On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy <k...@chrysler.com> wrote:
> Gregory Machin wrote:
>>
>> Hi
>> Please can you advise. It's been ages since I have configured dnssec.
>> I used nsupdate (with dnssec) to update a zone file with all the hosts'
>> current IPs so that they are reachable via a host name even when the
>> IP has changed (a dyndns.org type of thing). Everything seems to work
>> fine: named accepts the update and writes it to the .jnl file, but when
>> I try and ping the updated host name I get "ping: unknown host
>> greg.za.protetor.net", and this is on the server running named. Yet
>> the logs show
>>
>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
>> external: updating zone 'device.example.net/IN': deleting rrset at
>> 'greg.device.example.net' A
>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
>> external: updating zone 'device.example.net/IN': adding an RR at
>> 'greg.device.example.net' A
>>
>> Which is correct from what I remember the last time I did this.
>>
>> my zone configuration:
>> /etc/named.conf
>> zone "device.example.net" {
>>         type master;
>>         file "/var/named/device.example.net.db";
>>         allow-transfer { any; };
>>         allow-update { key device.example.net; };
>> };
>>
>>
>> zone file:
>>
>> $ORIGIN .
>> $TTL 3600       ; 1 hour
>> device.example.net      IN SOA  ns1.example.net. ns2.example.net. (
>>                                 2009120805 ; serial
>>                                 900        ; refresh (15 minutes)
>>                                 600        ; retry (10 minutes)
>>                                 86400      ; expire (1 day)
>>                                 3600       ; minimum (1 hour)
>>                                 )
>>                         NS      ns1.example.net.
>>                         NS      ns2.example.net.
>>                         A       205.234.215.112
>>                         MX      0 server.example.net.
>> $ORIGIN device.example.net.
>> $TTL 60 ; 1 minute
>> greg                    A       97.xxx.xxx.127
>>
>>
>>
>> Running:
>> BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5
>>
>>
>>
> First of all, are you talking about DNSSEC, or just plain Dynamic Update
> (presumably crypto-authenticated if this is going to be a
> publicly-updateable zone)? I don't see any DNSSEC records in the zone file
> you posted.
>
> Secondly, if you do an AXFR of the zone after the Dynamic Update, does it
> reflect the change?
>
> Thirdly, on the machine which is originating the ping, how is it set up to
> resolve names? Does it only use DNS? Does it only use *itself* for resolving
> DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)?
> If so, have you waited long enough for the entries to expire from that
> intermediate cache?
>
> - Kevin
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
Hi Kevin,

Just plain Dynamic Update with "crypto-authenticated" keys.

If I do a dig:

r...@server [~]# dig @ns1.example.net device.example.net A +tcp

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @ns1.example.net device.example.net A +tcp
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44660
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;device.example.net.            IN      A

;; ANSWER SECTION:
device.example.net.     3600    IN      A       205.xxx.xxx.112

;; AUTHORITY SECTION:
device.example.net.     3600    IN      NS      ns1.example.net.
device.example.net.     3600    IN      NS      ns2.example.net.

;; Query time: 1 msec
;; SERVER: 205.234.215.113#53(205.234.215.113)
;; WHEN: Fri Dec 11 03:30:08 2009
;; MSG SIZE  rcvd: 85

There should be an A record for a host greg.device.example.net. IN A 97.xxx.xxx.127

Yet if I cat the zone file there is a record

greg A 97.xxx.xxx.127

I'm doing the ping on the DNS server that is hosting the device.example.net zone.

Thanks for your assistance.
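An added example, not part of the thread and not code from either poster: a small POSIX shell wrapper around nsupdate and dig that performs the "replace one A record" Dynamic Update with a TSIG key and then checks the result along the lines Kevin suggests, by querying the master directly (so nscd or a local stub resolver cannot mask the change) and by AXFR of the zone. Note that the dig shown above asks for the zone apex, device.example.net, so its answer section can never contain greg's record; the wrapper queries the host name itself. The key file path, the server name ns1.example.net, the TTL and the address 192.0.2.10 used in the offline demonstration are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: a TSIG key in a file
# that "nsupdate -k" accepts, the master reachable as ns1.example.net, and
# the constructed address 192.0.2.10 standing in for the real host address.

KEYFILE=${KEYFILE:-/etc/named.device.example.net.key}   # assumed path

# Emit the nsupdate batch for "replace the A record of HOST in ZONE with IP".
# The whole A rrset is deleted first and then one RR added, which is exactly
# the pair of log lines the thread shows; a stale address therefore never
# survives a change. Arguments: server zone host ip [ttl]
build_update() {
    server=$1 zone=$2 host=$3 ip=$4 ttl=${5:-60}
    printf 'server %s\nzone %s\nupdate delete %s.%s. A\nupdate add %s.%s. %s A %s\nsend\n' \
        "$server" "$zone" "$host" "$zone" "$host" "$zone" "$ttl" "$ip"
}

# Read "dig +short" output on stdin; succeed only if the expected address
# is one of the returned lines (fixed-string, whole-line match).
answer_has() {
    expect=$1
    grep -qxF -- "$expect"
}

# Read "dig AXFR" output on stdin; succeed if HOST (fully qualified, with
# trailing dot) has an A record whose rdata is EXPECT.
axfr_has_a() {
    host=$1 expect=$2
    awk -v h="$host" -v e="$expect" \
        '$1 == h && $4 == "A" && $5 == e { found = 1 } END { exit !found }'
}

# Full round trip against a real server. Needs network access and the key,
# so it is defined here but not invoked by the offline demonstration below.
push_and_verify() {
    server=$1 zone=$2 host=$3 ip=$4
    build_update "$server" "$zone" "$host" "$ip" | nsupdate -k "$KEYFILE" || return 1
    # Ask the master for the host name, not the zone apex.
    dig @"$server" "$host.$zone." A +short | answer_has "$ip" || return 1
    # Independently confirm the change landed in the zone (allow-transfer { any; }).
    dig @"$server" "$zone." AXFR | axfr_has_a "$host.$zone." "$ip" || return 1
    echo "$host.$zone. -> $ip confirmed by query and AXFR"
}

# Offline demonstration on constructed data; no server is contacted.
build_update ns1.example.net device.example.net greg 192.0.2.10
printf '192.0.2.10\n' | answer_has 192.0.2.10 && echo "host answer check OK"
```

To run the real thing, call `push_and_verify ns1.example.net device.example.net greg <address>` with KEYFILE pointing at the TSIG key; if the direct query succeeds but ping on the same box still says "unknown host", the problem is in that box's resolver path (nsswitch order, /etc/resolv.conf, or a cache such as nscd), not in named.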