Wednesday, October 01, 2008

bind retransfer zone

When operating a large number of BIND servers to provide DNS for your internal and/or external domains, you sometimes do not want to wait until the zones are refreshed automatically. The basic way BIND and DNS work is that you control domain names at your master server; all your slave servers look at the master and request the version (serial) number of a zone on a regular basis. When the serial number of the zone on the master differs from the serial number on the slave, the slave requests a zone transfer. If the slave is allowed to do a zone transfer, the new zone file is sent to the slave and the slave becomes aware of the changes.

However, in some cases you do not have the time to wait until the slaves pick up the new zone settings. In those cases you have to force BIND to do a 'retransfer'. By issuing a retransfer, BIND retransfers a single zone without checking the serial number and starts using it immediately. You can issue a retransfer with rndc, the name server control utility.

rndc controls the operation of a name server. It supersedes the ndc utility that was provided in old BIND releases. If rndc is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.

rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of rndc and named the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.

To let rndc force a retransfer for, for example, the domain somedomain.com, you execute the following command:

rndc -k /etc/bind/rndc.key retransfer somedomain.com

The -k /etc/bind/rndc.key part tells rndc where you have stored the rndc key. This can vary per installation and is not always required. You could first try it without the key part; if that fails, locate the key and use the -k option.
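As an added example (not part of the original post), here is a small POSIX shell script that puts the two steps above together: it compares the SOA serial the master serves against the serial the local slave serves, and only when the slave is behind does it issue the rndc retransfer and re-check the serial. It assumes rndc and dig are installed, that the key lives at /etc/bind/rndc.key (override with RNDC_KEY), and that the script runs on the slave itself; the master hostname and zone are passed as arguments, and the sample SOA line used in the comments is constructed.

```shell
#!/bin/sh
# Added example: check a slave's SOA serial against the master and force an
# rndc retransfer only when the slave is behind. Not code from the original post.

RNDC_KEY=${RNDC_KEY:-/etc/bind/rndc.key}   # assumption: key path from the post

# Extract the serial from one line of "dig +short ... SOA" output.
# Constructed sample input:
#   "ns1.somedomain.com. hostmaster.somedomain.com. 2008100101 3600 900 604800 86400"
# The serial is the third field.
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Query a server for the zone's SOA serial and print it (empty on failure).
query_serial() {
    # $1: server to ask, $2: zone name
    soa_serial "$(dig +short @"$1" "$2" SOA 2>/dev/null)"
}

# Return 0 (true) when the slave serial is numerically behind the master serial.
# Plain numeric comparison is used here; real DNS serials follow RFC 1982
# serial-number arithmetic, which this illustration does not implement.
slave_is_stale() {
    # $1: master serial, $2: slave serial
    [ -n "$1" ] && [ -n "$2" ] && [ "$2" -lt "$1" ]
}

# Compare master and local slave; retransfer the zone only if the slave lags.
retransfer_if_stale() {
    master=$1
    zone=$2
    m=$(query_serial "$master" "$zone")
    s=$(query_serial 127.0.0.1 "$zone")
    if [ -z "$m" ] || [ -z "$s" ]; then
        echo "could not read SOA serial for $zone (master='$m' slave='$s')" >&2
        return 1
    fi
    if slave_is_stale "$m" "$s"; then
        echo "slave serial $s is behind master serial $m, forcing retransfer"
        rndc -k "$RNDC_KEY" retransfer "$zone" || return 1
        # The transfer runs asynchronously; give named a moment, then re-check.
        sleep 5
        echo "slave now serves serial $(query_serial 127.0.0.1 "$zone")"
    else
        echo "slave serial $s is current (master serial $m), nothing to do"
    fi
}

# Usage: sh retransfer.sh ns-master.somedomain.com somedomain.com
if [ $# -eq 2 ]; then
    retransfer_if_stale "$1" "$2"
fi
```

Running it with no arguments does nothing, so the functions can be sourced and reused; with a master hostname and zone it performs the check and, when needed, the same rndc command shown above.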
