parental-agents clause - IP address only ?

Timothe Litt litt at acm.org
Mon Dec 5 12:16:35 UTC 2022


On 04-Dec-22 21:34, vom513 wrote:
> Hello all,
>
> So I set up parental-agents lists for my zones, and actually got to see it work (awesome !).  bind detected the parent DS records and acted accordingly.
>
> However, I currently have these lists configured using the IP (v4 only at the moment) addresses of the parent NS’es.  I tried inputting hostnames, and I got errors (i.e. syntax) every time.
>
> I would prefer to put these in as hostnames.  While at a certain level in the tree these don’t change very often, they can and do.  I’d rather not have to keep track of these in this manner.
>
> So my question - am I just mangling the syntax - or does this clause really only support IPs ?  I was thinking if so - perhaps the reason is some chicken vs. egg / security reason ?  I.e. not trusting the name (which would have to be itself resolved) ?
>
> Thanks in advance for clue++

Let the computer do the work.

Assuming you have a TRUSTED resolver, a work-around for this sort of 
issue is to replace the definition with an 'include'.

Run a cron job that queries your resolver & writes the resolved IP 
address.  You can template the include file. (Or the entire config, but 
I get confused when the main .conf file is modified frequently.)

e.g. I use something like this in other cases.  Season to taste. Don't 
use 8.8.8.8...

include "myagents.conf";

myagents.conf.template:

    # BIND requires a name for every parental-agents list and a ';' after the
    # closing brace (both were missing from the fragment as posted). The
    # %hostname% placeholders are filled in by agent-update.
    parental-agents agents-a port 99 { %host.example.com% key secret; %host.example.net% key sesame; };
    parental-agents agents-b port 96 { %host.example.edu% key password; };

agent-update:

#!/bin/bash

# Update IP addresses: resolve each agent hostname against the trusted
# resolver and substitute the result for %hostname% in the template.

# These names must match the %...% placeholders in the template exactly.
IP4HOSTS="host.example.com host.example.edu"
IP6HOSTS="host.example.net"

TRUSTED="8.8.8.8"      # put YOUR trusted resolver here, not 8.8.8.8
CONF="myagents.conf"

trap 'rm -f "${CONF}.tmp"' EXIT
if ! cp -p "${CONF}.template" "${CONF}.tmp" ; then
     exit 1
fi

function resolve () {
     local HOST="$1" TYPE="$2" IP=""
     if ! IP="$(dig +short "$HOST" "$TYPE" "@$TRUSTED")"; then
         echo "Failed to resolve \"${HOST}\" \"$TYPE\"" >&2
         exit 1
     fi
     # dig +short may print a CNAME chain before the address, or several
     # addresses; keep only the first line that is an address of the
     # requested type (has a colon for AAAA, only digits and dots for A).
     if [ "$TYPE" = "aaaa" ]; then
         IP="$(printf '%s\n' "$IP" | grep ':' | head -n 1)"
     else
         IP="$(printf '%s\n' "$IP" | grep -E '^[0-9.]+$' | head -n 1)"
     fi
     if [ -z "$IP" ]; then
         echo "Failed to resolve \"${HOST}\" \"$TYPE\"" >&2
         exit 1
     fi
     # Escape the dots so the hostname is matched literally by sed;
     # the script goes before the file name, which is what POSIX sed expects.
     sed -i -e "s/%${HOST//./\\.}%/${IP}/g" "${CONF}.tmp"
}

for HOST in $IP4HOSTS; do
     resolve "$HOST" "a"
done
for HOST in $IP6HOSTS; do
     resolve "$HOST" "aaaa"
done
if ! mv "${CONF}.tmp" "${CONF}" ; then
     exit 1
fi

exit 0

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
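The script above hands the rendered include straight to the running server. The following is an added example, not the poster's script or anything shipped with BIND, showing the extra checks a practitioner would want around the same template-and-cron approach: a dig answer is only accepted if it is a literal address of the requested type (so a CNAME target or an empty reply can never land in the config), any %placeholder% left unresolved aborts the run, and the candidate file is checked with named-checkconf against the whole configuration (so key references into named.conf are verified) and rolled back if it fails, before rndc reconfig is issued. The file names myagents.conf and myagents.conf.template, the named.conf path, and the resolver address 192.0.2.53 are assumptions; dig, named-checkconf and rndc must be on the path.

```shell
#!/bin/bash
# Added example (not the poster's code). Render a parental-agents include from a
# template, refuse to install it if a placeholder is unresolved or if the whole
# configuration fails named-checkconf, then reconfigure named.
# Assumptions: RESOLVER is your own validating resolver (192.0.2.53 is a
# placeholder), NAMED_CONF is the main config that includes myagents.conf.

RESOLVER="${RESOLVER:-192.0.2.53}"
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"

# is_address ADDR TYPE: accept only a plausible literal of the requested type.
is_address() {
    case "$2" in
        A)    [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] ;;
        AAAA) [[ "$1" =~ ^[0-9A-Fa-f:]+$ && "$1" == *:* ]] ;;
        *)    return 1 ;;
    esac
}

# lookup_address NAME TYPE: first answer of TYPE from the trusted resolver;
# CNAME targets and anything else dig +short prints are skipped.
lookup_address() {
    local line
    while IFS= read -r line; do
        if is_address "$line" "$2"; then printf '%s\n' "$line"; return 0; fi
    done < <(dig +short "$1" "$2" "@$RESOLVER")
    echo "no $2 record for $1 from $RESOLVER" >&2
    return 1
}

# substitute_placeholder FILE NAME ADDR: replace every %NAME% with ADDR.
# Dots in NAME are escaped; ADDR cannot contain sed metacharacters because
# is_address() restricted it to digits, dots and colons.
substitute_placeholder() {
    local pattern="${2//./\\.}"
    sed -i -e "s/%${pattern}%/$3/g" "$1"
}

# unresolved_placeholders FILE: print leftover %...% tokens; fail if any remain.
unresolved_placeholders() {
    local left
    left="$(grep -o '%[^% ]*%' "$1" || true)"
    [ -z "$left" ] && return 0
    printf '%s\n' "$left"
    return 1
}

# render TEMPLATE OUT NAME=TYPE...: copy the template and fill every placeholder.
render() {
    local template="$1" out="$2" pair addr; shift 2
    cp -p "$template" "$out" || return 1
    for pair in "$@"; do
        addr="$(lookup_address "${pair%%=*}" "${pair##*=}")" || return 1
        substitute_placeholder "$out" "${pair%%=*}" "$addr" || return 1
    done
    unresolved_placeholders "$out" >&2
}

# install_include CANDIDATE TARGET: swap the candidate in, check the complete
# configuration (run from named's working directory so relative includes
# resolve), roll back on failure, and only reconfigure a passing config.
install_include() {
    local candidate="$1" target="$2"
    [ -e "$target" ] && cp -p "$target" "$target.prev"
    mv "$candidate" "$target" || return 1
    if ! named-checkconf "$NAMED_CONF"; then
        echo "rejected by named-checkconf; restoring previous $target" >&2
        [ -e "$target.prev" ] && mv "$target.prev" "$target"
        return 1
    fi
    rndc reconfig
}

main() {
    local conf="myagents.conf" tmp
    tmp="$(mktemp "${conf}.XXXXXX")" || exit 1
    trap 'rm -f "$tmp"' EXIT
    render "${conf}.template" "$tmp" \
        host.example.com=A host.example.edu=A host.example.net=AAAA || exit 1
    install_include "$tmp" "$conf" || exit 1
}

# The full procedure runs only when invoked as "agent-update run"; otherwise
# the file just defines the functions, which keeps them testable in isolation.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because the previous include is kept as myagents.conf.prev and restored on a failed check, a resolver outage or a typo in the template leaves the server on its last known-good agent list rather than on a half-rendered one.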



