Re: DDNS and allow-update declarations

2008-12-10 Thread Jonathan Petersson
I did some testing with this a couple of months ago and it seems like AD is
following the NS directive in the SOA.

The design I used in my test-case was to put AD as an authoritative updater
of the specified zone on my master, once updated the BIND master was
responsible for updating the slaves.

Something you can do is add NS records in AD pointing at your BIND
slave-servers for the zone, and vice versa configure your slaves to have the
AD as master for the zone. What I've experienced is that updates of new
records tend to be REALLY slow, thus I would go with the first option.

/Jonathan

On Wed, Dec 10, 2008 at 8:17 AM, Nicholas F Miller 
[EMAIL PROTECTED] wrote:

 I have a couple of questions regarding how a Microsoft domain controller
 updates a dynamic zone.

 1 ) When a domain controller tries to update the zone does it try the DNS
 servers it has listed in its network settings or does it follow the SOA for
 the zone?

 2) In the configs below does the slave server's IP need to be listed in the
 allow-update declaration on the master zone server?

 Master Server - 1.2.3.4

 zone "actived.example.com" {
     type master;
     file "named.ad";
     allow-update {
         1.2.3.4;        // master DNS server
         11.22.33.44;    // domain controller 1
         55.66.77.88.99; // domain controller 2
     };
     allow-transfer {
         5.6.7.8;        // slave DNS server
     };
 };

 Slave Server - 5.6.7.8

 zone "actived.example.com" {
     type slave;
     file "named.ad";
     allow-update-forwarding {
         11.22.33.44;    // domain controller 1
         55.66.77.88.99; // domain controller 2
     };
     allow-transfer { none; };
     masters {
         1.2.3.4;        // master DNS server
     };
 };

 Thanks,
 
 Nicholas Miller, ITS, University of Colorado at Boulder

 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users


Re: DDNS and allow-update declarations

2008-12-10 Thread bsfinkel
Nicholas F Miller [EMAIL PROTECTED] wrote:

I have a couple of questions regarding how a Microsoft domain  
controller updates a dynamic zone.

1 ) When a domain controller tries to update the zone does it try the  
DNS servers it has listed in its network settings or does it follow  
the SOA for the zone?

2) In the configs below does the slave server's IP need to be listed  
in the allow-update declaration on the master zone server?

Master Server - 1.2.3.4

zone "actived.example.com" {
    type master;
    file "named.ad";
    allow-update {
        1.2.3.4;        // master DNS server
        11.22.33.44;    // domain controller 1
        55.66.77.88.99; // domain controller 2
    };
    allow-transfer {
        5.6.7.8;        // slave DNS server
    };
};

Slave Server - 5.6.7.8

zone "actived.example.com" {
    type slave;
    file "named.ad";
    allow-update-forwarding {
        11.22.33.44;    // domain controller 1
        55.66.77.88.99; // domain controller 2
    };
    allow-transfer { none; };
    masters {
        1.2.3.4;        // master DNS server
    };
};

1) All updates for a zone need to be sent to the master server for that
   zone, as only the master can perform updates.  And one cannot assume
   that updates sent to a slave server will be forwarded to the
   master.  And the only place in DNS where the master server is listed
   is in the SOA record.

2) I am not sure of the answer.  If a DNS update is sent to a slave
   server and then forwarded to the master, I assume that the master
   will see the request as coming from the real source and not from
   the forwarding slave server.  So, I assume that the slave server is
   not updating the master, and thus does not need to be listed in the
   allow-update declaration.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994
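
Added example (not part of any poster's message and not ISC code): a small Python check for the address lists in zone blocks like the ones quoted in this thread. It reports list entries that are not valid addresses or prefixes, and lists whose last entry lacks the terminating semicolon. SAMPLE is constructed, and named ACL references are not resolved, so they would be reported as invalid.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's master zone; it has two defects:
# a five-octet address and a list entry with no terminating ';'.
SAMPLE = '''
zone "actived.example.com" {
    type master;
    allow-update {
        1.2.3.4;          // master DNS server
        11.22.33.44;      // domain controller 1
        55.66.77.88.99;   // domain controller 2
    };
    allow-transfer {
        5.6.7.8 // slave DNS server;
    };
};
'''

# Longest name first so "allow-update-forwarding" is not matched as "allow-update".
ACL_CLAUSES = ("allow-update-forwarding", "allow-update", "allow-transfer", "masters")
KEYWORDS = {"any", "none", "localhost", "localnets"}

def strip_comments(text):
    """Remove /* */, // and # comments so a ';' inside a comment is not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def audit(conf):
    """Return (clause, entry, problem) tuples for each address-list defect."""
    findings = []
    pattern = r"\b(%s)\s*\{([^{}]*)\}" % "|".join(ACL_CLAUSES)
    for clause, inner in re.findall(pattern, strip_comments(conf)):
        entries = [e.strip() for e in inner.split(";")]
        if entries[-1]:  # text after the last ';' means the terminator is missing
            findings.append((clause, entries[-1], "missing ';'"))
        for entry in filter(None, entries):
            addr = entry.lstrip("! ")  # a leading '!' negates the entry
            if addr in KEYWORDS or addr.startswith("key "):
                continue
            try:
                ipaddress.ip_network(addr, strict=False)
            except ValueError:
                findings.append((clause, entry, "not a valid address or prefix"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

named-checkconf remains the authoritative syntax check for a real named.conf; this only illustrates what to look for in the ACL clauses.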


Re: DDNS and allow-update declarations

2008-12-10 Thread Nicholas F Miller

Barry & Jonathan,

Thanks for the quick replies. Your responses go along with my findings  
as well. I am trying to clean up some of our configs. The DDNS zones  
just didn't look right to me and I wanted to confirm what I was  
thinking.


Jonathan, I tested things on a test DC by pointing it at a DNS server  
here that wasn't authoritative for its zone. When I made a change the  
update happened almost immediately on the master server. This behavior  
follows the logic of updates following the SOA.


Barry, from what I can find I don't think the slave needs to be listed  
nor does the master in the allow-update directive. If I have time  
tomorrow I might test this out in our test AD.


Nicholas Miller, ITS, University of Colorado at Boulder

On Dec 10, 2008, at 10:42 AM, Jonathan Petersson wrote:

I did some testing with this a couple of months ago and it seems like  
AD is following the NS directive in the SOA.


The design I used in my test-case was to put AD as an authoritative  
updater of the specified zone on my master, once updated the BIND  
master was responsible for updating the slaves.


Something you can do is add NS records in AD pointing at your BIND  
slave-servers for the zone, and vice versa configure your slaves to  
have the AD as master for the zone. What I've experienced is that  
updates of new records tend to be REALLY slow, thus I would go with  
the first option.


/Jonathan


On Dec 10, 2008, at 10:48 AM, [EMAIL PROTECTED] wrote:

1) All updates for a zone need to be sent to the master server for that
  zone, as only the master can perform updates.  And one cannot assume
  that updates sent to a slave server will be forwarded to the
  master.  And the only place in DNS where the master server is listed
  is in the SOA record.

2) I am not sure of the answer.  If a DNS update is sent to a slave
  server and then forwarded to the master, I assume that the master
  will see the request as coming from the real source and not from
  the forwarding slave server.  So, I assume that the slave server is
  not updating the master, and thus does not need to be listed in the
  allow-update declaration.



Re: DDNS and allow-update declarations

2008-12-10 Thread Jonathan Petersson
On Wed, Dec 10, 2008 at 4:00 PM, Mark Andrews [EMAIL PROTECTED] wrote:


 In message [EMAIL PROTECTED], Nicholas F Miller writes:
  I have a couple of questions regarding how a Microsoft domain
  controller updates a dynamic zone.
 
  1 ) When a domain controller tries to update the zone does it try the
  DNS servers it has listed in its network settings or does it follow
  the SOA for the zone?

 There are knowledge base articles which describe this fully.
I suggest that you search the Microsoft knowledge base for
the complete answer.


http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true

 cut 