Dynamic update rejected within a view

Per Weisteen perw at compute-it.no
Thu Jul 16 07:56:58 UTC 2020


On 14.07.2020 18:11, Zhiyong Cheng wrote:
> On 14 Jul 2020 at 9:06 PM +0800, Per Weisteen <perw at compute-it.no> wrote:
>> Hi
>>
>> I've a BIND setup with my ISP with two views, one external and one 
>> internal. At the same time I also need to be able to do a dynamic 
>> update from some addresses within the internal range. This worked ok 
>> before I had to define my two views.
>>
>> I'd be very grateful if someone could suggest what I'm doing wrong. 
>> My ISP is running BIND 9.11.4.
>>
>> Due to the ISP's need to have control over the BIND setup, I'm just 
>> allowed to add my config via include files.
>>
>>
>> Zones.mydomains.config file contains:
>>
>>   include "keys/mydomains-keys.conf";
>>   include "keys/zone1-keys.conf";
>>   include "keys/zone2-keys.conf";
>>
>>   acl external { 10.222.33.0/18; 10.222.44.0/18; };
>>   acl internal { 10.11.0.0/16; 10.12.0.0/16; };
>>
>>   //////
>>   // zone1 and zone2 keys used to ensure correct zone transfer from slave
>>   //////
>>
>>   view "external-sites" {
>>       match-clients { !key zone2.key; key zone1.key; external; };
>>
>>       zone "aa.example.net" {
>>           type master;
>>           file "zones.master/aa-view1.example.net";
>>           notify explicit;
>>           also-notify { 10.12.143.56 key zone1.key; };
>>           update-policy {
>>               grant "ext-update.key." name web.aa.example.net. CNAME;
>>           };
>>       };
>>
>>       include "zones.common.config.view1";
>>   }; // End view "external-sites"
>>
>>   view "internal-sites" {
>>       match-clients { !key zone1.key; key zone2.key; internal; localhost; };
>>
>>       zone "aa.example.net" {
>>           type master;
>>           file "zones.master/aa-view2.example.net";
>>           notify explicit;
>>           also-notify { 10.12.143.56 key zone2.key; };
>>           update-policy {
>>               grant "int-update.key." name web.aa.example.net. CNAME;
>>           };
>>       };
>>
>>       include "zones.common.config.view2";
>>   }; // End view "internal-sites"
>>
>>   view "default" {
>>       match-clients { any; };
>>       include "zones.common.config.view2";
>>   }; // End view "default"
>>
>> mydomains-keys.conf file contains:
>>
>>   key ext-update.key. {
>>       algorithm HMAC-SHA512;
>>       secret "secret2";
>>   };
>>
>>   key int-update.key. {
>>       algorithm HMAC-SHA512;
>>       secret "secret3";
>>   };
>>
>> Error message in /var/log/named/named.log is:
>>
>>
>> 10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
>>
>> 10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
>>
>
> It seems that you have used a key named arc-zone2.key for updating, but 
> only allow int-update.key for updating in the configuration?
>
>> --
>> Best regards,
>> Per Weisteen
>>
>>
>
> Zhiyong Cheng


Hi

I've managed to paste the wrong error messages. The correct ones were:

10-Jul-2020 13:21:24.571 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:21:24.759 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)


I'll try Mark's suggestion.

Per W.
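An added example, not from this thread and not BIND's own code: a small Python model of how named evaluates an update-policy, so one can see which (signing key, owner name, RR type) combinations the internal-sites grant quoted above actually permits, and a parser for the "rejected by secure update" log line so refusals can be correlated with the policy. The grant and the log line are the ones posted in the thread; the sample updates are constructed. The model implements BIND's first-match grant/deny semantics for the name, subdomain and self nametypes only (it also handles rules with no type list, which BIND treats as every type except RRSIG, NS, SOA, NSEC and NSEC3); other nametypes make the parser raise.

```python
"""Model BIND 9 update-policy evaluation and parse named's
'update failed: rejected by secure update' log lines.

Added example, not code from the bind-users thread or from BIND.  Only the
'name', 'subdomain' and 'self' nametypes are modelled; the sample updates
are constructed, the policy text and log line are copied from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# A rule that lists no RR types matches every type except these five.
IMPLICIT_EXCLUDED = frozenset({"RRSIG", "NS", "SOA", "NSEC", "NSEC3"})

RULE_RE = re.compile(
    r'\b(grant|deny)\s+"?([^"\s;]+)"?\s+(name|subdomain|self)\s+'
    r'"?([^"\s;]+)"?\s*([^;]*);'
)

# One named.log update-failure line, as logged (the mail shows it wrapped).
LOG_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"/key (?P<key>\S+): view (?P<view>\S+): updating zone '(?P<zone>[^']+)': "
    r"update failed: (?P<reason>.+?) \((?P<rcode>\w+)\)"
)


def canon(name: str) -> str:
    """Lower-case and make absolute; BIND compares names case-insensitively."""
    n = name.lower()
    return n if n.endswith(".") else n + "."


@dataclass(frozen=True)
class Rule:
    action: str            # "grant" or "deny"
    identity: str          # TSIG key that signed the update, or "*"
    nametype: str          # "name", "subdomain" or "self"
    name: str              # name field, canonicalised
    types: FrozenSet[str]  # explicit RR types; empty means the implicit set


def parse_update_policy(text: str) -> List[Rule]:
    """Extract grant/deny rules in order; order matters for first-match."""
    rules = []
    for action, identity, nametype, name, types in RULE_RE.findall(text):
        rules.append(Rule(action, identity if identity == "*" else canon(identity),
                          nametype, canon(name),
                          frozenset(t.upper() for t in types.split())))
    if len(rules) != len(re.findall(r"\b(?:grant|deny)\b", text)):
        raise ValueError("update-policy uses a nametype this model does not handle")
    return rules


def rule_matches(rule: Rule, key: str, name: str, rtype: str) -> bool:
    if rule.identity != "*" and rule.identity != canon(key):
        return False
    name = canon(name)
    if rule.nametype == "name" and name != rule.name:
        return False
    if rule.nametype == "subdomain" and not (
        rule.name == "." or name == rule.name or name.endswith("." + rule.name)
    ):
        return False
    if rule.nametype == "self" and name != canon(key):
        return False
    rtype = rtype.upper()
    return rtype in rule.types if rule.types else rtype not in IMPLICIT_EXCLUDED


def check_update(rules: List[Rule], key: str, name: str, rtype: str) -> bool:
    """True if named would apply the update.  The first matching rule decides;
    an update that no rule matches is what named logs as REFUSED."""
    for rule in rules:
        if rule_matches(rule, key, name, rtype):
            return rule.action == "grant"
    return False


def parse_update_failure(line: str) -> Optional[Dict[str, str]]:
    """Pull client, TSIG key, view and zone out of a named.log refusal line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


# The internal-sites grant from the thread.
INTERNAL_POLICY = """
update-policy {
    grant "int-update.key." name web.aa.example.net. CNAME;
};
"""

# The log line from the thread, re-joined onto one line.
LOG_LINE = (
    "10-Jul-2020 13:21:24.571 update: info: client @0x7f09500f432c "
    "10.11.131.23#5175/key int-update.key: view internal-sites: updating zone "
    "'aa.example.net/IN': update failed: rejected by secure update (REFUSED)"
)

# Constructed updates: (signing key, owner name, RR type).
SAMPLE_UPDATES = [
    ("int-update.key.", "web.aa.example.net.", "CNAME"),  # granted
    ("int-update.key.", "web.aa.example.net.", "A"),      # type not in the grant
    ("int-update.key.", "www.aa.example.net.", "CNAME"),  # name differs
    ("ext-update.key.", "web.aa.example.net.", "CNAME"),  # wrong key for this view
]

if __name__ == "__main__":
    rules = parse_update_policy(INTERNAL_POLICY)
    for key, name, rtype in SAMPLE_UPDATES:
        verdict = "granted" if check_update(rules, key, name, rtype) else "REFUSED"
        print(f"{key:18} {name:22} {rtype:6} -> {verdict}")
    print(parse_update_failure(LOG_LINE))
```

Run stand-alone, it lists the four constructed updates with their verdicts and prints the fields parsed out of the posted log line. The useful point for the thread's situation is the third argument: under a grant that names only CNAME, an update of any other type at web.aa.example.net., or a CNAME at any other name, is refused even though the key and view are right.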