Migrate from static RRs to dynamic updates

Hello,

today I was triyng to answer a question that stated that in a DNS server, previous static RRs was not being updated, while passing from static RRs to dynamic updates.

As solution he says that was possible by aging all records with a dnscmd command.
Trying, this is not true.
Previous static RRs, even when aged, do not update themselves, I think because the server recognizes the dynamic updates as not come from the original "maker".

There's a way to convert static RRs into dynamic, using some command if You know?

Thank You much.

EDIT: I must point that was saying about an AD integrated zone and only secure updates allowed.

rj

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

DragonNOA1

If a RR is aged then it should have been deleted. Aged records are ones that have an old timestamp, which means the computer hasn't refreshed it for a while. So if you age a record (delete it), then when you do a dynamic update it will reappear.

rjbarlow

DragonNOA1 wrote:

If a RR is aged then it should have been deleted. Aged records are ones that have an old timestamp, which means the computer hasn't refreshed it for a while. So if you age a record (delete it), then when you do a dynamic update it will reappear.

I can suppose this is what he intended, but no mention was for aging and scavenging pre-configured. In fact if those are not enabled, those RRs remain where they were.

royal

I have never tried this and my thoughts about this are only based on my logic. But the reason I think that static RRs are not updatable (by default) is because if you create them, then the user who created them (could be the computer account) owns that record. Similar to 9x clients not being able to do dynamic updates and needing the DHCP server to do it on their behalf. Because of that, you'd put the DHCP server in the DNSProxyUpdate (I think that's the name). This prevents the DNS record from setting an owner so if the 9x client ever upgrades to 2k or xp and then tries to update its' own record, it can do so since there's no owner for that record.

I think the issue here is similar. If you go to each static record and modify the owners so anyone can update it, I think switching to dynamic updates will start working and clients/servers that try to update will then be allowed to. Again, this is only what I am thinking and have never tested read about this, but it seems logical.