Nsupdate -l not using session.key
Kalman Feher
kalman.feher at melbourneit.com.au
Thu Jul 1 12:16:40 UTC 2010
I was obviously especially tired yesterday when I tested this.
Anyway, BIND was chroot'd and the user running nsupdate wasn't, so nsupdate -l was looking for the session key outside the chroot while named had written it inside.
(slaps forehead)
Problem solved.
On 30/06/10 6:07 PM, "Kal Feher" <kalman.feher at melbourneit.com.au> wrote:
>
>
>
> On 30/06/10 5:25 PM, "Alan Clegg" <aclegg at isc.org> wrote:
>
>> On 6/30/2010 11:13 AM, Kalman Feher wrote:
>>> While testing bind 9.7.1 features including automated signing and
>>> update-policy local, I encountered some strange behaviour using nsupdate -l.
>>>
>>> When using nsupdate -l I was not able to update the zone in question and the
>>> following error was generated:
>>> update-security: error: client 127.0.0.1#9292: view internal: update
>>> 'star/IN' denied
>>
>>> Any suggestions?
>>
>> Send your named.conf
> Named.conf:
>
> acl "xfer" {
>
> "none";
> };
> acl "trusted" {
> 127.0.0.0/8;
> ::1/128;
> 10.115.160.0/22;
> };
> options {
> directory "/var/bind";
> pid-file "/var/run/named/named.pid";
> bindkeys-file "/etc/bind/bind.keys";
> listen-on-v6 { none; };
> listen-on port 53 { any; };
> allow-query {
> trusted;
> };
> allow-query-cache {
> trusted;
> };
> allow-transfer {
> xfer;
> };
> dnssec-enable yes;
>
> };
> logging {
> channel default_log {
> file "/var/log/named/named.log" versions 5 size 50M;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel query_log {
> file "/var/log/named/query.log" versions 5 size 100M;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel dnssec_log {
> file "/var/log/named/dnssec.log" versions 5 size 100M;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel resolver_log {
> file "/var/log/named/resolver.log" versions 5 size 50M;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> category default { default_log; };
> category general { default_log; default_syslog; };
> category queries { query_log; };
> category dnssec { dnssec_log; };
> category resolver { resolver_log; };
> };
> include "/etc/bind/rndc.key";
> controls {
> inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys {
> "rndc-key"; };
> };
> view "internal" in {
> match-clients { trusted; };
> recursion yes;
> additional-from-auth yes;
> additional-from-cache yes;
>
> zone "." in {
> type hint;
> file "/var/bind/root.cache";
> };
> zone "localhost" IN {
> type master;
> file "pri/localhost.zone";
> allow-update { none; };
> notify no;
> allow-query { any; };
> allow-transfer { none; };
> };
>
> zone "127.in-addr.arpa" IN {
> type master;
> file "pri/127.zone";
> allow-update { none; };
> notify no;
> allow-query { any; };
> allow-transfer { none; };
> };
>
> zone "star" IN {
> type master;
> auto-dnssec maintain;
> update-policy local;
> dnssec-secure-to-insecure no;
> file "pri/star/star.zone.signed";
> key-directory "pri/star";
> notify no;
> allow-query { any; };
> allow-transfer { none; };
> };
> zone "COM" { type delegation-only; };
> zone "NET" { type delegation-only; };
> };
>
> view "public" in {
>
> match-clients { any; };
> recursion no;
> additional-from-auth no;
> additional-from-cache no;
>
> zone "." in {
> type hint;
> file "/var/bind/root.cache";
> };
>
> };
> view "chaos" chaos {
> match-clients { any; };
> allow-query { none; };
> zone "." {
> type hint;
> file "/dev/null"; };
> };
>
>>
>> AlanC
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
--
Kal Feher