static zones vs dynamic zones on bind9 and also how to split dns

Dear Experts:

Configured ddns which having static zones and dynamic zones , for servers and workstations which is not movable has been assigned with the ip addresses manually from the static zone and for all the remaining laptop users which are of mobile users pointed to the dhcp by using the dynamic zones, i got to know converting the static zones to dynamic , would like know what are the advantages of doing this.

2. As of now ddns is working fine now also planning to install and configure zimbra mail server in the LAN which is behind the firewall i think the recommended practice is to configure the split dns ,  would like to know how to configure the spilt dns with my existing ddns.

Please help. Thanks in advance.
D_wathiAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PapertripCommented:
There are a few advantages to using dynamic zones vs. static, but the main one is using nsupdate to update zones as opposed to manually editing the zone file.  Manually editing zone files has been a problem for a long time... what if someone typo's the syntax and invalidates the entire zone, or to a lesser extent what if someone made a change but neglected to update the serial.  Things like that can cause major problems in a DNS infrastructure based on static zones.  I have to mention that even with a zone being dynamic, you can still edit it manually... but don't!  Use nsupdate instead, it's easy!

Using nsupdate can be very simple, or a bit more complex by adding some additional error prevention.

The quick way, which is how I do it on my personal server since I am not using views (split dns) and I know how to use nsupdate properly ;)
[root@broken ~]# nsupdate -l
> update add example.domain.com 300 in a 1.2.3.4
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
example.domain.com.     300    IN       A       1.2.3.4

> send
> quit
[code][root@broken ~]# dig example.domain.com +short
1.2.3.4

Open in new window

* I only issued the "show" command to nsupdate for the sake of explaining this -- it is not a required step.
Using nsupdate at work, we add a couple extra layers of "security"
server 10.190.75.26
local 127.0.0.1
key hmac-sha512:dynamic-key IKy3AmRjgURGYAFvQosnURr9uh6GRv+LjVtepNepBnkZLVh+A+EJwtQpFRbo2I4Ub2w==
zone test-paypal.com
update add example.domain.com 300 IN A 1.2.3.4
send

Open in new window

How much complexity / "security" you want to use will depend on the needs of you and the infrastructure.  I put the word security in quotes because it's not really making it anymore secure, but rather is making sure that certain parts of your syntax are assigned properly so that you don't break the entire zone.  For example the zone statement says that all updates must be applied to that zone, key statement says to use a specific TSIG key for authentication (this pertains to views).

On a side note, if you DNSSEC sign your zones (which I also recommend), if setup properly then using nsupdate will trigger an automatic re-signing of the zone, as opposed to having to issue another dnssec-signzone command.  If you are curious about DNSSEC, that should be asked in a separate question.

As far as split DNS (called "views" in BIND) is concerned, check out the following links.  I listed them in order that I think you should read, but you read them in any order you feel comfortable with.  In most Linux distributions, there will already be commented out sections of named.conf to support view, you just need to uncomment them and configure them properly for your environment.

http://www.zytrax.com/books/dns/ch7/view.html
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch18_:_Configuring_DNS#Configuring_BIND_Views_in_named.conf
http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
D_wathiAuthor Commented:
Thanks you very much for the detailed information, when extecuted the below command
indar@lampsrv:/var/log$ sudo nsupdate
> update delete linwin.shriramdb.com A
> update add linuxwind.shriramdb.com 86400 A 192.168.1.248
> send
update failed: REFUSED
>

Sir, please give help me how to add the A and PTR records also delete using the nsupdate iam getting the message REFUSED.
0
PapertripCommented:
Need to add -l to nsupdate and set update-policy to local for the zone.
nsupdate can be run in a local-host only mode using the -l flag. This sets the server address to localhost
       (disabling the server so that the server address cannot be overridden). Connections to the local server will use a
       TSIG key found in /var/run/named/session.key, which is automatically generated by named if any local master zone
       has set update-policy to local. The location of this key file can be overridden with the -k option.

If you are chrooted then you will need to create the following symlink
/var/run/named/session.key -> /var/named/chroot/var/run/named/session.key

Open in new window

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
DNS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.