static zones vs dynamic zones on bind9 and also how to split dns

Posted on 2011-10-02
Last Modified: 2012-05-12
Dear Experts:

1. I have configured DDNS with static zones and dynamic zones: servers and workstations that are not movable have been assigned IP addresses manually from the static zone, and all the remaining laptop users, who are mobile users, are pointed to DHCP using the dynamic zones. I got to know about converting the static zones to dynamic, and I would like to know what the advantages of doing this are.

2. As of now DDNS is working fine. I am now also planning to install and configure a Zimbra mail server in the LAN, which is behind the firewall. I think the recommended practice is to configure split DNS, and I would like to know how to configure split DNS with my existing DDNS.

Please help. Thanks in advance.
Question by: D_wathi

    Accepted Solution

    There are a few advantages to using dynamic zones vs. static, but the main one is using nsupdate to update zones as opposed to manually editing the zone file.  Manually editing zone files has been a problem for a long time... what if someone mistypes the syntax and invalidates the entire zone, or, to a lesser extent, what if someone made a change but neglected to update the serial?  Things like that can cause major problems in a DNS infrastructure based on static zones.  I have to mention that even with a zone being dynamic, you can still edit it manually... but don't!  Use nsupdate instead, it's easy!

    Using nsupdate can be very simple, or a bit more complex by adding some additional error prevention.

    The quick way, which is how I do it on my personal server since I am not using views (split dns) and I know how to use nsupdate properly ;)
    [root@broken ~]# nsupdate -l
    > update add 300 in a
    > show
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
    ;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:     300    IN       A
    > send
    > quit
    [root@broken ~]# dig +short

    * I only issued the "show" command to nsupdate for the sake of explaining this -- it is not a required step.
    Using nsupdate at work, we add a couple extra layers of "security"
    key hmac-sha512:dynamic-key IKy3AmRjgURGYAFvQosnURr9uh6GRv+LjVtepNepBnkZLVh+A+EJwtQpFRbo2I4Ub2w==
    update add 300 IN A


    How much complexity / "security" you want to use will depend on the needs of you and the infrastructure.  I put the word security in quotes because it's not really making it any more secure, but rather is making sure that certain parts of your syntax are assigned properly so that you don't break the entire zone.  For example, the zone statement says that all updates must be applied to that zone, and the key statement says to use a specific TSIG key for authentication (this pertains to views).

    On a side note, if you DNSSEC sign your zones (which I also recommend), if setup properly then using nsupdate will trigger an automatic re-signing of the zone, as opposed to having to issue another dnssec-signzone command.  If you are curious about DNSSEC, that should be asked in a separate question.

    As far as split DNS (called "views" in BIND) is concerned, check out the following links.  I listed them in the order that I think you should read them, but you can read them in any order you feel comfortable with.  In most Linux distributions, there will already be commented-out sections of named.conf to support views; you just need to uncomment them and configure them properly for your environment.
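    To make the views and TSIG points above concrete, here is an added named.conf fragment (my own illustration, not the expert's configuration or anything from the thread) that puts a dynamic zone in an "internal" view and a static copy of the same zone in an "external" view. The zone name example.com, the 10.0.0.0/24 LAN, the reverse zone 0.0.10.in-addr.arpa, and the key name dynamic-key are assumptions; the secret is a placeholder to be replaced with the output of tsig-keygen (dnssec-keygen on older BIND 9 releases).

```conf
// Added example, not from the thread: BIND 9 named.conf fragment for split
// DNS with views. Zone name, LAN range and key name are assumed; the secret
// is a placeholder, never a real key.
key dynamic-key {
    algorithm hmac-sha512;
    secret "PLACEHOLDER-base64-secret-from-tsig-keygen";
};

acl internal-nets { 127.0.0.1; 10.0.0.0/24; };

view "internal" {
    // LAN hosts, and any request signed with dynamic-key, land in this view.
    match-clients { key dynamic-key; internal-nets; };
    recursion yes;

    // Dynamic zone: changed only with nsupdate, never by hand. named keeps a
    // journal (example.com.internal.jnl) beside this file, so the directory
    // must be writable by the user named runs as.
    zone "example.com" {
        type master;
        file "dynamic/example.com.internal";
        update-policy {
            // Least privilege: the key may change host records only, not the
            // SOA/NS at the apex. If updates are sent with "nsupdate -l" from
            // this host instead, replace the grant with "update-policy local;".
            grant dynamic-key subdomain example.com. A AAAA TXT;
        };
    };

    zone "0.0.10.in-addr.arpa" {
        type master;
        file "dynamic/0.0.10.in-addr.arpa.internal";
        update-policy {
            grant dynamic-key subdomain 0.0.10.in-addr.arpa. PTR;
        };
    };
};

view "external" {
    // Everyone else (Internet side of the firewall): a static, non-recursive
    // zone holding only the public records, with no update clause at all,
    // so dynamic updates from outside are refused.
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "static/example.com.external";
    };
};
```

    Two things to check after adopting something like this: the key statement must appear before the view that references it, and a zone can carry either update-policy or allow-update but not both, so an update signed with a key that no grant names (or the session key used by nsupdate -l when the zone lacks update-policy local) comes back REFUSED rather than silently landing in the wrong view.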

    Author Comment

    Thank you very much for the detailed information. When I executed the below command
    indar@lampsrv:/var/log$ sudo nsupdate
    > update delete A
    > update add 86400 A
    > send
    update failed: REFUSED

    Sir, please help me with how to add and delete the A and PTR records using nsupdate; I am getting the message REFUSED.

    Expert Comment

    Need to add -l to nsupdate and set update-policy to local for the zone.
    nsupdate can be run in a local-host only mode using the -l flag. This sets the server address to localhost (disabling the server so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in /var/run/named/session.key, which is automatically generated by named if any local master zone has set update-policy to local. The location of this key file can be overridden with the -k option.

    If you are chrooted then you will need to create the following symlink
    /var/run/named/session.key -> /var/named/chroot/var/run/named/session.key
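    As an added illustration of the -l / update-policy local approach applied to the asker's actual task (adding and deleting A and PTR records), here is a small POSIX shell script of my own, not something from the thread. It assumes BIND 9 on the same host with both the forward zone example.com and the reverse zone 0.0.10.in-addr.arpa configured with update-policy local; the host name laptop1.example.com and the address 10.0.0.25 are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the forward zone example.com and
# the reverse zone 0.0.10.in-addr.arpa are both "update-policy local;" on this
# host, so "nsupdate -l" (session key) is authorised. Names/IPs are constructed.

# Turn a dotted IPv4 address into its PTR owner name, the part that is most
# often written backwards by hand: 10.0.0.25 -> 25.0.0.10.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Build the nsupdate batch for one host: delete any stale A/PTR first, then
# add the new pair. There is one "send" per zone because a single update
# message may only touch one zone (nsupdate derives the zone from the first
# name it sees, so mixing forward and reverse names in one message fails).
ddns_script() {
    host=$1          # fully qualified with trailing dot, e.g. laptop1.example.com.
    ip=$2
    ttl=${3:-300}
    ptr=$(reverse_name "$ip")
    printf 'update delete %s A\n'       "$host"
    printf 'update add %s %s A %s\n'    "$host" "$ttl" "$ip"
    printf 'send\n'
    printf 'update delete %s PTR\n'     "$ptr"
    printf 'update add %s %s PTR %s\n'  "$ptr" "$ttl" "$host"
    printf 'send\n'
}

# Feed the batch to nsupdate in local mode. Without update-policy local on
# the zone (or with the chroot symlink missing) this is where REFUSED appears.
apply_ddns() {
    ddns_script "$@" | nsupdate -l
}

# Usage (requires a running named with the assumed zones):
# apply_ddns laptop1.example.com. 10.0.0.25 86400
```

    Deleting before adding keeps a renumbered laptop from accumulating several A records, and feeding nsupdate from a script rather than typing interactively makes the batch reviewable and repeatable.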
