BIND rejecting key to update a zone

Mark E. Jeftovic markjr at easydns.com
Sat Jun 2 16:35:45 UTC 2018


I'm sure this is something obvious I'm overlooking while I futz around
with setting up an RPZ (9.10.3-P4-Debian)

BIND config has:

key "dns-update" {
        algorithm HMAC-SHA512;
        secret "KEYREDACTED==";
};

and

zone "test.rpz." {
        type master;
        allow-transfer { key "dns-tsig"; };
        allow-update { key "dns-update"; };
        file "/etc/bind/zones/db.test.rpz";
};

Generated my key with:

dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -r /dev/urandom dns-update

Also, transfers work fine from another host using the dns-tsig key.

But updates are not working:

Whether I invoke nsupdate with:

nsupdate -y hmac-sha512:dns-update:KEYREDACTED==
or

nsupdate -k ./Kdns-update.+165+33140.private

Once I'm into nsupdate:

> server 127.0.0.1
> add some.test.rpz 60 a 1.1.1.1
> send
update failed: REFUSED
>                                   

and in the logs:

Jun  1 20:19:34 rpz0 named[30999]: client 127.0.0.1#64585/key
dns-update: signer "dns-update" denied
Jun  1 20:19:34 rpz0 named[30999]: client 127.0.0.1#64585/key
dns-update: update 'test.rpz/IN' denied

What am I missing here?  

Thx

- mark

-- 
Mark E. Jeftovic <markjr at easydns.com>
Co-founder & CEO, easyDNS Technologies Inc.
+1-(416)-535-8672 x 225



More information about the bind-users mailing list