Gregory Machin wrote:
On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy <k...@chrysler.com> wrote:
Gregory Machin wrote:
Hi
Please can you advise. It's been ages since I have configured DNSSEC.
I used nsupdate (with DNSSEC) to update a zone file with all the hosts'
current IPs so that they are reachable via a host name even when the
IP has changed (a dyndns.org type of thing). Everything seems to work
fine: named accepts the update and writes it to the .jnl file, but when
I try to ping the updated host name I get "ping: unknown host
greg.za.protetor.net", and this is on the server running named. Yet
the logs show

Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
external: updating zone 'device.example.net/IN': deleting rrset at
'greg.device.example.net' A
Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
external: updating zone 'device.example.net/IN': adding an RR at
'greg.device.example.net' A

Which is correct from what I remember the last time I did this.

My zone configuration:
/etc/named.conf
zone "device.example.net" {
       type master;
       file "/var/named/device.example.net.db";
       allow-transfer { any; };
       allow-update { key device.example.net; };
};


zone file:

$ORIGIN .
$TTL 3600       ; 1 hour
device.example.net         IN SOA  ns1.example.net. ns2.example.net. (
                               2009120805 ; serial
                               900        ; refresh (15 minutes)
                               600        ; retry (10 minutes)
                               86400      ; expire (1 day)
                               3600       ; minimum (1 hour)
                               )
                       NS      ns1.example.net.
                       NS      ns2.example.net.
                       A       205.234.215.112
                       MX      0 server.example.net.
$ORIGIN device.example.net.
$TTL 60 ; 1 minute
greg                    A       97.xxx.xxx.127

Running:
BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5

First of all, are you talking about DNSSEC, or just plain Dynamic Update
(presumably crypto-authenticated if this is going to be a
publicly-updateable zone)? I don't see any DNSSEC records in the zone file
you posted.

Secondly, if you do an AXFR of the zone after the Dynamic Update, does it
reflect the change?

Thirdly, on the machine which is originating the ping, how is it set up to
resolve names? Does it only use DNS? Does it only use *itself* for resolving
DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)?
If so, have you waited long enough for the entries to expire from that
intermediate cache?

- Kevin

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
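A caveat on Kevin's AXFR suggestion: it works from any host here only because the posted stanza has `allow-transfer { any; };`, which also lets anyone else pull the whole zone. As an added example (not from the thread), the same zone stanza with transfers limited to the server itself, an assumed secondary address, and holders of the update key that the page already defines; an AXFR check signed with that key (`dig -k <keyfile> ...`) still succeeds, an unsigned one from elsewhere is refused:

```conf
zone "device.example.net" {
       type master;
       file "/var/named/device.example.net.db";
       // 192.0.2.2 stands in for ns2's address (assumption); "localhost" is
       // BIND's built-in ACL for the server's own interfaces, so the check
       // Kevin describes can be run on the master itself.
       allow-transfer { localhost; 192.0.2.2; key device.example.net; };
       allow-update { key device.example.net; };
};
```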


Hi Kevin,
Just plain Dynamic Update with "crypto-authenticated" keys.

If I do a dig:
r...@server [~]# dig @ns1.example.net device.example.net A +tcp

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @ns1.example.net
device.example.net A +tcp
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44660
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;device.example.net.            IN      A

;; ANSWER SECTION:
device.example.net.     3600    IN      A       205.xxx.xxx.112

;; AUTHORITY SECTION:
device.example.net.     3600    IN      NS      ns1.example.net.
device.example.net.     3600    IN      NS      ns2.example.net.

;; Query time: 1 msec
;; SERVER: 205.234.215.113#53(205.234.215.113)
;; WHEN: Fri Dec 11 03:30:08 2009
;; MSG SIZE  rcvd: 85

There should be an A record for a host greg.device.example.net. IN A
97.xxx.xxx.127.
Yet if I cat the zone file, there is a record:

greg                    A       97.xxx.xxx.127

I'm doing the ping on the DNS server that is hosting the
device.example.net zone.

Cat'ing the zone file is no longer reliable once you've enabled a zone for Dynamic Update. There might be updates in the log file which haven't been committed to the actual zone file yet. That's why I recommended that you use an AXFR of the zone to check for changes recently made.

- Kevin
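Kevin's two points, check the live zone with an AXFR rather than the on-disk file, and expect the file to lag the journal, can be turned into a small script. This is an added example, not code from anyone in the thread: it builds the nsupdate batch that produces the delete/add log lines Gregory quoted, then parses `dig ... AXFR` output and asserts the record is there. Names, the 192.0.2.x / 198.51.100.x addresses, and the key file name are assumptions; SAMPLE_AXFR is constructed from the dig output above.

```python
"""Verify a dynamic update the way Kevin recommends: against an AXFR of the live
zone, not the zone file on disk, which lags behind the .jnl journal.

Added example for this thread, not code from the original posts. The names,
addresses and key file path are assumptions; SAMPLE_AXFR is constructed."""
import re
import subprocess
from collections import namedtuple

RR = namedtuple("RR", "name ttl rclass rtype rdata")

# One record in dig's presentation format: owner  TTL  class  type  rdata
_RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+(\S+)\s+(.*)$")


def nsupdate_script(server, zone, name, address, ttl=60):
    """Build the batch that nsupdate reads on stdin: drop the old A RRset and add
    the new address in one atomic update (the same delete/add pair the named log
    lines in the thread show). Feed it to nsupdate -k <TSIG key file>, e.g.
    Kdevice.example.net.+157+NNNNN.private (file name assumed)."""
    zone = zone.rstrip(".")
    fqdn = name if name.endswith(".") else f"{name}.{zone}."
    return "\n".join([
        f"server {server}",
        f"zone {zone}.",
        f"update delete {fqdn} A",
        f"update add {fqdn} {ttl} A {address}",
        "send",
        "",
    ])


def parse_axfr(text):
    """Parse the record lines of 'dig ... AXFR' output, skipping ';' comments.
    An AXFR starts and ends with the SOA; the closing copy is not kept."""
    records = []
    for line in text.splitlines():
        m = _RR_LINE.match(line.strip())
        if not m or line.lstrip().startswith(";"):
            continue
        name, ttl, rclass, rtype, rdata = m.groups()
        if rtype == "SOA" and any(r.rtype == "SOA" for r in records):
            break  # second SOA marks the end of the transfer
        records.append(RR(name.lower(), int(ttl), rclass, rtype, rdata.strip()))
    return records


def has_record(records, name, rtype, rdata):
    """True if the transferred zone holds exactly this name/type/rdata."""
    fqdn = name.lower() if name.endswith(".") else name.lower() + "."
    return any(r.name == fqdn and r.rtype == rtype and r.rdata == rdata for r in records)


def verify_update(server, zone, name, rtype, rdata, axfr_text=None):
    """Check the record against a zone transfer. With axfr_text=None this runs dig
    (needs network access and allow-transfer permission on the server); passing
    captured output lets the check run offline, as in the sample below."""
    if axfr_text is None:
        cmd = ["dig", f"@{server}", zone, "AXFR", "+tcp"]
        axfr_text = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return has_record(parse_axfr(axfr_text), name, rtype, rdata)


# Constructed AXFR output modelled on the dig output in the thread; the
# addresses are documentation ranges, not the real (masked) ones.
SAMPLE_AXFR = """\
; <<>> DiG 9.3.6-P1 <<>> @ns1.example.net device.example.net AXFR +tcp
;; global options:  printcmd
device.example.net.     3600    IN      SOA     ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
device.example.net.     3600    IN      NS      ns1.example.net.
device.example.net.     3600    IN      NS      ns2.example.net.
device.example.net.     3600    IN      A       192.0.2.112
device.example.net.     3600    IN      MX      0 server.example.net.
greg.device.example.net. 60     IN      A       198.51.100.127
device.example.net.     3600    IN      SOA     ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
;; Query time: 2 msec
"""

if __name__ == "__main__":
    print(nsupdate_script("ns1.example.net", "device.example.net", "greg", "198.51.100.127"))
    ok = verify_update("ns1.example.net", "device.example.net",
                       "greg.device.example.net", "A", "198.51.100.127", axfr_text=SAMPLE_AXFR)
    print("greg A record present in live zone:", ok)
```

The point of parsing the transfer rather than the file under /var/named is exactly the one Kevin makes: named serves the zone from memory plus the journal, so the AXFR shows the update the moment it is accepted, while the .db file only catches up when named writes the journal back.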
