
dnssec updated zone data is not live ??


Gregory Machin

Dec 10, 2009, 4:03:06 PM
to bind-...@isc.org
Hi
Please can you advise. It's been ages since I have configured dnssec.
I used nsupdate (with dnssec) to update a zone file with all the hosts'
current IPs so that they are reachable via a host name even when the
IP has changed (a dyndns.org type of thing). Everything seems to work
fine: named accepts the update and writes it to the .jnl file, but when
I try to ping the updated host name I get "ping: unknown host
greg.za.protetor.net", and this is on the server running named. Yet
the logs show

Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
external: updating zone 'device.example.net/IN': deleting rrset at
'greg.device.example.net' A
Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
external: updating zone 'device.example.net/IN': adding an RR at
'greg.device.example.net' A

Which is correct from what I remember the last time I did this.

my zone configuration:
/etc/named.conf
zone "device.example.net" {
    type master;
    file "/var/named/device.example.net.db";
    allow-transfer { any; };
    allow-update { key device.example.net; };
};


zone file:

$ORIGIN .
$TTL 3600 ; 1 hour
device.example.net IN SOA ns1.example.net. ns2.example.net. (
        2009120805 ; serial
        900        ; refresh (15 minutes)
        600        ; retry (10 minutes)
        86400      ; expire (1 day)
        3600       ; minimum (1 hour)
        )
        NS ns1.example.net.
        NS ns2.example.net.
        A 205.234.215.112
        MX 0 server.example.net.
$ORIGIN device.example.net.
$TTL 60 ; 1 minute
greg A 97.xxx.xxx.127

Running:
BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5


Any suggestions would be welcome. I have run out of ideas and Googling.

Kevin Darcy

Dec 10, 2009, 5:22:35 PM
to bind-...@isc.org
First of all, are you talking about DNSSEC, or just plain Dynamic Update
(presumably crypto-authenticated if this is going to be a
publicly updateable zone)? I don't see any DNSSEC records in the zone
file you posted.

Secondly, if you do an AXFR of the zone after the Dynamic Update, does
it reflect the change?

Thirdly, on the machine which is originating the ping, how is it set up
to resolve names? Does it only use DNS? Does it only use *itself* for
resolving DNS? Is there some intermediate caching going on (e.g. nscd or
equivalent)? If so, have you waited long enough for the entries to
expire from that intermediate cache?

- Kevin

Gregory Machin

Dec 11, 2009, 4:52:43 AM
to Kevin Darcy, bind-...@isc.org

Hi Kevin
Just plain Dynamic Update with "crypto-authenticated" keys.

If I do a dig on:
root@server [~]# dig @ns1.example.net device.example.net A +tcp

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @ns1.example.net
device.example.net A +tcp
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44660
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;device.example.net. IN A

;; ANSWER SECTION:
device.example.net. 3600 IN A 205.xxx.xxx.112

;; AUTHORITY SECTION:
device.example.net. 3600 IN NS ns1.example.net.
device.example.net. 3600 IN NS ns2.example.net.

;; Query time: 1 msec
;; SERVER: 205.234.215.113#53(205.234.215.113)
;; WHEN: Fri Dec 11 03:30:08 2009
;; MSG SIZE rcvd: 85

There should be an A record for a host greg.device.example.net. IN A
97.xxx.xxx.127
Yet if I cat the zone file there is a record

greg A 97.xxx.xxx.127

I'm doing the ping on the dns server that is hosting the
device.example.net zone ..

Thanks for your assistance ..

Kevin Darcy

Dec 17, 2009, 2:50:15 PM
to bind-...@isc.org
Cat'ing the zone file is no longer reliable once you've enabled a zone
for Dynamic Update. There might be updates in the log file which haven't
been committed to the actual zone file yet. That's why I recommended
that you use an AXFR of the zone to check for changes recently made.


- Kevin

Niobos

Dec 18, 2009, 3:06:19 AM
to bind-...@isc.org
On 17 Dec 2009, at 20:50, Kevin Darcy wrote:
> Cat'ing the zone file is no longer reliable once you've enabled a zone for Dynamic Update. There might be updates in the log file which haven't been committed to the actual zone file yet. That's why I recommended that you use an AXFR of the zone to check for changes recently made.

Or do an "rndc freeze example.net". This will stop dynamic updates to the zone and commit the logfile to the zonefile. Be sure to do an "rndc unfreeze example.net" when you're done to re-enable dynamic updates.

Alan Clegg

Dec 18, 2009, 5:39:15 AM
to bind-...@isc.org

"rndc thaw [zone]" is the documented way to resume dynamic updates.

I'd also recommend getting acquainted with "named-journalprint"
(formerly just "journalprint") which will allow you to see the deltas
that have been made to a given zone without taking that zone into
"frozen" state.

AlanC

Chris Thompson

Dec 18, 2009, 8:03:02 AM
to bind-...@lists.isc.org

There is also the -j option of named-checkzone (combined with writing
out a clean version with -D & -o), but unfortunately that only works
if the journal is named using the default "add .jnl to the zone file
name" convention.

Altogether, using AXFR is the thing to get used to using in this
context. (If you disable zone transfers generally, at least allow
them on the loopback interface.) Then start using "masterfile-format
raw", and forget about thinking of zone files as something human
readable ...

--
Chris Thompson
Email: ce...@cam.ac.uk
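One way to put Kevin's and Chris's advice into practice, as an added example that is not from this thread: capture the zone with AXFR over loopback and diff it against the on-disk zone file, which only catches up with the .jnl journal once the journal is committed. The sample AXFR output and zone file below are constructed (RFC 5737 documentation addresses), and the two parsers are minimal stand-ins, not BIND's own code.

```python
# Added example (not from the thread): diff what named actually serves, captured with
# `dig @127.0.0.1 device.example.net AXFR`, against the on-disk zone file, which lags
# the .jnl journal after dynamic updates. All sample data below is constructed.

AXFR_OUTPUT = """; <<>> DiG 9.3.6-P1 <<>> @127.0.0.1 device.example.net AXFR
device.example.net.      3600 IN SOA ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
device.example.net.      3600 IN NS  ns1.example.net.
greg.device.example.net. 60   IN A   203.0.113.27
device.example.net.      3600 IN SOA ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
"""
ZONE_FILE = """$TTL 3600 ; 1 hour
device.example.net IN SOA ns1.example.net. ns2.example.net. (
        2009120805 900 600 86400 3600 )  ; serial not yet bumped on disk
        NS ns1.example.net.
$ORIGIN device.example.net.
greg 60 A 192.0.2.10 ; stale: the journal already carries the new address
"""

def parse_dig_axfr(text):
    """(owner, ttl, type, rdata) per answer line; dig prints the SOA at both ends, the set merges them."""
    rows = [l.split(None, 4) for l in map(str.strip, text.splitlines()) if l and not l.startswith(";")]
    return {(o.lower(), int(ttl), t, rd) for o, ttl, _cls, t, rd in rows}

def parse_master_file(text, origin="."):
    """Minimal master-file parser: $ORIGIN/$TTL, ';' comments, ( ) continuations, inherited owners."""
    out, ttl, owner, buf = set(), None, None, ""
    for raw in (r for r in text.splitlines() if r.split(";")[0].strip()):
        line = raw.split(";")[0].rstrip()                   # strip comments
        if line.startswith("$"):                            # $ORIGIN or $TTL directive
            key, val = line.split()
            origin, ttl = (val, ttl) if key == "$ORIGIN" else (origin, int(val))
            continue
        if not buf:                                         # first line of a record:
            inherits = raw[:1] in (" ", "\t")               # leading blank = previous owner
        buf += " " + line
        if buf.count("(") > buf.count(")"):                 # still inside ( ... )
            continue
        fields, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        owner = owner if inherits else fields.pop(0)
        rttl = int(fields.pop(0)) if fields[0].isdigit() else ttl
        i = 1 if fields[0].upper() == "IN" else 0           # class is optional
        fqdn = owner if owner.endswith(".") else owner + "." + origin.lstrip(".")
        out.add((fqdn.lower(), rttl, fields[i], " ".join(fields[i + 1:])))
    return out

def diff_live_vs_file(axfr_text, zone_text):
    """(served but not on disk, on disk but not served); two empty lists mean in sync."""
    live, disk = parse_dig_axfr(axfr_text), parse_master_file(zone_text)
    return sorted(live - disk), sorted(disk - live)
```

On the constructed data the diff reports the bumped SOA serial and the new greg address as served-but-not-on-disk, which is exactly the state Kevin describes after an uncommitted dynamic update.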
