named configuration

Chris Buxton cbuxton at menandmice.com
Thu Jan 8 18:10:58 UTC 2009


On Jan 8, 2009, at 7:09 AM, Oliver Block wrote:
> Hello everybody,
>
> I am responsible for a so called vServer. I did not pay much attention to the
> nameserver setup as yet. But now I'd like to configure our named correctly in
> order to use dynamic updates for subdomains later.
>
> preface: I hope you don't mind that I obscure the output because I don't
> want to feed bots scanning this mailing list.
>
> When I call
>
> dig mydomain.org NS
>
> I get
>
> ;; QUESTION SECTION:
> ;mydomain.org.               IN      NS
>
> ;; ANSWER SECTION:
> mydomain.org.        1616    IN      NS      ns.myisp.net.
> mydomain.org.        1616    IN      NS      ns2.myisp.net.
>
> as nameservers. When I do the same for a subdomain, e.g.
>
> dig sub.mydomain.org NS
>
> I receive the following response:
>
> ;; QUESTION SECTION:
> ;sub.mydomain.org.                IN      NS
>
> ;; AUTHORITY SECTION:
> mydomain.org.        1666    IN      SOA     ns.myisp.net. hostmaster.myisp.net. 2007062401 28800 1800 604800 86400
>
> Which options do I have to run our named (in order to use dynamic updates for
> subdomains)?

First, an explanation of the result you're seeing for the second  
query. This is a negative answer, meaning that sub.mydomain.org does  
not exist.

Now, to your question, do you want to add records for subdomains to  
the mydomain.org zone or do you want to create all new subzones? If  
the latter, it can't be done via dynamic update - there's no way to  
create a new zone on the server without modifying the configuration  
files.

If you instead just want to create sub.mydomain.org in the  
mydomain.org zone, all you have to do is add the allow-update (or  
update-policy) statement to your zone statement on the master. You  
should use TSIG keys if possible, or GSS-TSIG if you must, in  
preference to insecure updates. You should also enable update  
forwarding on ns2.myisp.net, which is especially easy if you use TSIG  
or GSS-TSIG signatures.

Please read the relevant sections of the BIND 9 ARM regarding dynamic  
updates and transaction signatures.
https://www.isc.org/software/bind/documentation/arm95#Bv9ARM.ch04
https://www.isc.org/software/bind/documentation/arm95#dynamic_update_security

Chris Buxton
Professional Services
Men & Mice
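
Added example, not part of the original message and not taken from the BIND ARM: a named.conf sketch of the setup the reply describes, with an address-based allow-update shown commented out beside the TSIG-restricted update-policy, plus update forwarding on the slave. The key name, secret, file names and IP addresses are constructed placeholders, and the master and slave parts belong in separate servers' configuration files.

```conf
// Constructed example: key name, secret, file names and addresses are
// placeholders, not values from the original message.

// Shared TSIG key. The same key statement is needed on the master, on the
// slave, and in the key file used by the client that sends the updates.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real secret
};

// ---- named.conf on the master ----
zone "mydomain.org" {
    type master;
    file "mydomain.org.db";                // hypothetical file name

    // Insecure form, shown for contrast only: it trusts a source address
    // and permits changes to every name in the zone.
    // allow-update { 192.0.2.10; };

    // Signed updates only, limited to sub.mydomain.org and the names
    // below it, and to the listed record types. update-policy and
    // allow-update cannot both be set on the same zone.
    update-policy {
        grant ddns-key subdomain sub.mydomain.org. A AAAA TXT;
    };
};

// ---- named.conf on the slave (ns2) ----
zone "mydomain.org" {
    type slave;
    file "mydomain.org.bak";               // hypothetical file name
    masters { 192.0.2.1; };                // constructed master address

    // Forward only TSIG-signed updates; the master verifies the
    // signature again before applying the change.
    allow-update-forwarding { key ddns-key; };
};
```

Once dynamic updates are enabled, named maintains the zone file and its journal itself, so manual edits to the file need the zone frozen first (rndc freeze, then rndc thaw).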




