<div dir="ltr"><div dir="ltr"><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 13, 2020 at 3:20 AM Pete Fry <<a href="mailto:cadel2010@googlemail.com">cadel2010@googlemail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Bob<div>thanks for the reply and the correction ( the acl dones't have a ! it was a cut and paste error when i was trying to remove some information.</div><div><br></div><div>the TSIG works when from other linux machine via nsupdate etc, however i'm trying to figure out how to get the windows machines to do the same and was trying to follow this</div><div><br></div><div><code><span>http</span>://<span>serverfault</span>.<span>com</span>/<span>questions</span>/<span>376578</span>/<span>bind9</span>-<span>combining</span>-<span>key</span>-<span>and</span>-<span>acl</span>-<span>for</span>-<span>allow</span>-<span>update</span></code> </div><div><br></div><div>Regards</div><div><br></div><div>Pete </div></div></blockquote><div><br></div><div><br></div><div>Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG, not regular TSIG. Not sure how or if that can be solved.</div><div><br></div><div>-- </div><div>Bob Harold</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 12 May 2020 at 13:40, Bob Harold <<a href="mailto:rharolde@umich.edu" target="_blank">rharolde@umich.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">All<div><br></div><div>I've inherited a BIND environment and i'm trying to understand a few things as currently we are experiences an issue related to DDNS.</div><div><br></div><div>we have </div><div><br></div><div>site 1</div><div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">hostA</div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">site 2</div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">hostB</div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">We have a HArecord, and we want HostA or HostB to be able to update the HArecord (i.e. failover cluster type configuration)</div></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">config:</div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">Zone file:</div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">zone "TEST" {<br> check-names ignore;<br> type master;<br> file "/var/named/dynamic/TEST";<br> allow-update {<br> auth-dns;<br> dynamic-TEST;<br> };<br>};<br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">lists.conf</div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">acl dynamic-update-ads { <br> 192.168.2.1 // hostA<br> 192.168.5.1 // hostB <br> dynamic-TEST-tsig; <br>};<br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">acl dynamic-TEST-tsig {<br> // any host which is not..<br> !{<br> // not in the new acls<br> !dynamic-test-site1;<br> !dynamic-test-site2;<br> any;<br> };<br> // but has the key<br> key TEST-key;<br>};<br></div></div></blockquote><div><br></div><div>For testing purposes, start with a simpler acl, like:<br></div><div><br></div><div>acl dynamic-TEST-tsig {<br></div><div> key TEST-key;<br>};<br></div><div><br></div><div>And see if that works.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br>acl !dynamic-test-site1 {<br> <a href="http://192.168.2.1/32" target="_blank">192.168.2.1/32</a>; // HostA<br>};<br><br>acl !dynamic-test-site2 {<br> <a href="http://192.168.5.1/32" target="_blank">192.168.5.1/32</a>; // HostB<br>};<br></div><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><pre lang="conf"><span id="gmail-m_1799513623007707470gmail-m_-4701656668234550113gmail-m_2062855817749687786gmail-LC155" lang="conf"></span></pre></div></div></blockquote><div><br></div><div>"acl !" seems wrong to me. Is that a legal syntax? And if so, what does it mean?</div><div><br></div><div>-- </div><div>Bob Harold</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="box-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><pre lang="conf"></pre><pre lang="conf">however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?</pre><pre lang="conf">happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank</pre><pre lang="conf">Regards</pre><pre lang="conf">Cade</pre></div></div></blockquote><div> </div></div></div>
</blockquote></div>
</blockquote></div></div>