Re: adding DS record via nsupdate
On 02/06/2013 12:56 AM, Doug Barton wrote:
>> I do the following as an example:
>>
>> nsupdate -d
>> server ip addr
>> zone test.net
>> update add subzone.test.net IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
> I don't think this makes sense. Shouldn't you have a proper zone for
> subzone.test.net? What utility would a DS record have in this location?

Eh? DS records always live in the parent zone, exactly like delegating NS records.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: adding DS record via nsupdate
Precisely!

That is why one of the sanity checks is if NS records exist at all. If not, no DS records will be added.
And reversely: if all NS records are removed, any DS record will be removed as well.
Just as Mark Andrews indicated.

Kind regards,

Marc Lampo

On Wed, Feb 6, 2013 at 9:59 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 02/06/2013 12:56 AM, Doug Barton wrote:
>>> I do the following as an example:
>>>
>>> nsupdate -d
>>> server ip addr
>>> zone test.net
>>> update add subzone.test.net IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>>
>> I don't think this makes sense. Shouldn't you have a proper zone for
>> subzone.test.net? What utility would a DS record have in this location?
>
> Eh? DS records always live in the parent zone, exactly like delegating NS records.
RE: adding DS record via nsupdate
Of course. Thank you.

--
Jack Tavares

How many more can we sell with this button?

From: Mark Andrews [ma...@isc.org]
Sent: Tuesday, February 05, 2013 19:58
To: Andrew Latham
Cc: Jack Tavares; bind-us...@isc.org
Subject: Re: adding DS record via nsupdate

The update code has sanity checks. You can only add DS records where delegating NS records exist. If you remove a delegating NS rrset any DS records there will also be removed. This check is done after all the records have been processed.

Mark

server 127.0.0.1
zone example
key key.dv.isc.org
update add oo.example 0 ns drugs.dv.isc.org
update add oo.example 0 DS 10288 5 1 22F103696F795206A7373850444C6F4DA61D0076
send

; DiG 9.10.0pre-alpha isc.org oo.example ds +norec
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 60240
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;oo.example.IN DS

;; ANSWER SECTION:
oo.example. 0 IN DS 10288 5 1 22F103696F795206A7373850444C6F4DA61D0076

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 06 14:57:45 EST 2013
;; MSG SIZE rcvd: 163

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: adding DS record via nsupdate
On 02/06/2013 12:59 AM, Phil Mayers wrote:
> On 02/06/2013 12:56 AM, Doug Barton wrote:
>>> I do the following as an example:
>>>
>>> nsupdate -d
>>> server ip addr
>>> zone test.net
>>> update add subzone.test.net IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>>
>> I don't think this makes sense. Shouldn't you have a proper zone for
>> subzone.test.net? What utility would a DS record have in this location?
>
> Eh? DS records always live in the parent zone, exactly like delegating NS records.

Yeah, sorry, I had somehow substituted DNSKEY in my mind ... weird.
adding DS record via nsupdate
Hello -

I am trying to add a DS record via nsupdate and I can't get it to succeed.
It does not generate an error, but when I dig for the DS record I get NXDOMAIN.
When I edit the zone file and add the same DS record and reload, I can query it just fine.

I do the following as an example:

nsupdate -d
server ip addr
zone test.net
update add subzone.test.net IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
send

The output is

Sending update to ip#53
Outgoing update query:
;; -HEADER- opcode: UPDATE, status: NOERROR, id: 45236
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; ZONE SECTION:
;test.net. IN SOA

;; UPDATE SECTION:
subzone.test.net. IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F

Reply from update query:
;; -HEADER- opcode: UPDATE, status: NOERROR, id: 45236
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;test.net. IN SOA

end

Dig results

dig @ip +noadflag +nocdflag -t ds subzone.test.net.

; DiG 9.8.4-P1 @ip -t ds subzone.test.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 21747
;; flags: qr aa rd cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;subzone.test.net. IN DS

;; AUTHORITY SECTION:
test.net. 500 IN SOA .test.net. hostmaster..test.net. 2013010938 10800 3600 604800 86400

When I put the DS record in the zone manually:

tail zonefile:
subzone.test.net. IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F

and do a dig, it works:

dig @ip -t ds subzone.test.net.

; DiG 9.8.4-P1 @ip -t ds subzone.test.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 21326
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;subzone.test.net. IN DS

;; ANSWER SECTION:
subzone.test.net. IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F

;; Query time: 0 msec

Should this work?

Thank you

--
Jack Tavares
Re: adding DS record via nsupdate
On Tue, Feb 5, 2013 at 6:30 PM, Jack Tavares j.tava...@f5.com wrote:
> Hello -
>
> I am trying to add a DS record via nsupdate and I can't get it to succeed.
> It does not generate an error, but when I dig for the DS record I get NXDOMAIN.
> When I edit the zone file and add the same DS record and reload, I can query it just fine.
>
> I do the following as an example:
>
> nsupdate -d
> server ip addr
> zone test.net
> update add subzone.test.net IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
> send
>
> The output is
>
> Sending update to ip#53
> Outgoing update query:
> ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 45236
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;test.net. IN SOA
>
> ;; UPDATE SECTION:
> subzone.test.net. IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
> Reply from update query:
> ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 45236
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;test.net. IN SOA
>
> end
>
> Dig results
>
> dig @ip +noadflag +nocdflag -t ds subzone.test.net.
>
> ; DiG 9.8.4-P1 @ip -t ds subzone.test.net.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 21747
> ;; flags: qr aa rd cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;subzone.test.net. IN DS
>
> ;; AUTHORITY SECTION:
> test.net. 500 IN SOA .test.net. hostmaster..test.net. 2013010938 10800 3600 604800 86400
>
> When I put the DS record in the zone manually:
>
> tail zonefile:
> subzone.test.net. IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
> and do a dig, it works:
>
> dig @ip -t ds subzone.test.net.
>
> ; DiG 9.8.4-P1 @ip -t ds subzone.test.net.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; -HEADER- opcode: QUERY, status: NOERROR, id: 21326
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;subzone.test.net. IN DS
>
> ;; ANSWER SECTION:
> subzone.test.net. IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
> ;; Query time: 0 msec
>
> Should this work?
>
> Thank you
>
> --
> Jack Tavares

First guess is that the Serial is not getting updated correctly.

--
~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~
Re: adding DS record via nsupdate
On 02/05/2013 03:30 PM, Jack Tavares wrote:
> Hello -
>
> I am trying to add a DS record via nsupdate and I can't get it to succeed.
> It does not generate an error, but when I dig for the DS record I get NXDOMAIN.
> When I edit the zone file and add the same DS record and reload, I can query it just fine.
>
> I do the following as an example:
>
> nsupdate -d
> server ip addr
> zone test.net
> update add subzone.test.net IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F

I don't think this makes sense. Shouldn't you have a proper zone for subzone.test.net? What utility would a DS record have in this location?

Doug
Re: adding DS record via nsupdate
The update code has sanity checks. You can only add DS records where delegating NS records exist. If you remove a delegating NS rrset any DS records there will also be removed. This check is done after all the records have been processed.

Mark

server 127.0.0.1
zone example
key key.dv.isc.org
update add oo.example 0 ns drugs.dv.isc.org
update add oo.example 0 DS 10288 5 1 22F103696F795206A7373850444C6F4DA61D0076
send

; DiG 9.10.0pre-alpha isc.org oo.example ds +norec
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 60240
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;oo.example.IN DS

;; ANSWER SECTION:
oo.example. 0 IN DS 10288 5 1 22F103696F795206A7373850444C6F4DA61D0076

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 06 14:57:45 EST 2013
;; MSG SIZE rcvd: 163

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
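
Added example, not part of the thread and not BIND's code: a small Python model of the rule Mark Andrews and Marc Lampo describe above, where the DS/NS check runs once after every record in the update has been processed and the update still answers NOERROR. The NS targets ns1.test.net. and ns.subzone.test.net. are constructed values, and counting only NS RRsets below the zone apex as delegating is an assumption of the model.

```python
# Toy model of the DS sanity check described in this thread; not BIND's code.
APEX = "test.net."
# DS rdata taken from the thread; the NS targets below are constructed values.
DS = "34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F"


def apply_update(zone, ops, apex=APEX):
    """Apply one UPDATE message to zone, a dict {(name, rrtype): set(rdata)}.
    ops is a list of (action, name, rrtype, rdata); action is "add" or
    "delete" (delete removes the whole RRset and ignores rdata).
    Returns (rcode, dropped): names whose DS RRset the final check discarded.
    """
    new = {key: set(rdata) for key, rdata in zone.items()}
    for action, name, rrtype, rdata in ops:
        key = (name.lower(), rrtype.upper())
        if action == "add":
            new.setdefault(key, set()).add(rdata)
        elif action == "delete":
            new.pop(key, None)
        else:
            raise ValueError(f"unknown action: {action!r}")
    # The check runs once, after the whole message, so NS/DS order is free.
    # Model assumption: only NS RRsets below the apex count as delegating.
    dropped = sorted(
        name for (name, rrtype) in new
        if rrtype == "DS" and (name == apex or (name, "NS") not in new)
    )
    for name in dropped:
        del new[(name, "DS")]
    zone.clear()
    zone.update(new)
    # The update still answers NOERROR, as in the original poster's trace.
    return "NOERROR", dropped


def demo():
    """Replay the thread's cases against a constructed test.net zone."""
    zone = {(APEX, "NS"): {"ns1.test.net."}}
    sub = "subzone.test.net."
    ds_only = apply_update(zone, [("add", sub, "DS", DS)])
    ds_then_ns = apply_update(zone, [("add", sub, "DS", DS),
                                     ("add", sub, "NS", "ns.subzone.test.net.")])
    has_ds = (sub, "DS") in zone
    ns_removed = apply_update(zone, [("delete", sub, "NS", None)])
    return ds_only, ds_then_ns, has_ds, ns_removed, (sub, "DS") in zone


if __name__ == "__main__":
    print(demo())
```

On a real server, follow any DS update with a dig for the DS RRset, since the NOERROR reply alone does not show whether the record was kept.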