I do not know why nsupdate in m0n0wall does not use the MNAME field in
the domain's SOA record, but I was able to resolve the problem because
bind versions 9.1.0 and later support update forwarding in slave
configurations using allow-update-forwarding in zone configurations.
Anyone with bind versions older than that is out of luck though.
Adam Gibson wrote:
> nsupdate on m0n0wall is trying to send updates to a slave server instead
> of the master bind nameserver specified in the MNAME portion of the SOA
> record of the domain to be updated. This is causing some updates to get
> lost because it fails after it tries to send it to the slave server.
> Interestingly there are no errors by nsupdate (executing it manually
> through exec.php) about the failure, but a trace of the network traffic
> shows that it is definitely getting denied by the slave server (as the
> slave should reject it).
> According to all the information I can find nsupdate is supposed to send
> updates to the master DNS server. It obtains that by querying the SOA
> record of the domain being updated. This however is not what is being
> observed. Nsupdate on m0n0wall seems to just randomly use one of the NS
> records for the domain to send updates to because sometimes it sends
> updates to a slave server which are rejected.
> *note: server1.somedomain.com and server2.somedomain.com are just used
> as example dns server hostnames
> I have checked the SOA and server1 is specified in the SOA as the MNAME.
> server1.somedomain.com and server2.somedomain.com are used for NS
> records. For some reason nsupdates are sometimes going to server2 which
> is not in the MNAME section of the SOA.
> This is the text I found so far explaining how you can override which
> server gets the updates and what happens by default if that is left out.
> The nsupdatecmds file in /var/etc/ is what seems to be generated for
> the nsupdate configuration.
> "server servername [ port ]
> Sends all dynamic update requests to the name server servername.
> When no server statement is provided, nsupdate will send updates to the
> master server of the correct zone. The MNAME field of that zone's SOA
> record will identify the master server for that zone. port is the port
> number on servername where the dynamic update requests get sent. If no
> port number is specified, the default DNS port number of 53 is used."
> I can add the server part to the nsupdatecmds file manually to force the
> updates to the master server according to this information but that of
> course is not a good solution when the firewall reboots.
> Does anyone know why nsupdate on m0n0wall behaves this way? Is it just
> an old version of nsupdate?
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
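As an added illustration of the workaround described in the thread (forcing updates to the zone's MNAME with an explicit `server` statement), here is a small POSIX shell script that is not part of m0n0wall or the original posts. It parses the SOA record text for the zone, extracts the MNAME, and writes an nsupdate command file that pins the update to that server. The SOA text is a constructed sample in the format `dig +short SOA somedomain.com` prints, using the thread's example hostnames; the zone, host, TTL, address and output path are all hypothetical.

```shell
#!/bin/sh
# Constructed sample: what `dig +short SOA somedomain.com` would print for a
# zone whose MNAME is server1.somedomain.com. Not real data; the names are
# the example hostnames from the thread. In real use replace this with
#   SAMPLE_SOA=$(dig +short SOA somedomain.com)
SAMPLE_SOA='server1.somedomain.com. hostmaster.somedomain.com. 2004010101 3600 900 604800 86400'

# master_from_soa SOA_TEXT
# Prints the MNAME (first field of the SOA RDATA) without its trailing dot.
# This is the server nsupdate is documented to use when no `server`
# statement is given; we make that choice explicit instead of trusting it.
master_from_soa() {
    set -f                      # no globbing while we split on whitespace
    set -- $1
    set +f
    printf '%s\n' "${1%.}"
}

# gen_nsupdate_cmds MASTER ZONE HOST TTL IP OUTFILE
# Writes an nsupdate command file. The leading `server` line is the fix from
# the thread: it overrides nsupdate's own (observed to be unreliable) choice
# of target server. `zone`, `update delete`, `update add` and `send` are
# standard nsupdate commands.
gen_nsupdate_cmds() {
    master=$1; zone=$2; host=$3; ttl=$4; ip=$5; out=$6
    {
        printf 'server %s 53\n' "$master"
        printf 'zone %s\n' "$zone"
        printf 'update delete %s A\n' "$host"
        printf 'update add %s %s A %s\n' "$host" "$ttl" "$ip"
        printf 'send\n'
    } > "$out"
}

# cmds_target FILE
# Prints the hostname on the `server` line of a generated command file, so a
# caller can confirm before running nsupdate that updates go to the master.
cmds_target() {
    awk '$1 == "server" { print $2; exit }' "$1"
}

# Example run (hypothetical host and address; /tmp path is illustrative).
if [ "${1:-}" = "run" ]; then
    master=$(master_from_soa "$SAMPLE_SOA")
    gen_nsupdate_cmds "$master" somedomain.com host.somedomain.com 300 192.0.2.10 /tmp/nsupdatecmds
    printf 'updates will go to: %s\n' "$(cmds_target /tmp/nsupdatecmds)"
    # nsupdate /tmp/nsupdatecmds
fi
```

On m0n0wall the command file under /var/etc/ is regenerated on reboot, so a script like this would have to run after that regeneration, which is why the first message in the thread settled on the BIND-side fix instead: a slave zone with `allow-update-forwarding` in its zone configuration forwards the update to the master rather than rejecting it, so a misdirected update no longer gets lost.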