Re: DDNS and allow-update declarations
I did some testing with this a couple of months ago and it seems like AD is following the NS directive in the SOA. The design I used in my test case was to put AD as an authoritative updater of the specified zone on my master; once updated, the BIND master was responsible for updating the slaves.

Something you can do is add NS records in AD pointing at your BIND slave servers for the zone, and vice versa configure your slaves to have the AD as master for the zone. What I've experienced is that updates of new records tend to be REALLY slow, thus I would go with the first option.

/Jonathan

On Wed, Dec 10, 2008 at 8:17 AM, Nicholas F Miller [EMAIL PROTECTED] wrote:
> I have a couple of questions regarding how a Microsoft domain controller updates a dynamic zone.
>
> 1) When a domain controller tries to update the zone does it try the DNS servers it has listed in its network settings or does it follow the SOA for the zone?
>
> 2) In the configs below does the slave server's IP need to be listed in the allow-update declaration on the master zone server?
>
> Master Server - 1.2.3.4
>
>     zone "actived.example.com" {
>         type master;
>         file "named.ad";
>         allow-update {
>             1.2.3.4;           // master DNS server
>             11.22.33.44;       // domain controller 1
>             55.66.77.88.99;    // domain controller 2
>         };
>         allow-transfer {
>             5.6.7.8;           // slave DNS server
>         };
>     };
>
> Slave Server - 5.6.7.8
>
>     zone "actived.example.com" {
>         type slave;
>         file "named.ad";
>         allow-update-forwarding {
>             11.22.33.44;       // domain controller 1
>             55.66.77.88.99;    // domain controller 2
>         };
>         allow-transfer { none; };
>         masters {
>             1.2.3.4;           // master DNS server
>         };
>     };
>
> Thanks,
> Nicholas Miller, ITS, University of Colorado at Boulder

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DDNS and allow-update declarations
Nicholas F Miller [EMAIL PROTECTED] wrote:
> I have a couple of questions regarding how a Microsoft domain controller updates a dynamic zone.
>
> 1) When a domain controller tries to update the zone does it try the DNS servers it has listed in its network settings or does it follow the SOA for the zone?
>
> 2) In the configs below does the slave server's IP need to be listed in the allow-update declaration on the master zone server?
>
> [...]

1) All updates for a zone need to be sent to the master server for that zone, as only the master can perform updates. And one cannot assume that updates sent to a slave server will be forwarded to the master. And the only place in DNS where the master server is listed is in the SOA record.

2) I am not sure of the answer. If a DNS update is sent to a slave server and then forwarded to the master, I assume that the master will see the request as coming from the real source and not from the forwarding slave server. So, I assume that the slave server is not updating the master, and thus does not need to be listed in the allow-update declaration.

--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 222, Room D209
Argonne, IL 60439-4828
Phone:     +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet:  [EMAIL PROTECTED]
IBMMAIL:   I1004994
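To make the two mechanics in this exchange concrete, here is an added example in Python (it is not code from the thread, from BIND or from Microsoft): it builds a constructed SOA answer and pulls the master's name out of the MNAME field, the only place DNS names the zone master; it builds the RFC 2136 UPDATE message a client then sends to that master; and it signs and verifies that message with an RFC 8945 TSIG, using the standard library only. The zone actived.example.com and the addresses are taken from the configs above; the host dc1, the key name ad-update, its secret and the SOA contents are made up for the example.

```python
"""Added example (not from the bind-users thread): find the zone master via
SOA MNAME, build an RFC 2136 UPDATE for it, and sign/verify it with an
RFC 8945 TSIG. Standard library only; all names, addresses and the key are
constructed for the example."""
import hashlib
import hmac
import struct

TSIG_ALG = "hmac-sha256."


def encode_name(name):
    """Dotted name -> uncompressed DNS label wire format."""
    labels = [n for n in name.rstrip(".").split(".") if n]
    return b"".join(bytes([len(n)]) + n.encode("ascii") for n in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                        # RFC 1035 compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def skip_section(msg, off, count, rr=True):
    """Advance past `count` questions (name + 4) or RRs (name + 10 + RDLENGTH)."""
    for _ in range(count):
        _, off = decode_name(msg, off)
        off += (10 + struct.unpack("!H", msg[off + 8:off + 10])[0]) if rr else 4
    return off


def soa_mname(response):
    """MNAME of the first SOA RR in the answer section: the zone's master."""
    qd, an = struct.unpack("!HH", response[4:8])
    off = skip_section(response, 12, qd, rr=False)
    for _ in range(an):
        _, off = decode_name(response, off)
        rtype, rdlen = struct.unpack("!H6xH", response[off:off + 10])
        if rtype == 6:                              # SOA RDATA begins with MNAME
            return decode_name(response, off + 10)[0]
        off += 10 + rdlen
    raise ValueError("no SOA in answer section")


def sample_soa_response():
    """Constructed answer to 'actived.example.com. IN SOA?' (not a capture)."""
    q = encode_name("actived.example.com.") + struct.pack("!HH", 6, 1)
    rdata = (b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"   # MNAME, RNAME (pointer to QNAME)
             + struct.pack("!5I", 2008121001, 3600, 900, 604800, 300))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + q + rr


def build_update(zone, name, ipv4, msg_id=0x4242):
    """RFC 2136 UPDATE (opcode 5): zone section, no prerequisites, add one A RR."""
    hdr = struct.pack("!6H", msg_id, 5 << 11, 1, 0, 1, 0)      # ZOCOUNT PRCOUNT UPCOUNT ADCOUNT
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)    # ZTYPE SOA, ZCLASS IN
    a_rr = encode_name(name) + struct.pack("!HHIH", 1, 1, 3600, 4)
    return hdr + zone_sec + a_rr + bytes(int(o) for o in ipv4.split("."))


def _tsig_variables(keyname, time_signed, fudge):
    """Fields the MAC covers besides the message (RFC 8945 4.3.3); error/other = 0."""
    return (encode_name(keyname) + struct.pack("!HI", 255, 0) + encode_name(TSIG_ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))


def tsig_sign(msg, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned message and bump ARCOUNT by one."""
    mac = hmac.new(secret, msg + _tsig_variables(keyname, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(TSIG_ALG)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[0:2] + struct.pack("!HH", 0, 0))       # original ID, error, other len
    rr = encode_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed, secret):
    """Master-side check: strip the trailing TSIG RR, recompute the MAC, compare.
    The time-signed/fudge window check is left out to keep the example short."""
    qd, an, ns, ar = struct.unpack("!4H", signed[4:12])
    if ar == 0:
        return False
    off = skip_section(signed, 12, qd, rr=False)
    tsig_off = skip_section(signed, off, an + ns + ar - 1)
    keyname, off = decode_name(signed, tsig_off)
    if struct.unpack("!H", signed[off:off + 2])[0] != 250:    # not a TSIG RR
        return False
    alg, off = decode_name(signed, off + 10)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[off:off + 10])
    mac = signed[off + 10:off + 10 + mac_len]
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    expected = hmac.new(secret, unsigned + _tsig_variables(keyname, (hi << 32) | lo, fudge),
                        hashlib.sha256).digest()
    return alg.lower() == TSIG_ALG and hmac.compare_digest(mac, expected)
```

Two things this shows that bear on question 2. The TSIG MAC is computed over the message bytes, so when a slave with allow-update-forwarding passes the request on unchanged, the master can still verify who signed it. The source address, by contrast, is not carried in the message: the forwarding slave opens its own connection to the master, so an address-based allow-update ACL on the master sees the slave's address, which is why the BIND ARM warns that update forwarding can expose a master that relies on IP-based access control. Windows domain controllers sign with GSS-TSIG (a negotiated key) rather than a static TSIG secret, but the construction is the same: a TSIG RR in the additional section with its MAC over the message, and that signature, not the IP lists in the configs above, is what the master should be trusting.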
Re: DDNS and allow-update declarations
Barry, Jonathan,

Thanks for the quick replies. Your responses go along with my findings as well. I am trying to clean up some of our configs. The DDNS zones just didn't look right to me and I wanted to confirm what I was thinking.

Jonathan, I tested things on a test DC by pointing it at a DNS server here that wasn't authoritative for its zone. When I made a change the update happened almost immediately on the master server. This behavior follows the logic of updates following the SOA.

Barry, from what I can find I don't think the slave needs to be listed, nor does the master, in the allow-update directive. If I have time tomorrow I might test this out in our test AD.

Nicholas Miller, ITS, University of Colorado at Boulder

On Dec 10, 2008, at 10:42 AM, Jonathan Petersson wrote:
> [...]

On Dec 10, 2008, at 10:48 AM, [EMAIL PROTECTED] wrote:
> [...]
Re: DDNS and allow-update declarations
On Wed, Dec 10, 2008 at 4:00 PM, Mark Andrews [EMAIL PROTECTED] wrote:
> In message [EMAIL PROTECTED], Nicholas F Miller writes:
> > I have a couple of questions regarding how a Microsoft domain controller updates a dynamic zone.
> >
> > 1) When a domain controller tries to update the zone does it try the DNS servers it has listed in its network settings or does it follow the SOA for the zone?
>
> There are knowledge base articles which describe this fully. I suggest that you search the Microsoft knowledge base for the complete answer.

http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true

cut