Re: adding DS record via nsupdate
On 02/06/2013 12:59 AM, Phil Mayers wrote:
> On 02/06/2013 12:56 AM, Doug Barton wrote:
>>> I do the following as an example:
>>>
>>> nsupdate -d
>>> server
>>> zone test.net
>>> update add subzone.test.net IN DS 34845 7 1
>>> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>>
>> I don't think this makes sense. Shouldn't you have a proper zone for
>> subzone.test.net? What utility would a DS record have in this location?
>
> Eh? DS records always live in the parent zone, exactly like delegating NS
> records.

Yeah, sorry, I had somehow substituted DNSKEY in my mind ... weird.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: adding DS record via nsupdate
Of course.
Thank you.

--
Jack Tavares

"How many more can we sell with this button?"

From: Mark Andrews [ma...@isc.org]
Sent: Tuesday, February 05, 2013 19:58
To: Andrew Latham
Cc: Jack Tavares; bind-us...@isc.org
Subject: Re: adding DS record via nsupdate

The update code has sanity checks. You can only add DS records
where delegating NS records exist. If you remove a delegating NS
rrset any DS records there will also be removed. This check is done
after all the records have been processed.

Mark

> server 127.0.0.1
> zone example
> key key.dv.isc.org
> update add oo.example 0 ns drugs.dv.isc.org
> update add oo.example 0 DS 10288 5 1
> 22F103696F795206A7373850444C6F4DA61D0076
> send
>

; <<>> DiG 9.10.0pre-alpha <<>> isc.org oo.example ds +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60240
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;oo.example. IN DS

;; ANSWER SECTION:
oo.example. 0 IN DS 10288 5 1 22F103696F795206A7373850444C6F4DA61D0076

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 06 14:57:45 EST 2013
;; MSG SIZE rcvd: 163

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: adding DS record via nsupdate
Precisely!
That is why one of the sanity checks is if NS records exist at all.
If not, no DS records will be added.
And reversely: if all NS records are removed, any DS record will be removed as well.

Just as Mark Andrews indicated.

Kind regards,

Marc Lampo

On Wed, Feb 6, 2013 at 9:59 AM, Phil Mayers wrote:
> On 02/06/2013 12:56 AM, Doug Barton wrote:
>
>>> I do the following as an example:
>>>
>>> nsupdate -d
>>> server
>>> zone test.net
>>> update add subzone.test.net IN DS 34845 7 1
>>> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>>
>>
>> I don't think this makes sense. Shouldn't you have a proper zone for
>> subzone.test.net? What utility would a DS record have in this location?
>>
>
> Eh? DS records always live in the parent zone, exactly like delegating NS
> records.

Re: adding DS record via nsupdate
On 02/06/2013 12:56 AM, Doug Barton wrote:
>> I do the following as an example:
>>
>> nsupdate -d
>> server
>> zone test.net
>> update add subzone.test.net IN DS 34845 7 1
>> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
> I don't think this makes sense. Shouldn't you have a proper zone for
> subzone.test.net? What utility would a DS record have in this location?

Eh? DS records always live in the parent zone, exactly like delegating NS
records.

Re: adding DS record via nsupdate
The update code has sanity checks. You can only add DS records
where delegating NS records exist. If you remove a delegating NS
rrset any DS records there will also be removed. This check is done
after all the records have been processed.

Mark

> server 127.0.0.1
> zone example
> key key.dv.isc.org
> update add oo.example 0 ns drugs.dv.isc.org
> update add oo.example 0 DS 10288 5 1
> 22F103696F795206A7373850444C6F4DA61D0076
> send
>

; <<>> DiG 9.10.0pre-alpha <<>> isc.org oo.example ds +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60240
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;oo.example. IN DS

;; ANSWER SECTION:
oo.example. 0 IN DS 10288 5 1 22F103696F795206A7373850444C6F4DA61D0076

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 06 14:57:45 EST 2013
;; MSG SIZE rcvd: 163

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

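Added example, not part of the thread and not BIND's code: a simplified Python model of the check Mark Andrews and Marc Lampo describe, applied to nsupdate batches in the syntax used above. The NS target ns1.subzone.test.net and the TTL 3600 are constructed, and the zone apex is left out of the model.

```python
# Simplified model of the rule described in the thread; not BIND's source.
CLASSES = {"IN", "CH", "HS"}

def norm(name):
    return name.rstrip(".").lower()

def parse_update(line):
    """Return (action, owner, rrtype) for 'update add|delete ...', else None."""
    tok = line.split()
    if len(tok) < 3 or tok[0].lower() != "update":
        return None
    if tok[1].lower() not in ("add", "delete"):
        return None
    rest = tok[3:]
    # TTL and class are optional in the thread's examples; skip them.
    while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
        rest = rest[1:]
    return tok[1].lower(), norm(tok[2]), (rest[0].upper() if rest else None)

def apply_batch(batch, zone):
    """Apply a batch to zone {owner: set(rrtypes)}; return (zone, dropped)."""
    zone = {n: set(t) for n, t in zone.items()}
    apex = None
    for line in batch.splitlines():
        tok = line.split()
        if len(tok) == 2 and tok[0].lower() == "zone":
            apex = norm(tok[1])
        parsed = parse_update(line)
        if parsed is None:
            continue
        action, owner, rrtype = parsed
        if action == "add" and rrtype:
            zone.setdefault(owner, set()).add(rrtype)
        elif action == "delete" and rrtype:
            zone.get(owner, set()).discard(rrtype)
        elif action == "delete":
            zone.pop(owner, None)  # no type given: every RRset at the name
    # The check runs once, after every record in the update was processed.
    dropped = sorted(n for n, t in zone.items()
                     if n != apex and "DS" in t and "NS" not in t)
    for n in dropped:
        zone[n].discard("DS")
    return zone, dropped

DS_REC = "DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F"
# Constructed batches: the thread's DS-only update, and DS sent before NS.
DS_ONLY = f"zone test.net\nupdate add subzone.test.net IN {DS_REC}\nsend\n"
DS_THEN_NS = (f"zone test.net\nupdate add subzone.test.net IN {DS_REC}\n"
              "update add subzone.test.net 3600 IN NS ns1.subzone.test.net.\nsend\n")
PARENT = {"test.net": {"SOA", "NS"}}
```

In this model the DS-only batch leaves no DS at subzone.test.net even though nothing is rejected, while the same DS survives when the NS arrives anywhere in the same update, because the check only runs at the end.
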
Re: adding DS record via nsupdate
On 02/05/2013 03:30 PM, Jack Tavares wrote:
> Hello -
>
> I am trying to add a DS record via nsupdate and I can't get it to succeed.
>
> It does not generate an error, but when I dig for the DS record I get
> NXDOMAIN.
>
> When I edit the zone file and add the same DS record and reload, I can
> query it just fine.
>
> I do the following as an example:
>
> nsupdate -d
> server
> zone test.net
> update add subzone.test.net IN DS 34845 7 1
> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F

I don't think this makes sense. Shouldn't you have a proper zone for
subzone.test.net? What utility would a DS record have in this location?

Doug

Re: adding DS record via nsupdate
On Tue, Feb 5, 2013 at 6:30 PM, Jack Tavares wrote:
> Hello -
>
> I am trying to add a DS record via nsupdate and I can't get it to succeed.
>
> It does not generate an error, but when I dig for the DS record I get
> NXDOMAIN.
>
> When I edit the zone file and add the same DS record and reload, I can
> query it just fine.
>
> I do the following as an example:
>
> nsupdate -d
> server
> zone test.net
> update add subzone.test.net IN DS 34845 7 1
> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
> send
>
> The output is
> Sending update to #53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 45236
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;test.net. IN SOA
>
> ;; UPDATE SECTION:
> subzone.test.net. IN DS 34845 7 1
> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 45236
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;test.net. IN SOA
>
>
>
> Dig results
>
> dig @ +noadflag +nocdflag -t ds subzone.test.net.
>
> ; <<>> DiG 9.8.4-P1 <<>> @ -t ds subzone.test.net.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21747
> ;; flags: qr aa rd cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;subzone.test.net. IN DS
>
> ;; AUTHORITY SECTION:
> test.net. 500 IN SOA .test.net.
> hostmaster..test.net. 2013010938 10800 3600 604800 86400
>
>
> When I put the DS record in the zone manually:
>
> tail :
> subzone.test.net. IN DS 34845 7 1
> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
> and do a dig, it works:
> dig @ -t ds subzone.test.net.
>
> ; <<>> DiG 9.8.4-P1 <<>> @ -t ds subzone.test.net.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21326
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;subzone.test.net. IN DS
>
> ;; ANSWER SECTION:
> subzone.test.net. IN DS 34845 7 1
> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
> ;; Query time: 0 msec
>
> Should this work?
> Thank you
>
> --
> Jack Tavares

First guess is that the Serial is not getting updated correctly.

--
~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~

adding DS record via nsupdate
Hello -

I am trying to add a DS record via nsupdate and I can't get it to succeed.

It does not generate an error, but when I dig for the DS record I get NXDOMAIN.

When I edit the zone file and add the same DS record and reload, I can query it
just fine.

I do the following as an example:

nsupdate -d
server
zone test.net
update add subzone.test.net IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
send

The output is
Sending update to #53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 45236
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; ZONE SECTION:
;test.net. IN SOA

;; UPDATE SECTION:
subzone.test.net. IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 45236
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;test.net. IN SOA


Dig results

dig @ +noadflag +nocdflag -t ds subzone.test.net.

; <<>> DiG 9.8.4-P1 <<>> @ -t ds subzone.test.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21747
;; flags: qr aa rd cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;subzone.test.net. IN DS

;; AUTHORITY SECTION:
test.net. 500 IN SOA .test.net. hostmaster..test.net. 2013010938 10800 3600 604800 86400


When I put the DS record in the zone manually:

tail :
subzone.test.net. IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F

and do a dig, it works:
dig @ -t ds subzone.test.net.

; <<>> DiG 9.8.4-P1 <<>> @ -t ds subzone.test.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21326
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;subzone.test.net. IN DS

;; ANSWER SECTION:
subzone.test.net. IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F

;; Query time: 0 msec

Should this work?
Thank you

--
Jack Tavares