TSIG signed Updates
Stefan Puiu
stefanpuiu at itcnetworks.ro
Thu Feb 3 12:52:17 UTC 2005
You want to have the computers in the "ddns" ACL to be able to update
the slave, which should send those updates to the server using the TSIG
key "tsig-key", right? I'm not sure that allow-update-forwarding covers
anything else besides just forwarding the update packet without any
change. Maybe somebody more knowledgeable can confirm this.
On the other hand, to properly test your setup you should tell nsupdate
which server to update - the way you seem to have run it, it went
directly to the master server (determined with the SOA query from its
output), which rejected it because it wasn't signed. Specify the server
and zone you want nsupdate to update for you using the "server" and
"zone" commands to avoid this.
holger.honert at signal-iduna.de wrote:
>Hi out there,
>To better secure the dynamic updates that are forwarded via my secondary
>nameserver (172.17.111.30) using the allow-update-forwarding statement,
>these updates (should) be signed with a TSIG key.
>Unfortunately this does not work in my configuration. Every time I make an
>update I get a REFUSED, and the primary nameserver (172.27.100.12) says
>"update denied" in the log file.
>
>The key seems alright, because it is used for axfr with no problems.
>
>Here is the secondary DNS config:
>
>key tsig-key {
>    algorithm hmac-md5;
>    secret "my-secret";
>};
>
>server 172.27.100.12 {
>    keys { tsig-key; };
>};
>
>zone "nwf.local" in {
>    type slave;
>    file "secondary/db.nwf.local";
>    masters { 172.27.100.12; };
>    allow-update-forwarding { 127.0.0.1; ddns; };
>};
>
>The primary config:
>
>key tsig-key {
>    algorithm hmac-md5;
>    secret "my secret";
>};
>
>server 172.17.111.30 {
>    keys { tsig-key; };
>};
>
>zone "nwf.local" {
>    type master;
>    file "primary/db.nwf.local";
>    allow-query { any; };
>    allow-transfer { key tsig-key; };
>    update-policy {
>        grant dhcp-key-1 wildcard *.nwf.local. A TXT;
>        grant tsig-key wildcard *.nwf.local. ANY;
>    };
>    notify yes;
>    check-names ignore;
>};
>
>The output from nsupdate:
>
>>update add test1234.nwf.local. 1234 IN A 1.2.3.4
>
>Reply from SOA query:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34852
>;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>;; QUESTION SECTION:
>;test1234.nwf.local. IN SOA
>
>;; AUTHORITY SECTION:
>nwf.local. 0 IN SOA ns.nwf.local. dnsadmin.signal-iduna.net. 189 1800 1800 604800 38400
>
>Found zone name: nwf.local
>The master is: ns.nwf.local
>
>Reply from update query:
>;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 8817
>;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>
>Output from named.log on the primary:
>
>03-Feb-2005 09:48:05.248 update-security: error: client
>172.17.111.30#32905: update 'nwf.local/IN' denied
>
>Where am I wrong?
>
>TIA!
>
>Kind Regards/Freundlichen Gruß
>
>Holger Honert
>
>KOMN-97851
>
>SIGNAL IDUNA Gruppe
>Joseph-Scherer-Str. 3
>
>44139 Dortmund
>
>Phone: +49 231/135-4043
>FAX: +49 231/135-2959
>
>mailto: holger.honert at signal-iduna.de
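The signing step the whole thread depends on, as an added example that is not part of the original mails: a minimal Python model of how a client computes the TSIG HMAC-MD5 MAC over a DNS UPDATE request (RFC 2136, RFC 2845) and how the receiving server checks it. The message layout, the key name tsig-key, the two secrets quoted in the configs above and the timestamp are constructed from the thread, not captured traffic.

```python
import hmac, hashlib, struct

def wire_name(name):
    """Canonical DNS wire form of a domain name: lowercase labels, no compression (RFC 4034 6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_update(zone, owner, ttl, ipv4, msg_id=8817):
    """Minimal DNS UPDATE message (RFC 2136): header, one ZONE entry, one A record to add."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE, ZOCOUNT=1, UPCOUNT=1
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)     # ZTYPE SOA, ZCLASS IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    add_rr = wire_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata  # A IN <ttl>
    return header + zone_section + add_rr

def tsig_variables(key_name, algorithm, time_signed, fudge=300, error=0, other=b""):
    """TSIG RR fields that are covered by the MAC (RFC 2845 3.4.2), in wire order."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)             # CLASS ANY, TTL 0
            + wire_name(algorithm)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,  # 48-bit time
                          fudge, error, len(other))
            + other)

def tsig_mac(secret, message, key_name, time_signed, algorithm="hmac-md5.sig-alg.reg.int"):
    """Client side: HMAC-MD5 over the unsigned message followed by the TSIG variables."""
    data = message + tsig_variables(key_name, algorithm, time_signed)
    return hmac.new(secret, data, hashlib.md5).digest()

def verify_update(server_secret, message, key_name, time_signed, mac, fudge=300, now=None):
    """Server side: check the clock window, then recompute the MAC with the server's copy of the key."""
    now = time_signed if now is None else now
    if abs(now - time_signed) > fudge:
        return False                        # would be reported as BADTIME
    expected = tsig_mac(server_secret, message, key_name, time_signed)
    return hmac.compare_digest(expected, mac)  # False corresponds to BADSIG

if __name__ == "__main__":
    # Constructed from the thread: the update nsupdate sent, key name tsig-key, the two secrets quoted above.
    msg = build_update("nwf.local", "test1234.nwf.local", 1234, "1.2.3.4")
    mac = tsig_mac(b"my-secret", msg, "tsig-key", 1107424085)
    print("same secret on both sides:", verify_update(b"my-secret", msg, "tsig-key", 1107424085, mac))
    print("secrets differ:          ", verify_update(b"my secret", msg, "tsig-key", 1107424085, mac))
```

Any byte that differs between the two sides (secret, message body, key name, or a clock skew beyond the fudge window) changes or invalidates the MAC, which is why both name servers must hold byte-identical key material.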