Configuring a Name Server to Forward Dynamic Updates

3.12.1 Problem

You want a BIND 9 slave name server to forward any dynamic updates it receives from addresses on the local networks for a zone to its master name server.

3.12.2 Solution

Use the allow-update-forwarding zone substatement. For example:

zone "foo.example" {
 type slave;
 masters {; };
 file "";
 allow-update-forwarding { localnets; };

The slave name server forwards any dynamic updates it receives to the foo.example zone to its master name server, at

3.12.3 Discussion

For the most part, if you make sure that your zone's SOA record contains the domain name of the primary master name server in the MNAME field, you won't need to worry about update forwarding. Most updaters will automatically find your primary master and send their updates there. But if you use a hidden primary master or have ill-behaved clients, you may need this.

Forwarding updates, however, makes IP address-based authorization using allow-update even more dangerous than usual, because forwarded updates have the slave name server's source address. If you use update forwarding, you should use TSIG-signed dynamic updates, too. It doesn't matter if a slave forwards a signed update: it still bears the signature.

3.12.4 See Also

Section 3.11 for permitting dynamic updates; Recipes Section 5.20, Section 5.21, and Section 5.23 for sending dynamic updates -- particularly TSIG-signed updates -- using nsupdate; Recipes Section 9.10 and Section 9.11 for sending updates programmatically; and "TSIG-Signed Updates" in Chapter 10 of DNS and BIND.

Getting Started

Zone Data

BIND Name Server Configuration

Electronic Mail

BIND Name Server Operations

Delegation and Registration


Interoperability and Upgrading

Resolvers and Programming

Logging and Troubleshooting


DNS & BIND Cookbook
DNS & BIND Cookbook
ISBN: 0596004109
EAN: 2147483647
Year: 2005
Pages: 220
Authors: Cricket Liu © 2008-2020.
If you may any questions please contact us: