BIND rejecting key to update a zone
Mark E. Jeftovic
markjr at easydns.com
Sat Jun 2 16:35:45 UTC 2018
I'm sure this is something obvious I'm overlooking while I futz around
with setting up an RPZ (9.10.3-P4-Debian)
BIND config has:
key "dns-update" {
algorithm HMAC-SHA512;
secret "KEYREDACTED==";
};
and
zone "test.rpz." {
type master;
allow-transfer { key "dns-tsig"; };
allow-update { key "dns-update"; };
file "/etc/bind/zones/db.test.rpz";
};
Generated my key with:
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -r /dev/urandom dns-update
Also, transfers work fine from another host using the dns-tsig key.
But updates are not working:
Whether I invoke nsupdate with:
nsupdate -y hmac-sha512:dns-update:KEYREDACTED==
or
nsupdate -k ./Kdns-update.+165+33140.private
Once I'm into nsupdate:
> server 127.0.0.1
> add some.test.rpz 60 a 1.1.1.1
> send
update failed: REFUSED
>
and in the logs:
Jun 1 20:19:34 rpz0 named[30999]: client 127.0.0.1#64585/key
dns-update: signer "dns-update" denied
Jun 1 20:19:34 rpz0 named[30999]: client 127.0.0.1#64585/key
dns-update: update 'test.rpz/IN' denied
What am I missing here?
Thx
- mark
--
Mark E. Jeftovic <markjr at easydns.com>
Co-founder & CEO, easyDNS Technologies Inc.
+1-(416)-535-8672 x 225
More information about the bind-users
mailing list