TSIG signed Updates

Stefan Puiu stefanpuiu at itcnetworks.ro
Thu Feb 3 12:52:17 UTC 2005


You want to have the computers in the "ddns" ACL to be able to update 
the slave, which should send those updates to the server using the TSIG 
key "tsig-key", right? I'm not sure that allow-update-forwarding covers 
anything else besides just forwarding the update packet without any 
change. Maybe somebody more knowledgeable can confirm this.

On the other hand, to properly test your setup you should tell nsupdate 
which server to update - the way you seem to have run it, it went 
directly to the master server (determined with the SOA query from its 
output), which rejected it because it wasn't signed. Specify the server 
and zone you want nsupdate to update for you using the "server" and 
"zone" commands to avoid this.

holger.honert at signal-iduna.de wrote:

>Hi out there,
>to better secure dynamic updates that are forwarded via my secondary 
>nameserver (172.17.111.30) using the allow-update-forwarding statement, 
>these updates (should) be signed with a TSIG-Key.
>Unfortunately this does not work in my configuration. Every time I make an 
>update I get a REFUSE and the primary nameserver (172.27.100.12) says 
>update denied in the log-file.
>
>The key seems alright, because it is used for axfr with no problems.
>
>Here is the sec. DNS config.:
>
>key tsig-key {
>        algorithm hmac-md5;
>        secret "my-secret";
>};
>
>server 172.27.100.12 {
>        keys { tsig-key ; };
>};
>
>zone "nwf.local" in {
>        type slave;
>        file "secondary/db.nwf.local";
>        masters { 172.27.100.12;};
>        allow-update-forwarding { 127.0.0.1; ddns; };
>};
>
>the pri. config:
>
>key tsig-key {
>        algorithm hmac-md5;
>        secret "my secret";
>};
>
>server 172.17.111.30 {
>        keys { tsig-key; };
>};
>
>zone "nwf.local" {
>        type master;
>        file "primary/db.nwf.local";
>        allow-query { any; };
>        allow-transfer { key tsig-key; };
>        update-policy {
>                grant dhcp-key-1 wildcard *.nwf.local. A TXT;
>                grant tsig-key wildcard *.nwf.local. ANY;
>        };
>        notify yes;
>        check-names ignore;
>};
>
>
>The output from nsupdate:
>
>
>>update add test1234.nwf.local. 1234 IN A 1.2.3.4
>>
>Reply from SOA query:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  34852
>;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>;; QUESTION SECTION:
>;test1234.nwf.local.            IN      SOA
>
>;; AUTHORITY SECTION:
>nwf.local.              0       IN      SOA     ns.nwf.local. dnsadmin.signal-iduna.net. 189 1800 1800 604800 38400
>
>
>Found zone name: nwf.local
>The master is: ns.nwf.local
>
>Reply from update query:
>;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:   8817
>;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>
>
>output named.log from the primary:
>
>03-Feb-2005 09:48:05.248 update-security: error: client 172.17.111.30#32905: update 'nwf.local/IN' denied
>
>Where am I wrong?
> 
>TIA!
>
>Kind Regards/Freundlichen Gruß
> 
>Holger Honert
> 
>KOMN-97851
> 
>SIGNAL IDUNA Gruppe
>Joseph-Scherer-Str. 3
> 
>44139 Dortmund
> 
>Phone: +49 231/135-4043
>FAX: +49 231/135-2959
> 
>mailto: holger.honert at signal-iduna.de
>
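What the master actually checks when a TSIG-signed UPDATE arrives, and why the unsigned one in the thread comes back REFUSED, is easiest to see by building and verifying such a message by hand. The following is an added example for this archive page, not code from the thread or from BIND: it signs a DNS UPDATE for test1234.nwf.local with HMAC-MD5 exactly as RFC 2845 describes (the algorithm the poster's "key tsig-key" block uses), then runs the server-side check against it and against the failure cases discussed above. The key name and zone echo the poster's configuration, but the secret, the message id and the fixed clock value are constructed; the name parser handles only uncompressed names, which is all this code ever emits.

```python
import hashlib
import hmac
import struct

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHM = "hmac-md5.sig-alg.reg.int."   # wire name of hmac-md5 (RFC 2845)

def encode_name(name):
    """Dotted name -> uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def read_name(msg, off):
    """Uncompressed wire name -> (dotted name, offset past it); nothing here emits pointers."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_update(zone, rr_name, ttl, ipv4, msg_id):
    """Unsigned UPDATE (opcode 5) adding one A record: ZOCOUNT=1, UPCOUNT=1, ARCOUNT=0."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    update = encode_name(rr_name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + update

def tsig_mac(msg, key_name, secret, time_signed, fudge, error=0):
    """HMAC over the message as it was before the TSIG RR was added, plus the TSIG variables."""
    variables = (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)   # class ANY, TTL 0
                 + encode_name(ALGORITHM)
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, 0))
    return hmac.new(secret, msg + variables, hashlib.md5).digest()

def sign_update(msg, key_name, secret, time_signed, fudge=300):
    """Client side: append the TSIG RR to the additional section and bump ARCOUNT.
    time_signed is the signer's clock as a Unix timestamp (int(time.time()) in real use)."""
    mac = tsig_mac(msg, key_name, secret, time_signed, fudge)
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))          # original id, error 0, other len 0
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify_update(signed, keyring, now):
    """Server side: returns (accepted, reason). keyring maps lower-case key name -> secret."""
    counts = struct.unpack("!HHHH", signed[4:12])
    if counts[3] == 0:
        return False, "unsigned"                     # the case the poster's master logs as 'update denied'
    off = 12                                         # skip every RR except the last additional one
    for section, n in enumerate(counts):
        for _ in range(n - (section == 3)):
            off = read_name(signed, off)[1]
            off += 4 if section == 0 else 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, tsig_start)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False, "last additional RR is not TSIG"
    rdata = signed[off + 10:off + 10 + rdlen]
    alg, p = read_name(rdata, 0)
    if alg.lower() != ALGORITHM:
        return False, "unsupported algorithm"
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", rdata[p:p + 10])
    time_signed, mac = (t_hi << 32) | t_lo, rdata[p + 10:p + 10 + mac_len]
    secret = keyring.get(key_name.lower())
    if secret is None:
        return False, "unknown key " + key_name      # TSIG error BADKEY
    if abs(now - time_signed) > fudge:
        return False, "time outside fudge window"    # TSIG error BADTIME
    unsigned = signed[:10] + struct.pack("!H", counts[3] - 1) + signed[12:tsig_start]
    if not hmac.compare_digest(mac, tsig_mac(unsigned, key_name, secret, time_signed, fudge)):
        return False, "bad signature"                # TSIG error BADSIG
    return True, "ok"

def demo():
    """Sign the update from the thread with a constructed key, then run the server check on it and on the failure cases."""
    key_name, secret = "tsig-key.", b"constructed-secret-not-the-posters"   # constructed values
    keyring = {"tsig-key.": secret}
    now = 1107424085                                 # fixed clock so the run is reproducible
    msg = build_update("nwf.local.", "test1234.nwf.local.", 1234, "1.2.3.4", msg_id=8817)
    signed = sign_update(msg, key_name, secret, time_signed=now)
    tampered = signed[:len(msg) - 1] + b"\x05" + signed[len(msg):]   # 1.2.3.4 -> 1.2.3.5 after signing
    return {
        "signed": verify_update(signed, keyring, now),
        "unsigned": verify_update(msg, keyring, now),              # nsupdate run with no key at all
        "unknown_key": verify_update(signed, {}, now),             # master has no matching key block
        "wrong_secret": verify_update(signed, {"tsig-key.": b"other"}, now),
        "tampered": verify_update(tampered, keyring, now),
        "stale": verify_update(signed, keyring, now + 301),        # outside the 300 s fudge window
    }
```

Two things the example makes concrete. First, a TSIG key only protects an update if the packet that reaches the master carries the TSIG RR: the MAC covers the whole message, so the secondary cannot add, strip or alter anything while forwarding without the master seeing a BADSIG, and a packet that was never signed (the nsupdate run in the thread) fails before any key is even looked up. Second, the three failure reasons map to the TSIG error codes of RFC 2845 (BADKEY, BADTIME, BADSIG), which is why clock skew between client and server larger than the fudge value looks like a key problem in practice. hmac-md5 is used here only because it is what the poster's configuration specifies; current BIND releases also accept hmac-sha256 and the SHA-2 algorithms are the ones to configure today.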


