Myreader.co.uk  
uk news, chat and community
date: Tue, 29 Jul 2008 15:49:04 +0100,    group: uk.comp.os.linux
named config   
For any named gurus out there, I'm running BIND9 as a caching nameserver
under Debian etch.

This works fine, I can resolve most of my local network, as well as the wide
world.

However, I'm puzzled by a message which appears regularly in my daemon.log
(coincidental with my laptop renewing its lease with DHCP):

Jul 29 11:51:03 tony-lx named[2441]: client 192.168.10.10#56047: updating
zone 'magpieway.net/IN': update unsuccessful: TONY-XP.magpieway.net/A:
'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jul 29 11:51:03 tony-lx named[2441]: client 192.168.10.10#65194: update
'magpieway.net/IN' denied

magpieway.net is my local domain, and 192.168.10.10 is my (win XP wireless)
laptop; the IP is assigned via DHCP, and should reverse resolve as
tony-lw.magpieway.net, but doesn't (It's not in the zone file, of course).

The question: What does this message mean, and how do I make it go away, and
how do I get my zone file updated with dhcp clients?

Cheers, Tony.
-- 
Tony van der Hoff       | mailto:news_0711@vanderhoff.org
Buckinghamshire, England
date: Tue, 29 Jul 2008 15:49:04 +0100   author:   Tony van der Hoff

Re: named config   
Tony van der Hoff  wrote:
>
> Jul 29 11:51:03 tony-lx named[2441]: client 192.168.10.10#56047: updating
> zone 'magpieway.net/IN': update unsuccessful: TONY-XP.magpieway.net/A:
> 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> Jul 29 11:51:03 tony-lx named[2441]: client 192.168.10.10#65194: update
> 'magpieway.net/IN' denied
>
> magpieway.net is my local domain, and 192.168.10.10 is my (win XP wireless)
> laptop; the IP is assigned via DHCP, and should reverse resolve as
> tony-lw.magpieway.net, but doesn't (It's not in the zone file, of course).
>
> The question: What does this message mean, and how do I make it go away, and
> how do I get my zone file updated with dhcp clients?

It looks to me as if your DHCP server is trying to send dynamic updates
and your nameserver is rejecting these updates because it is not
configured to accept them.  You do have to configure bind explicitly to
allow this.  The bind documentation does cover it but here's a friendly
article on the subject:

mages/online/training/computer-trainin.html

-- 
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists
against the ignorant.  -- Roger Bacon, "Doctor Mirabilis"
date: Tue, 29 Jul 2008 16:22:57 +0100   author:   Bruce Richardson
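
What "configure bind explicitly" can look like for the zone in this thread, as an added example that is not part of the original posts: the zone accepts dynamic updates only when they are signed with a TSIG key shared with the DHCP server. The key name, file paths, algorithm and secret are assumptions or placeholders, not values from the thread.

```conf
# Added example for /etc/bind/named.conf.local (path assumed; not from the thread).
# The key name "dhcp-update" and the zone file path are hypothetical.

key "dhcp-update" {
    # Use an algorithm that both named and the DHCP server support.
    algorithm hmac-sha256;
    # Placeholder: substitute a generated base64 secret, and keep this file
    # readable only by root and the user named runs as.
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";
};

zone "magpieway.net" {
    type master;
    # named rewrites a dynamic zone's file and keeps a .jnl journal beside it,
    # so the directory must be writable by the user named runs as.
    file "/var/lib/bind/db.magpieway.net";

    # Weak: address-based trust. Updates arrive over UDP, so any host that
    # can use (or spoof) a LAN address could rewrite records in the zone.
    # allow-update { 192.168.10.0/24; };

    # Preferred: only requests signed with the TSIG key are accepted, and
    # only for A and TXT records under the zone. update-policy and
    # allow-update cannot both be set on the same zone.
    update-policy {
        grant dhcp-update subdomain magpieway.net. A TXT;
    };
};
```

Unsigned updates sent directly by a client such as 192.168.10.10 are still refused and logged under this policy; the records are meant to come from the DHCP server, which has to be configured with the same key.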

Re: named config   
On 29 Jul at 16:22 Bruce Richardson  wrote in message
<slrng8ucfv.6ga.itsbruce@store.bruce>

> Tony van der Hoff  wrote:
> >
> > Jul 29 11:51:03 tony-lx named[2441]: client 192.168.10.10#56047:
> > updating zone 'magpieway.net/IN': update unsuccessful:
> > TONY-XP.magpieway.net/A: 'RRset exists (value dependent)' prerequisite
> > not satisfied (NXRRSET)
> > Jul 29 11:51:03 tony-lx named[2441]: client
> > 192.168.10.10#65194: update 'magpieway.net/IN' denied
> >
> > magpieway.net is my local domain, and 192.168.10.10 is my (win XP
> > wireless) laptop; the IP is assigned via DHCP, and should reverse
> > resolve as tony-lw.magpieway.net, but doesn't (It's not in the zone
> > file, of course).
> >
> > The question: What does this message mean, and how do I make it go away,
> > and how do I get my zone file updated with dhcp clients?
>
> It looks to me as if your DHCP server is trying to send dynamic updates
> and your nameserver is rejecting these updates because it is not
> configured to accept them.  You do have to configure bind explicitly to
> allow this.  The bind documentation does cover it but here's a friendly
> article on the subject:
>
> mages/online/training/computer-trainin.html
>

Thanks for that, Bruce; I figured it would be something like that. The BIND
documentation hurts my head.

Could you perhaps review that link? I tried .../computer-training.htm, but
no joy.

Cheers, Tony

-- 
Tony van der Hoff       | mailto:news_0711@vanderhoff.org
Buckinghamshire, England
date: Tue, 29 Jul 2008 17:58:45 +0100   author:   Tony van der Hoff

Re: named config   
Tony van der Hoff  wrote:
> For any named gurus out there, I'm running BIND9 as a caching nameserver
> under Debian etch.

As an important side issue to your actual question, please make sure
that you upgrade it ASAP. You may (or may not) have read about the DNS
exploits that are being talked about right now, but essentially it allows
attackers to poison one's DNS cache so that names map to the wrong IP
addresses. (Can you say bank website spoofing?)

Chris
date: Tue, 29 Jul 2008 17:31:22 +0100   author:   Chris Davies

Re: named config   
On 29 Jul at 17:31 Chris Davies  wrote in message


> Tony van der Hoff  wrote:
> > For any named gurus out there, I'm running BIND9 as a caching nameserver
> > under Debian etch.
>
> As an important side issue to your actual question, please make sure that
> you upgrade it ASAP. You may (or may not) have read about the DNS exploits
> that are being talked about right now, but essentially it allows attackers
> to poison one's DNS cache so that names map to the wrong IP addresses.
> (Can you say bank website spoofing?)
[snip]

Aye:

bind9 (1:9.3.4-2etch3) stable-security; urgency=high

  * Randomize UDP query source ports to improve forgery resilience.
    (CVE-2008-1447)
 -- LaMont Jones <lamont at debian dot org>  Sun, 06 Jul 2008 19:19:53 -0600

Debian's pretty good with security patches, and I've got automatic
notification enabled. Thanks for the reminder!

-- 
Tony van der Hoff       | mailto:news_0711@vanderhoff.org
Buckinghamshire, England
date: Tue, 29 Jul 2008 18:38:27 +0100   author:   Tony van der Hoff

Re: named config   
Tony van der Hoff  wrote:
>> It looks to me as if your DHCP server is trying to send dynamic updates
>> and your nameserver is rejecting these updates because it is not
>> configured to accept them.  You do have to configure bind explicitly to
>> allow this.  The bind documentation does cover it but here's a friendly
>> article on the subject:
>>
>> mages/online/training/computer-trainin.html
>>
>
> Thanks for that, Bruce; I figured it would be something like that. The BIND
> documentation hurts my head.
>
> Could you perhaps review that link? I tried .../computer-training.htm, but
> no joy.

Whoops, sorry, pasting error.

http://www.debianadmin.com/howto-setup-dhcp-server-and-dynamic-dns-with-bind-in-debian.html


-- 
Bruce

Hierophant: someone who remembers, when you are on the way down,
everything you did to them on the way up.
date: Tue, 29 Jul 2008 21:03:29 +0100   author:   Bruce Richardson

Re: named config   
On 29 Jul at 21:03 Bruce Richardson  wrote in message
<slrng8ustu.7bu.itsbruce@store.bruce>

> Tony van der Hoff  wrote:
> > > It looks to me as if your DHCP server is trying to send dynamic
> > > updates and your nameserver is rejecting these updates because it is
> > > not configured to accept them.  You do have to configure bind
> > > explicitly to allow this.  The bind documentation does cover it but
> > > here's a friendly article on the subject:
> > >
> > > mages/online/training/computer-trainin.html
> > >
> >
> > Thanks for that, Bruce; I figured it would be something like that. The
> > BIND documentation hurts my head.
> >
> > Could you perhaps review that link? I tried .../computer-training.htm,
> > but no joy.
>
> Whoops, sorry, pasting error.
>
> http://www.debianadmin.com/howto-setup-dhcp-server-and-dynamic-dns-with-bind-in-debian.html
>

Well, thanks for that, Bruce. That hurts almost as much as the BIND
documentation itself; I guess I'll just put up with the error messages, I'm
evidently not up to the job... :(

Cheers, Tony
-- 
Tony van der Hoff       | mailto:news_0711@vanderhoff.org
Buckinghamshire, England
date: Wed, 30 Jul 2008 11:40:41 +0100   author:   Tony van der Hoff

Re: named config   
Tony van der Hoff  wrote:
>
> Well, thanks for that, Bruce. That hurts almost as much as the BIND
> documentation itself; I guess I'll just put up with the error messages, I'm
> evidently not up to the job... :(

There is an alternative, which might well work on your home network if
the various devices are recent enough: Zeroconf.

http://en.wikipedia.org/wiki/Zeroconf

Linux, Windows and OS X all support it (under different names); if the
various devices or hosts you have on your home lan also support it then
you don't need a local dhcp server or possibly even local dns zone
files, just the caching service.  Zeroconf-enabled devices can find
addresses for themselves without clashing and discover the names and
addresses of other zeroconf-capable hosts on the network.

Since you are averse to complex service configuration, you should
investigate this (on Linux, the zeroconf toolset is called Avahi) and
see if it would make life easier for you.

-- 
Bruce

Those who cast the votes decide nothing.  Those who count the
votes decide everything. -- Joseph Stalin
date: Wed, 30 Jul 2008 14:45:22 +0100   author:   Bruce Richardson
