Stephen Gran on 21 Feb 2005 22:15:53 -0000



Re: [PLUG] bind9 not allowing WinXp clients to update DDNS


On Mon, Feb 21, 2005 at 04:19:23PM -0500, Mike Leone said:
> Stephen Gran wrote:
> 
> Ready for this? :-)
> 
> Feb 21 16:14:05 mail named[1557]: client 192.168.100.73#2099: updating
> zone 'mike-leone.com/IN': update failed: 'RRset exists (value
> dependent)' prerequisite not satisfied (NXRRSET)
> Feb 21 16:14:05 mail named[1557]: client 192.168.100.73#2102: updating
> zone 'mike-leone.com/IN': adding an RR
> Feb 21 16:14:05 mail named[1557]: journal file
> /etc/bind/mike-leone.com.hosts.jnl does not exist, creating it
> Feb 21 16:14:05 mail named[1557]: client 192.168.100.73#2105: updating
> zone '100.168.192.in-addr.arpa/IN': deleting an rrset
> Feb 21 16:14:05 mail named[1557]: client 192.168.100.73#2105: updating
> zone '100.168.192.in-addr.arpa/IN': adding an RR
> Feb 21 16:14:05 mail named[1557]: journal file
> /etc/bind/192.168.100.ptrs.jnl does not exist, creating it
> Feb 21 16:14:06 mail named[1557]: client 192.168.100.73#2112: updating
> zone '100.168.192.in-addr.arpa/IN': deleting an rrset
> Feb 21 16:14:06 mail named[1557]: client 192.168.100.73#2112: updating
> zone '100.168.192.in-addr.arpa/IN': adding an RR
> 
> 
> Note the location of the journal file. Also, I changed the named.conf:
> 
> ----------------------------------------------
> acl "home" { 192.168.100.0/24; 127.0.0.1;};
> 
> zone "mike-leone.com" {
>         type master;
>         file "/etc/bind/mike-leone.com.hosts";

That's why they're writing to /etc/bind - it's because that's where your
zone files are.  I guessed that finally in a previous email, but it's
nice to know.

>         allow-update {home; };
> };
> 
> zone "100.168.192.in-addr.arpa" {
>         type master;
>         file "/etc/bind/192.168.100.ptrs";
>         allow-update {home; };
> };
> ----------------------------------------------
> 
> I also changed the /etc/bind directory to be chmod a+w.

Probably only needs to be writable for the user bind and rndc are
running as, but as you say, it's a low threat system.

> Yeah, I know, I know - it's supposed to be insecure, allowing updates by
> IP rather than by key. But it's a local DNS server, so I may just live
> with it.

Probably fine, until the WinXP box gets taken over by a rogue 14 year old
that wants to make all your queries return 'UR.p0wn3d.mike-leone.com' :)

Glad it's working,
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | A citizen of America will cross the     |
|  steve@lobefin.net             | ocean to fight for democracy, but won't |
|  http://www.lobefin.net/~steve | cross the street to vote in a national  |
|                                | election.   -- Bill Vaughan             |
 --------------------------------------------------------------------------
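The thread settles for IP-based `allow-update` plus a world-writable /etc/bind. The fragment below is an added example, not config posted by either participant, showing the key-based alternative Mike mentions; it assumes a TSIG key named `ddns-key` and a bind-owned directory `/var/lib/bind` (both assumptions, as is the placeholder secret).

```conf
// Weak form, as posted in the thread: every host on the LAN may rewrite
// both zones, and /etc/bind was made world-writable so named could
// create the .jnl journal files next to the zone files.
//
// acl "home" { 192.168.100.0/24; 127.0.0.1; };
// zone "mike-leone.com" {
//         type master;
//         file "/etc/bind/mike-leone.com.hosts";
//         allow-update { home; };
// };

// Hardened form (added example). The secret is a placeholder; generate a
// real one with tsig-keygen (or dnssec-keygen on older releases) and keep
// this file readable only by the user named runs as.
key "ddns-key" {
        algorithm hmac-sha256;
        secret "REPLACE-WITH-BASE64-SECRET==";
};

zone "mike-leone.com" {
        type master;
        // Dynamic zones and their journals live in a directory owned by
        // the bind user (mode 0750), not in a world-writable /etc/bind.
        file "/var/lib/bind/mike-leone.com.hosts";
        // Only updates signed with the shared key are accepted; the
        // source address no longer matters.
        allow-update { key "ddns-key"; };
};

zone "100.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/192.168.100.ptrs";
        allow-update { key "ddns-key"; };
};
```

Windows clients do not sign updates with a shared-secret TSIG key on their own, so the usual arrangement is for the DHCP server to hold `ddns-key` and register forward and reverse names on the clients' behalf, which keeps `allow-update` restricted to the key.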


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug