In message <CAMTzf0FCAt=zg3+ozkayyxzdtduwhumbbzzsz0zomojbheh...@mail.gmail.com> , Bojan Tomic writes: > > Thanks Phil! > > I've tried "allow-update-forwarding", but my understanding is that this > option only works for slave servers!? What i'm looking for is dynamic > update forwarding from non-authoritative server. Can allow-update-forwarding > also work with non-authoritative server? We are building an internal > closed solution so source IP checking is not necessary.
No there is no support for forwarding updates except when configured as a slave server. Also TSIG signatures are preserved when UPDATE requests are forwarded. TSIG was designed to allow signed messages to be forwarded. The ID field is not covered by the the TSIG to allow the message to be forwarded. The slave does NOT have to know the shared TSIG secret. > On Wed, Oct 2, 2013 at 8:56 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote: > > > On 10/02/2013 07:51 AM, Bojan Tomic wrote: > > > >> Hi, > >> > >> I'm looking for a way to setup a recursive/forwarding named server to > >> forward dynamic updates > >> > > > > See "allow-update-forwarding" in the ARM. Obviously you will lose source > > IP / TSIG key info, so will need to perform access checks at the forwarding > > server, and allow everything you need at the target server from the > > source/key of the forwarder. > > ______________________________**_________________ > > Please visit https://lists.isc.org/mailman/**listinfo/bind-users<https://li > sts.isc.org/mailman/listinfo/bind-users>to unsubscribe from this list > > > > bind-users mailing list > > bind-users@lists.isc.org > > https://lists.isc.org/mailman/**listinfo/bind-users<https://lists.isc.org/m > ailman/listinfo/bind-users> > > > > --001a1130ca2e6daa0d04e7be076f > Content-Type: text/html; charset=ISO-8859-1 > Content-Transfer-Encoding: quoted-printable > > <div dir=3D"ltr">Thanks Phil!<div><br></div><div>I've tried=A0<span sty= > le=3D"font-family:arial,sans-serif;font-size:13px">=A0</span><font face=3D"= > arial, sans-serif">"allow-update-forwarding", but my=A0understand= > ing=A0is that this option only works for slave servers!? What i'm looki= > ng for is dynamic update forwarding from non-authoritative server. Can=A0</= > font><span style=3D"font-family:arial,sans-serif">allow-update-forwarding a= > lso work with non-</span><font face=3D"arial, sans-serif">authoritative ser= > ver?</font><span style=3D"font-family:arial,sans-serif">=A0 We are building= > an internal closed solution so source IP checking is not necessary.</span>= > </div> > <div><font face=3D"arial, sans-serif"><br></font></div><div class=3D"gmail_= > extra"><br><br><div class=3D"gmail_quote">On Wed, Oct 2, 2013 at 8:56 AM, P= > hil Mayers <span dir=3D"ltr"><<a href=3D"mailto:p.may...@imperial.ac.uk"= > target=3D"_blank">p.may...@imperial.ac.uk</a>></span> wrote:<br> > <blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-= > left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p= > adding-left:1ex"><div class=3D"im">On 10/02/2013 07:51 AM, Bojan Tomic wrot= > e:<br> > > <blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-= > left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p= > adding-left:1ex"> > Hi,<br> > <br> > I'm looking for a way to setup a recursive/forwarding named server to<b= > r> > forward dynamic updates<br> > </blockquote> > <br></div> > See "allow-update-forwarding" in the ARM. Obviously you will lose= > source IP / TSIG key info, so will need to perform access checks at the fo= > rwarding server, and allow everything you need at the target server from th= > e source/key of the forwarder.<br> > > ______________________________<u></u>_________________<br> > Please visit <a href=3D"https://lists.isc.org/mailman/listinfo/bind-users" = > target=3D"_blank">https://lists.isc.org/mailman/<u></u>listinfo/bind-users<= > /a> to unsubscribe from this list<br> > <br> > bind-users mailing list<br> > <a href=3D"mailto:bind-users@lists.isc.org" target=3D"_blank">bind-users@li= > sts.isc.org</a><br> > <a href=3D"https://lists.isc.org/mailman/listinfo/bind-users" target=3D"_bl= > ank">https://lists.isc.org/mailman/<u></u>listinfo/bind-users</a><br> > </blockquote></div><br></div></div> > > --001a1130ca2e6daa0d04e7be076f-- > > --===============7893024926507508332== > Content-Type: text/plain; charset="us-ascii" > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > Content-Disposition: inline > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > --===============7893024926507508332==-- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users