Dynamic Update Policy.....
    Mark Andrews 
    marka at isc.org
       
    Sun Mar 31 04:50:34 UTC 2013
    
    
  
In message <8741727B99C1AE4488FA3A4CD77D7B6E06A6CAA2 at MX-DS0-HQ.minervanetworks.com>, Gary Greene writes:
> I'm trying to get bind to use ddns updates for our environment, however 
> I'm getting errors in the logs on the system that the host is being 
> denied from making the changes.
> 
> Currently, I'm only allowing certain hosts to update their records, as a 
> test.
> 
> The stanza for update-policy follows:
> 
>     zone "minervanetworks.com" {
>         type master;
>         notify yes;
>         update-policy {
>             grant ggreene-imac$@MINERVANETWORKS.COM ms-self * A;
>             grant cvallejo-w7-lt$@MINERVANETWORKS.COM ms-self * A;
>             grant cvallejo-test-w7-lt$@MINERVANETWORKS.COM ms-self * A;
>         };
>         file "/etc/named.d/minervanetworks.zone";
>         check-names ignore;
>     };
> 
> The error I see in the logs:
> Mar 28 15:57:29 ns1 named[11482]: client 10.5.1.11#52418: view internal: 
> update 'minervanetworks.com/IN' denied
> 
> The reverse zones work, as they are set up to allow dhcpd to make the 
> changes (and they work correctly), however the forward zone does not.
> 
> Any insight would be great. Thanks.
> 
> --
> Gary L. Greene, Jr.
> Sr. Systems Administrator
> IT Operations
> Minerva Networks, Inc.
> Cell: (650) 704-6633

My bet is that it is that the machines are trying to add AAAA records.
Allow both AAAA and A records and the updates should succeed.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
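
A check for the situation suggested in the reply above, as an added example that is not part of the original thread or of BIND itself: it parses `update-policy` grants in the four-field form used in the post and lists the identities that may update A records but not AAAA. The `example-host$` grant and the function names are constructed for illustration.

```python
import re

# Constructed sample: two grants from the post plus one hypothetical
# grant (example-host$) that already lists both record types.
SAMPLE = """
update-policy {
    grant ggreene-imac$@MINERVANETWORKS.COM ms-self * A;
    grant cvallejo-w7-lt$@MINERVANETWORKS.COM ms-self * A;
    grant example-host$@MINERVANETWORKS.COM ms-self * A AAAA;
};
"""

# Assumed form, as in the post: grant <identity> <ruletype> <name> [types...];
GRANT_RE = re.compile(
    r"^\s*grant\s+([^\s;]+)\s+([^\s;]+)\s+([^\s;]+)((?:\s+[^\s;]+)*)\s*;",
    re.M,
)

def parse_grants(text):
    """Return a list of (identity, ruletype, name, set_of_types)."""
    grants = []
    for ident, rule, name, types in GRANT_RE.findall(text):
        grants.append((ident, rule, name, {t.upper() for t in types.split()}))
    return grants

def a_only_grants(text):
    """Identities whose grant lists A but neither AAAA nor ANY.

    A grant with no type list is not reported, since it is not
    restricted to A alone.
    """
    return [ident for ident, _rule, _name, types in parse_grants(text)
            if "A" in types and not types & {"AAAA", "ANY"}]

if __name__ == "__main__":
    for ident in a_only_grants(SAMPLE):
        print(f"{ident}: A allowed, AAAA not allowed")
```
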