On 04-Dec-22 21:34, vom513 wrote:
Hello all,

So I set up parental-agents lists for my zones, and actually got to see it work (awesome!). bind detected the parent DS records and acted accordingly. However, I currently have these lists configured using the IP (v4 only at the moment) addresses of the parent NSes. I tried inputting hostnames, and I got errors (i.e. syntax) every time. I would prefer to put these in as hostnames. While at a certain level in the tree these don't change very often, they can and do. I'd rather not have to keep track of these in this manner.

So my question - am I just mangling the syntax - or does this clause really only support IPs? I was thinking if so - perhaps the reason is some chicken vs. egg / security reason? I.e. not trusting the name (which would have to be itself resolved)?

Thanks in advance for clue++
Let the computer do the work.

Assuming you have a TRUSTED resolver, a work-around for this sort of issue is to replace the definition with an 'include'.

Run a cron job that queries your resolver & writes the resolved IP address. You can template the include file. (Or the entire config, but I get confused when the main .conf file is modified frequently.)

e.g. I use something like this in other cases. Season to taste. Don't use 8.8.8.8...
In named.conf:

    include "myagents.conf";

myagents.conf.template:

    // parental-agents takes a list name; "agents-99" and "agents-96" are placeholders
    parental-agents "agents-99" port 99 { %host.example.com% key secret ; %host.example.net% key sesame; };
    parental-agents "agents-96" port 96 { %host.example.edu% key password ; };

agent-update:
    #!/bin/bash
    # Update IP addresses in myagents.conf from myagents.conf.template.
    # Each %hostname% placeholder in the template is replaced with the first
    # address of the requested type that the trusted resolver returns.
    IP4HOSTS="host.example.com host.example.edu"
    IP6HOSTS="host.example.net"
    TRUSTED="8.8.8.8"    # placeholder: point this at a resolver you control and trust
    CONF="myagents.conf"
    trap "rm -f ${CONF}.tmp" EXIT
    if ! cp -p "${CONF}.template" "${CONF}.tmp" ; then
        exit 1
    fi
    function resolve () {
        local HOST="$1" TYPE="$2" IP=""
        # dig +short may print a CNAME target before the address, and may print
        # several addresses; keep only the first line that is an address literal,
        # since that is the only thing that may be spliced into named.conf.
        IP="$(dig +short "$HOST" "$TYPE" "@$TRUSTED" \
              | grep -E '^[0-9.]+$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$' | head -n 1)"
        if [ -z "$IP" ]; then
            echo "Failed to resolve \"${HOST}\" \"$TYPE\"" >&2
            exit 1
        fi
        sed -i -e "s/%${HOST}%/${IP}/g" "${CONF}.tmp"
    }
    for HOST in $IP4HOSTS; do
        resolve "$HOST" "a"
    done
    for HOST in $IP6HOSTS; do
        resolve "$HOST" "aaaa"
    done
    if ! mv "${CONF}.tmp" "${CONF}" ; then
        exit 1
    fi
    exit 0
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
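The approach in the reply above splices resolver output straight into a config file that named will load, so the two checks a practitioner wants are that the spliced value really is an address literal of the requested family (dig +short can also print CNAME targets, and more than one answer) and that no placeholder is left behind when a lookup comes back empty. The script below is an added example, not code from the original reply or from BIND; the resolver address, file names, host names and the list name are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original reply. Resolves the hosts named in a
# parental-agents template through a trusted resolver, validates what comes
# back, and refuses to install a config that still carries a placeholder.
# Resolver address, file names and host names are assumptions.

# Read "dig +short" output on stdin and print the first line that is an
# address literal of the requested family ("a" or "aaaa"). +short may print
# CNAME targets before the address, and several addresses; neither a hostname
# nor a multi-line value belongs inside a named.conf address clause.
# This is a shape check, not full address validation.
pick_address() {
    local type="$1" pattern
    case "$type" in
        a)    pattern='^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
        aaaa) pattern='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$' ;;
        *)    return 2 ;;
    esac
    grep -E "$pattern" | head -n 1 | grep .   # non-zero exit if nothing matched
}

# Render TEMPLATE into OUT, replacing each %name% with the address from the
# matching name=address argument. Fails if any %...% placeholder survives, so a
# missing or stale answer never reaches named as literal text.
render_template() {
    local template="$1" out="$2" script="" pair
    shift 2
    for pair in "$@"; do
        script="$script s|%${pair%%=*}%|${pair#*=}|g;"
    done
    sed -e "$script" "$template" > "$out" || return 1
    if grep -q '%[^%]*%' "$out"; then
        echo "unresolved placeholder left in $out" >&2
        return 1
    fi
}

# Driver: update_agents RESOLVER TEMPLATE CONF host=a|aaaa ...
# Queries RESOLVER for each host, renders into CONF.tmp, then moves it into place.
update_agents() {
    local resolver="$1" template="$2" conf="$3" spec host type addr pairs=""
    shift 3
    for spec in "$@"; do
        host="${spec%%=*}"; type="${spec#*=}"
        if ! addr=$(dig +short "$host" "$type" "@$resolver" | pick_address "$type"); then
            echo "no $type address for $host from $resolver" >&2
            return 1
        fi
        pairs="$pairs $host=$addr"
    done
    # $pairs is deliberately unquoted: each host=address token is one argument.
    render_template "$template" "$conf.tmp" $pairs || { rm -f "$conf.tmp"; return 1; }
    mv "$conf.tmp" "$conf"
}

# Example invocation (assumed resolver and names), run from cron:
#   update_agents 192.0.2.53 myagents.conf.template myagents.conf \
#       host.example.com=a host.example.edu=a host.example.net=aaaa
```

After update_agents succeeds, run named-checkconf against the full configuration before asking named to pick it up with rndc reconfig; that way a bad answer from the resolver costs one cron run rather than a daemon that refuses to reload.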
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users

