Debugging TSIG signed nsupdate problems - Specifically a logging question
Erik Edwards
erik at emedwards.info
Wed May 29 02:14:05 UTC 2024
In the dnssec.log file I only found references to normal key rotation.
Adding the section for update_security and running at trace 99 didn't
provide _any_ update_security log output, nor did it provide any extra
output to the update log.
Even when running in single combined log format I couldn't find any
messages beyond "REFUSED".
It looks like the logging in the update section requires some directive
I have been unable to figure out.
I did find the issue with the updates; it was a typo in the object that
was allowed to be updated.
Not the A nor the AAAA part, but the named object in the policy had a typo in
the domain portion.
My entries in the update-policy section are in the form: grant <key>
<type> <object>.<domain>.<tld>. <allowed resource(s)>;
No clue why it appeared to be working before.
Would be really nice to have some kind of log message, perhaps like
"named object not listed in policy for <key>".
-Erik
On 5/28/24 12:48 AM, Crist Clark wrote:
> Have you looked in the "dnssec" logs? That may contain info about TSIG
> processing.
>
> Also, I didn't see the "update-security" category in your shared
> configuration.
>
> Not sure those have what you are looking for. You did look at the
> descriptions of all of the categories?
>
> https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-category
>
>
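The failure described in this thread, a `grant ... name <fqdn> ...` rule whose owner name is misspelled so that every signed update is answered with REFUSED and nothing useful is logged, can be reproduced offline with a small checker. The following script is an added example, not code from the thread or from BIND itself; it parses `grant`/`deny` lines of the `name` and `subdomain` nametypes from a constructed named.conf fragment (the key names, zone and typo are made up), evaluates a proposed update the way BIND does (first matching rule wins), and, when the update would be refused, reports which rule for that key came closest and why it did not match. It is a simplified model that ignores the other nametypes (`self`, `zonesub`, `wildcard`, and so on), so it is a pre-deployment sanity check on a policy, not a substitute for named's own evaluation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed named.conf fragment (not from the original post). The first
# grant carries a typo in the domain portion, as the thread describes.
NAMED_CONF = """
zone "example.net" {
    type primary;
    file "example.net.db";
    update-policy {
        grant host1-key name host1.exmaple.net. A AAAA;
        grant host2-key name host2.example.net. A AAAA;
        grant ops-key subdomain dyn.example.net. ANY;
    };
};
"""


@dataclass(frozen=True)
class Rule:
    action: str            # "grant" or "deny"
    identity: str          # TSIG key name, lower-cased with a trailing dot
    nametype: str          # "name" or "subdomain" (the only kinds modelled here)
    name: str              # owner name the rule applies to, normalised
    types: frozenset[str]  # permitted RR types; empty set means any type


# grant|deny <identity> name|subdomain <name> [<types>];
RULE_RE = re.compile(
    r"^\s*(grant|deny)\s+(\S+)\s+(name|subdomain)\s+(\S+)\s*([^;]*);", re.M
)


def fqdn(s: str) -> str:
    """Normalise a DNS name the way comparisons need it: lower case, one trailing dot."""
    return s.lower().rstrip(".") + "."


def parse_update_policy(conf: str) -> list[Rule]:
    """Extract the name/subdomain rules, in file order, from a named.conf text."""
    rules = []
    for action, identity, nametype, name, types in RULE_RE.findall(conf):
        tset = frozenset(t.upper() for t in types.split())
        if "ANY" in tset:          # ANY (or no type list) means every type
            tset = frozenset()
        rules.append(Rule(action, fqdn(identity), nametype, fqdn(name), tset))
    return rules


def name_matches(rule: Rule, owner: str) -> bool:
    if rule.nametype == "name":
        return owner == rule.name
    # subdomain: the name itself or anything below it
    return owner == rule.name or owner.endswith("." + rule.name)


def check_update(rules: list[Rule], key: str, owner: str, rrtype: str) -> tuple[bool, str]:
    """First-match evaluation: the first rule whose identity, name and type all
    match decides; with no match the update is refused."""
    key, owner, rrtype = fqdn(key), fqdn(owner), rrtype.upper()
    for i, r in enumerate(rules):
        if r.identity != key or not name_matches(r, owner):
            continue
        if r.types and rrtype not in r.types:
            continue
        verdict = r.action == "grant"
        return verdict, f"rule {i}: {r.action} {r.identity} {r.nametype} {r.name}"
    return False, f"no rule for key {key} covers {owner} {rrtype}: REFUSED"


def explain_refusal(rules: list[Rule], key: str, owner: str, rrtype: str) -> list[str]:
    """The message the thread wishes named would log: for every rule naming this
    key, say which field (name or type) kept it from matching."""
    key, owner, rrtype = fqdn(key), fqdn(owner), rrtype.upper()
    reasons = []
    for i, r in enumerate(rules):
        if r.identity != key:
            continue
        if not name_matches(r, owner):
            reasons.append(f"rule {i}: {r.nametype} {r.name} does not cover {owner}")
        elif r.types and rrtype not in r.types:
            reasons.append(f"rule {i}: type {rrtype} not in {sorted(r.types)}")
    if not reasons:
        reasons.append(f"no update-policy rule names key {key} at all")
    return reasons


if __name__ == "__main__":
    policy = parse_update_policy(NAMED_CONF)
    # The update the operator actually sends, against the misspelled grant.
    ok, why = check_update(policy, "host1-key", "host1.example.net", "A")
    print("allowed" if ok else "refused", "-", why)
    if not ok:
        for line in explain_refusal(policy, "host1-key", "host1.example.net", "A"):
            print("  ", line)
```

Run it as-is and the first update is refused with the explanation that rule 0's name `host1.exmaple.net.` does not cover `host1.example.net.`, which is exactly the diagnosis that took the thread a day to reach from a bare REFUSED.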