
List:       bind-users
Subject:    [Fwd: Re: dnssec updated zone data is not live ??]
From:       Kevin Darcy <kcd () chrysler ! com>
Date:       2009-12-17 19:52:40
Message-ID: 4B2A8C08.7050407 () chrysler ! com

Sorry, I meant "journal file", not "log file".

Also, your original message states that the change was written to the 
journal. How are you checking that? Using something like "journalprint"?

I'd still recommend doing an AXFR if you want to know what's _really_ in 
the zone on the master.

                                                                         
            - Kevin


["Re: dnssec updated zone data is not live ??.eml" (message/rfc822)]

X-Mozilla-Keys: 
Message-ID: <4B2A8B77.4010509@chrysler.com>
Date: Thu, 17 Dec 2009 14:50:15 -0500
From: Kevin Darcy <kcd@chrysler.com>
User-Agent: Thunderbird 2.0.0.6 (X11/20070802)
MIME-Version: 1.0
To: bind-users@isc.org
Subject: Re: dnssec updated zone data is not live ??
References: <30200a940912101303h66ed8abbrfa016299401cdc@mail.gmail.com>	
	<4B2174AB.9080406@chrysler.com>
	<30200a940912110152j114964f9naf8597ab1aae1554@mail.gmail.com>
In-Reply-To: <30200a940912110152j114964f9naf8597ab1aae1554@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Gregory Machin wrote:
> On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy <kcd@chrysler.com> wrote:
>   
>> Gregory Machin wrote:
>>     
>>> Hi
>>> Please can you advise. It's been ages since I have configured dnssec.
>>> I used nsupdate (with dnssec) to update a zone file with all the hosts'
>>> current IPs so that they are reachable via a host name even when the
>>> IP has changed (a dyndns.org type of thing).  Everything seems to work
>>> fine: named accepts the update and writes it to the .jnl file, but when
>>> I try and ping the updated host name I get "ping: unknown host
>>> greg.za.protetor.net", and this is on the server running named. Yet
>>> the logs show
>>>
>>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
>>> external: updating zone 'device.example.net/IN': deleting rrset at
>>> 'greg.device.example.net' A
>>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
>>> external: updating zone 'device.example.net/IN': adding an RR at
>>> 'greg.device.example.net' A
>>>
>>> Which is correct from what I remember the last time I did this.
>>>
>>> my zone configuration:
>>> /etc/named.conf
>>> zone "device.example.net" {
>>>        type master;
>>>        file "/var/named/device.example.net.db";
>>>        allow-transfer { any; };
>>>        allow-update { key device.example.net; };
>>> };
>>>
>>>
>>> zone file:
>>>
>>> $ORIGIN .
>>> $TTL 3600       ; 1 hour
>>> device.example.net         IN SOA  ns1.example.net. ns2.example.net. (
>>>                                2009120805 ; serial
>>>                                900        ; refresh (15 minutes)
>>>                                600        ; retry (10 minutes)
>>>                                86400      ; expire (1 day)
>>>                                3600       ; minimum (1 hour)
>>>                                )
>>>                        NS      ns1.example.net.
>>>                        NS      ns2.example.net.
>>>                        A       205.234.215.112
>>>                        MX      0 server.example.net.
>>> $ORIGIN device.example.net.
>>> $TTL 60 ; 1 minute
>>> greg                    A       97.xxx.xxx.127
>>>
>>>
>>>
>>> Running:
>>> BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5
>>>
>>>
>>>
>>>       
>> First of all, are you talking about DNSSEC, or just plain Dynamic Update
>> (presumably crypto-authenticated if this is going to be a
>> publicly-updateable zone)? I don't see any DNSSEC records in the zone file
>> you posted.
>>
>> Secondly, if you do an AXFR of the zone after the Dynamic Update, does it
>> reflect the change?
>>
>> Thirdly, on the machine which is originating the ping, how is it set up to
>> resolve names? Does it only use DNS? Does it only use *itself* for resolving
>> DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)?
>> If so, have you waited long enough for the entries to expire from that
>> intermediate cache?
>>
>> - Kevin
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>>     
>
> Hi Kevin
> Just plain Dynamic Update with "crypto-authenticated" keys
>
> if I do a dig on
> root@server [~]# dig @ns1.example.net device.example.net A +tcp
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @ns1.example.net
> device.example.net A +tcp
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44660
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;device.example.net.		IN	A
>
> ;; ANSWER SECTION:
> device.example.net.	3600	IN	A	205.xxx.xxx.112
>
> ;; AUTHORITY SECTION:
> device.example.net.	3600	IN	NS	ns1.example.net.
> device.example.net.	3600	IN	NS	ns2.example.net.
>
> ;; Query time: 1 msec
> ;; SERVER: 205.234.215.113#53(205.234.215.113)
> ;; WHEN: Fri Dec 11 03:30:08 2009
> ;; MSG SIZE  rcvd: 85
>
> There should be an A record for a host greg.device.example.net. IN A
> 97.xxx.xxx.127
> Yet if I cat the zone file there is a record
>
> greg			A	97.xxx.xxx.127
>
> I'm doing the ping on the dns server that is hosting the
> device.example.net zone ..
>
>   
Cat'ing the zone file is no longer reliable once you've enabled a zone 
for Dynamic Update. There might be updates in the log file which haven't 
been committed to the actual zone file yet. That's why I recommended 
that you use an AXFR of the zone to check for changes recently made.

                                                                         
                                                      - Kevin




_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
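The thread's point is that once a zone accepts Dynamic Update, the file on disk lags the journal, so the only reliable view of the live zone is what named actually serves (an AXFR). The script below is an added example, not from the thread and not an ISC tool: it normalises `dig ... AXFR` output and a master-format zone file into comparable "owner TYPE rdata" lists and reports the records named serves that the file does not yet contain. The dig output and zone file embedded in it are constructed samples modelled on the post (192.0.2.127 stands in for the masked address); the function names and the `SAMPLE_*` variables are this example's own assumptions. In real use, replace the samples with `dig @ns1.example.net device.example.net AXFR +tcp` and the zone's `file` path from named.conf.

```bash
#!/usr/bin/env bash
# Added example: compare what named serves (AXFR) with the on-disk zone file.
# Records present in the AXFR but absent from the file are still sitting in
# the .jnl journal, which is why "cat zonefile" is not a reliable check.
export LC_ALL=C   # consistent sort order for comm(1) on both sides

# Constructed sample: what "dig @ns1.example.net device.example.net AXFR +tcp" might print
SAMPLE_AXFR=$(cat <<'EOF'
; <<>> DiG 9.3.6-P1 <<>> @ns1.example.net device.example.net AXFR +tcp
;; global options:  printcmd
device.example.net.      3600 IN SOA ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
device.example.net.      3600 IN NS  ns1.example.net.
device.example.net.      3600 IN NS  ns2.example.net.
device.example.net.      3600 IN A   205.234.215.112
device.example.net.      3600 IN MX  0 server.example.net.
greg.device.example.net. 60   IN A   192.0.2.127
device.example.net.      3600 IN SOA ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
;; Query time: 1 msec
;; XFR size: 7 records
EOF
)

# Constructed sample: the zone file on disk, not yet updated with the "greg" record
SAMPLE_ZONEFILE=$(cat <<'EOF'
$ORIGIN .
$TTL 3600       ; 1 hour
device.example.net         IN SOA  ns1.example.net. ns2.example.net. (
                               2009120805 ; serial
                               900        ; refresh (15 minutes)
                               600        ; retry (10 minutes)
                               86400      ; expire (1 day)
                               3600       ; minimum (1 hour)
                               )
                       NS      ns1.example.net.
                       NS      ns2.example.net.
                       A       205.234.215.112
                       MX      0 server.example.net.
$ORIGIN device.example.net.
$TTL 60 ; 1 minute
EOF
)

# Reduce dig AXFR output (stdin) to sorted "owner TYPE rdata" lines; SOA dropped
# because its serial is expected to differ between file and live zone.
axfr_records() {
  awk '
    /^;/ || NF < 5 { next }                       # dig comments and blank lines
    $4 == "SOA" { next }
    { rdata = ""
      for (i = 5; i <= NF; i++) rdata = rdata (i > 5 ? " " : "") $i
      print tolower($1), $4, rdata }' | sort -u
}

# Reduce a master-format zone file (stdin) to the same form. $1 is the initial origin.
zonefile_records() {
  awk -v origin="$1" '
    function fqdn(n) {                            # expand a relative owner/target name
      if (n == "@") return origin
      if (n ~ /\.$/) return n
      return (origin == ".") ? n "." : n "." origin
    }
    { sub(/;.*/, "") }                            # strip comments first: they may contain parens
    NF == 0 { next }
    /^\$ORIGIN/ { origin = $2; next }             # later relative names expand against this
    /^\$/ { next }                                # $TTL, $INCLUDE, ...
    inparen { if (index($0, ")")) inparen = 0; next }   # remainder of a multi-line SOA
    {
      n = split($0, f, /[ \t]+/)
      if (f[n] == "") n--                         # trailing whitespace leaves an empty token
      if (f[1] == "") owner = last                # leading whitespace: reuse previous owner
      else { owner = fqdn(f[1]); last = owner }
      i = 2
      while (i <= n && (f[i] ~ /^[0-9]+$/ || f[i] == "IN")) i++   # optional TTL / class
      if (i > n) next
      type = f[i]; i++
      if (index($0, "(") && !index($0, ")")) inparen = 1
      if (type == "SOA") next
      if (type ~ /^(NS|CNAME|MX|PTR)$/) f[n] = fqdn(f[n])         # target names may be relative
      rdata = f[i]; for (i++; i <= n; i++) rdata = rdata " " f[i]
      print tolower(owner), type, rdata
    }' | sort -u
}

# $1 = "live-only" (served but not in the file, i.e. still in the journal)
# or "disk-only" (in the file but no longer served).
compare_live_vs_disk() {
  tmp_live=$(mktemp); tmp_disk=$(mktemp)
  printf '%s\n' "$SAMPLE_AXFR" | axfr_records > "$tmp_live"
  printf '%s\n' "$SAMPLE_ZONEFILE" | zonefile_records . > "$tmp_disk"
  if [ "$1" = "live-only" ]; then comm -13 "$tmp_disk" "$tmp_live"
  else comm -23 "$tmp_disk" "$tmp_live"; fi
  rm -f "$tmp_live" "$tmp_disk"
}

# What named actually serves for one owner/type, the check the thread recommends.
live_rdata() {
  printf '%s\n' "$SAMPLE_AXFR" | axfr_records |
    awk -v o="$1" -v t="$2" '$1 == o && $2 == t { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

echo "Served by named but not yet in the zone file (still in the journal):"
compare_live_vs_disk live-only
```

On a BIND 9.3 server the same journal contents can be listed with `named-journalprint` on the `.jnl` file, and `rndc freeze` followed by `rndc thaw` forces the journal to be written into the zone file; the AXFR comparison above is still the simplest way to confirm what resolvers will actually receive.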
