Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

dynamic DNS updates using nsupdate - which view is updated?

1,429 views
Skip to first unread message

Per Jessen

unread,
Jan 23, 2006, 9:14:30 AM1/23/06
to
Apologies if you're receiving multiple copies of this - I tried posting
via USENET (comp.protocols.dns.bind), but that didn't seem to work.

My name-server serves two different views depending on the client.
Both views include the same zone, but with different zone-files.
If I were to use nsupdate to do dynamic updates of this
zone, which view/zone-file should I expect to be updated? The clients
are generally external, and the updates would be coming from a local
host.


/Per Jessen, Zürich (-2.94 °C)

--
http://www.spamchek.com/ - managed anti-spam and anti-virus solution.
Let us analyse your spam- and virus-threat - up to 2 months for free.


Dave Clark

unread,
Jan 23, 2006, 9:50:26 AM1/23/06
to
If the updates are made locally, then the local zone is what would be
updated. More modern versions of BIND can accept a key in the address match
list of a view. That way if you want to update a local zone with the key
'key.local.zone' then you include 'key.local.zone' in your local view
address match list.

Dave

Per Jessen

unread,
Jan 23, 2006, 10:14:49 AM1/23/06
to
Dave Clark wrote:

> If the updates are made locally, then the local zone is what would be
> updated. More modern versions of BIND can accept a key in the address
> match list of a view. That way if you want to update a local zone
> with the key 'key.local.zone' then you include 'key.local.zone' in
> your local view address match list.

I'm using bind 9.2.3. Let me try to explain what's puzzling me:

I have view 1 and view 2 that both serve zone A (with different
zone-files). Local hosts see view 1, externals hosts see view 1 or 2.
What you're saying is that when I use nsupdate from a local host, view 1
is updated? How would I go about updating view 2 using nsupdate?


/Per Jessen, Zürich (-3.63 °C)

Dave Clark

unread,
Jan 23, 2006, 10:21:20 AM1/23/06
to
You'll need to include the zone's key in view 2's address match list. I'm
not sure if this is supported by BIND 9.2.3.

Dave

----- Original Message -----
From: "Per Jessen" <p...@computer.org>
To: <bind-...@isc.org>

Per Jessen

unread,
Jan 23, 2006, 10:29:42 AM1/23/06
to
Dave Clark wrote:

> You'll need to include the zone's key in view 2's address match list.
> I'm not sure if this is supported by BIND 9.2.3.

It looks as if it is. Thanks - it wasn't obvious that nsupdate would go
through all available views and update the zone(s) with the appropriate
key.


/Per Jessen, Zürich (-3.75 °C)

Dave Clark

unread,
Jan 23, 2006, 10:33:28 AM1/23/06
to
nsupdate doesn't do it. BIND looks at the key used to authenticate the
transfer before selecting which view to search for the zone.

Dave

----- Original Message -----
From: "Per Jessen" <p...@computer.org>
To: <bind-...@isc.org>
Sent: Monday, January 23, 2006 10:29 AM
Subject: Re: dynamic DNS updates using nsupdate - which view is updated?

Per Jessen

unread,
Jan 25, 2006, 8:22:38 AM1/25/06
to
Dave Clark wrote:

> nsupdate doesn't do it. BIND looks at the key used to authenticate
> the transfer before selecting which view to search for the zone.
> Dave

Sorry, that's what I meant to say too.
Anyway, I've been trying this out and I'm not getting very far.

I've got 4 views: "local", "sat01", "sat99", and "world". "local" is
for local consumption, "sat01" and "sat99" are each for dedicated
specific client-addresses and/or -ranges and "world" is obviously for
everybody else.

This is my config:

view "sat99" {
match-clients { 192.168.67.0/24; key helium.; };
recursion no;
include "/etc/named.d/sat99.conf";
};

/etc/named.d/sat99.conf:

key helium. {
algorithm hmac-md5;
secret "cb4DdGo8jUY4DLEt2aH+YQ==";
};

zone "test.net" {
type master;
file "master/test.net.99";
notify yes;
allow-update { key helium.; };
};


>From a local host (192.168.2.113), I then try to update view "sat99"
using the following input to nsupdate:

server 192.168.2.104
zone spamchek.net
key helium. cb4DdGo8jUY4DLEt2aH+YQ==
update delete x.test.net. IN A
update add x.test.net. 300 IN A 1.2.3.4
show
send


The target server at 192.168.2.104 hits on the first applicable zone
according to IP-address and fails as 192.168.2.113 is not allowed to
update anything in view "local". But it doesn't go through the
remaining views to see if a key matches anywhere? I can sort of
understand why this is, but does it mean I cannot have nsupdate a view
other than the first select (by IP) ?

/Per Jessen, Zürich (-0.50 °C)


Mark Andrews

unread,
Jan 25, 2006, 5:12:30 PM1/25/06
to

Reorder the list of views and/or used negation in the acls.

acl localaddresses { .... };

views local {
match-clients { ! key helium.; localaddresses; };

};

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org


Per Jessen

unread,
Jan 26, 2006, 2:12:02 AM1/26/06
to
Mark Andrews wrote:

>
> Reorder the list of views and/or used negation in the acls.
>
> acl localaddresses { .... };
>
> views local {
> match-clients { ! key helium.; localaddresses; };
>
> };

Thanks for taking a look Mark - after some tinkering, I did end up
reordering the views, but your suggestion of negation in the acls is
interesting - I wasn't aware of that option.

/Per Jessen, Zürich (-1.25 °C)


0 new messages