Re: BIND and rndc

> On Sat, 2005-12-17 at 13:24 -0300, |Lord_Zoo| wrote:
> > So, then, I should not use rndc with bind?
> 
> You can.  You can use it as you want to.  I've used it to stop the
> server; you should also be able to get it to refresh/reload slave zones
> from the master, but I've had marginal success with that (yes, I have
> got the keys set right, if anybody's about to make that suggestion).

Most of the refresh/reload problems I have encountered were caused
because I neglected to give the new zone file a new, higher serial
number in the Start of Authority (SOA) record.  BTW, I use a 10-digit
number generated from YYYYMMDDNN, where YYYYMMDD is the year, month and
day of the update and NN is the number of changes on that date.  NN is
helpful if, like me, you do not always type accurately.  At my former
job we did occasionally update the tables more than once a day.

There are other related matters affecting zone transfers.  The refresh
and retry times in the SOA, and also the send notifies configuration item
in the named.conf.

A confession: After getting things (keys and configuration items) set
up, and assuming that there are NO typos in the zone file(s) the zone
transfers work flawlessly. How do I know?  I check every one, "Just to
be sure." :-)

I also used rndc to reload the tables and obtain status, but I used
/etc/init.d/named [start/stop/restart/status/reload] to accomplish the
tasks to invoke rndc.

> > If so, then this could be easier, since then I could assign an
> > ACL of the servers to which to send transfers or get them from.
> 
> Ideally, you want your systems to take care of themselves.  Properly
> setting up master and slave servers will do that.
> 
> > The question is because, by default, bind comes with rndc in Fedora,
> > and I didn't want to create a new problem by disabling it.
> 
> It's just a tool, there's no obligation to use it.  You don't really
> have to disable it either, as you can set named to only pay attention to
> rndc on the local box (i.e. not be exploitable, remotely).

IIRC it is true that you will need to check and/or configure the
key on that system. It has been a long time since I had to set up a
completely fresh DNS server.

dlg

> -- 
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
> 
> -- 
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
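The YYYYMMDDNN serial scheme from the reply above, as an added example that is not part of the original thread: a small script that bumps the SOA serial in a zone file so that it always ends up strictly higher than the old one (the condition a slave needs before it will transfer the zone). The zone text, the regex and the function names are my own constructions.

```python
import re
from datetime import date

# Assumed SOA layout: "SOA <mname> <rname> (" optionally followed by
# comment lines, then the serial.  Case-insensitive like named itself.
SERIAL_RE = re.compile(
    r"\bSOA\s+\S+\s+\S+\s+\(?\s*(?:;[^\n]*\n\s*)*(\d+)", re.I
)

def next_serial(current: int, today: date) -> int:
    """Return a serial strictly greater than `current`.

    First change of the day gives YYYYMMDD00; later changes the same day
    bump NN.  If the current serial is already past today's base (a typo
    such as an extra digit), fall back to current + 1 so the slaves still
    see an increase rather than a smaller number they would ignore."""
    base = int(today.strftime("%Y%m%d")) * 100
    new = base if current < base else current + 1
    if new >= 2**32:  # SOA serials are unsigned 32-bit
        raise ValueError("serial would overflow 32 bits")
    return new

def bump_zone_serial(zone_text: str, today: date) -> tuple[str, int, int]:
    """Rewrite the SOA serial in `zone_text`; return (new_text, old, new)."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(1))
    new = next_serial(old, today)
    assert new > old, "serial did not increase"
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], old, new

# Constructed sample zone, last edited the day before the "update".
SAMPLE_ZONE = """\
$TTL 86400
@   IN  SOA  ns1.example.com. hostmaster.example.com. (
            2005121601 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
    IN  NS   ns1.example.com.
"""

if __name__ == "__main__":
    text, old, new = bump_zone_serial(SAMPLE_ZONE, date(2005, 12, 17))
    print(f"serial {old} -> {new}")
    print(text)
```

Run it against a copy of the zone and diff the result before reloading; it only touches the serial field.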
