Bind9 forward/reverse zones with multiple TSIG keys

Grant Taylor gtaylor at tnetconsulting.net
Tue Jan 29 16:26:45 UTC 2019


On 01/29/2019 01:19 AM, ObNox wrote:
> Hi,

Hi ObNox,

> For that to work, I need to make sure every separated component works as 
> expected when configured separately.

Ah, yes.  The joys / perils of testing discrete units individually and 
then start plugging them together like Legos and making sure that things 
still work.

> Now, the trouble really begins :
> 
> 1/ I update the zones files to uncomment the "test" record and update 
> the serial number
> 
> 2/ I update "named.conf" to uncomment the "allow-update" statement using 
> "key-dhcp"
> 
> 3/ "named-checkconf" does not complain so "rndc reload"!
> 
> Problem : The syslog messages don't show the lines indicating that the 
> zones have been reloaded, here's an extract :
> 
>> 
> I was expecting the usual messages after a zone change, like previously:
> 
>> 
> So now, with the new "allow-update" statement, the zones are not 
> reloaded and this is confirmed by "dig" :
> 
>> 
> The new record "test.domain.tld" is not found and the serial is not the 
> new one!

I'm wondering if you're being bitten by something that got me years ago 
when I first started messing with dynamic zones that allowed updates.

In short, when dynamic updates are enabled, BIND will make changes to a 
journal file (which I think is binary).  You have to "freeze" and 
"flush" the zone to be able to make changes to the text file.

So I'm guessing that your change wasn't detected because you 
transitioned to dynamic updates ~> journal file at the same time (or 
apparently) before BIND loaded the new zone.  Thus the journal ~> BIND 
was using the old version of the zone file.

I've found that I do most of my zone administration via nsupdate on the 
DNS server using the local key & socket.

I only go through the "freeze" & "flush", edit, and "thaw" (& "sign" for 
DNSSEC) cycle when I have more (complex) edits than I want to make via 
nsupdate.  (I've also wrapped nsupdate with rlwrap so that I have some 
(readline) history and better nsupdate command line editing.)

> I've tested dozens of combinations with both "allow-transfer" and 
> "allow-update" by putting them at the "view" level, "options" level, 
> "global" level, etc. and nothing changed.

If BIND did do what I'm thinking, then your edits were functionally 
lost.  (Technically they may still be in the text file.)

> So for now I'm lost and I need an expert's PoV to point what I'm doing 
> wrong and/or what I missed!

I'm far from an expert.  But hopefully you can benefit from my toe 
stubbing / razor cuts.

> Thank you for any useful clue.

Good luck.



-- 
Grant. . . .
unix || die
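The two approaches Grant's reply describes, nsupdate over the local session key and the freeze / edit / check / thaw cycle for hand edits, as an added shell example (not code from the thread or from ISC). It assumes the zone name domain.tld from the thread; the RNDC, NSUPDATE and CHECKZONE variables are hypothetical overrides so the functions can be dry-run with stubs.

```shell
#!/bin/sh
# Added example (not from the thread): the two ways the reply describes
# for changing a zone that has allow-update enabled. Assumes the zone
# name "domain.tld" from the thread. RNDC/NSUPDATE/CHECKZONE are
# hypothetical overrides so the functions can be exercised with stubs.
RNDC="${RNDC:-rndc}"
NSUPDATE="${NSUPDATE:-nsupdate}"
CHECKZONE="${CHECKZONE:-named-checkzone}"

# Build an nsupdate batch adding one A record. BIND bumps the SOA serial
# itself for dynamic updates, so no manual serial edit is needed here.
build_nsupdate_script() {
  zone=$1; name=$2; ttl=$3; addr=$4
  printf 'zone %s\nupdate add %s.%s %s A %s\nsend\n' \
    "$zone" "$name" "$zone" "$ttl" "$addr"
}

# Apply the batch on the server itself with the local session key
# (nsupdate -l), so no TSIG key file has to be handed around.
nsupdate_local() {
  build_nsupdate_script "$@" | "$NSUPDATE" -l
}

# Freeze -> edit -> check -> thaw, for edits too big for nsupdate.
# "rndc freeze" syncs pending journal changes into the text file and
# suspends dynamic updates, so the hand edit is not overwritten by the
# journal; "rndc thaw" reloads the file and resumes updates. The editor
# command (anything that takes the zone file as its last argument) is
# passed as the remaining arguments. Bump the SOA serial in the editor,
# or secondaries will not pick the change up.
edit_frozen_zone() {
  zone=$1; zonefile=$2; shift 2
  "$RNDC" freeze "$zone" || return 1
  if ! "$@" "$zonefile" || ! "$CHECKZONE" -q "$zone" "$zonefile"; then
    "$RNDC" thaw "$zone"      # always thaw, even after a failed edit
    return 1
  fi
  "$RNDC" thaw "$zone"
}
```

On a real server the zone file path is whatever the `file` statement in named.conf names; a failed named-checkzone leaves the frozen copy untouched and thaws, so a syntax slip does not take the zone down.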
