BIND rejecting key to update a zone

Mark E. Jeftovic markjr at
Sat Jun 2 16:35:45 UTC 2018

I'm sure this is something obvious I'm overlooking while I futz around
with setting up an RPZ (9.10.3-P4-Debian)

BIND config has:

key "dns-update" {
        algorithm HMAC-SHA512;
        secret "KEYREDACTED==";
};

zone "test.rpz." {
        type master;
        allow-transfer { key "dns-tsig"; };
        allow-update { key "dns-update"; };
        file "/etc/bind/zones/db.test.rpz";
};

Generated my key with:

dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -r /dev/urandom dns-update

Also, transfers work fine from another host using the dns-tsig key.

But updates are not working:

Whether I invoke nsupdate with:

nsupdate -y hmac-sha512:dns-update:KEYREDACTED==

nsupdate -k ./Kdns-update.+165+33140.private

Once I'm into nsupdate:

> server
> add some.test.rpz 60 a
> send
update failed: REFUSED

and in the logs:

Jun  1 20:19:34 rpz0 named[30999]: client
dns-update: signer "dns-update" denied
Jun  1 20:19:34 rpz0 named[30999]: client
dns-update: update 'test.rpz/IN' denied

What am I missing here?  


- mark

Mark E. Jeftovic <markjr at>
Co-founder & CEO, easyDNS Technologies Inc.
+1-(416)-535-8672 x 225
