<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Include the update keys in the view selection. <br><br><div dir="ltr">-- <div>Mark Andrews</div></div><div dir="ltr"><br><blockquote type="cite">On 14 Jul 2020, at 23:06, Per Weisteen &lt;perw@compute-it.no&gt; wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
Hi<br>
<br>
I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic
update from some addresses within the internal range. This worked ok
before I had to define my two views. <br>
<br>
I'd be very grateful if someone could suggest what I'm doing wrong.
My ISP is running BIND 9.11.4.<br>
<br>
Due to the ISP's need to have control over the BIND setup I'm just
allowed to add my config via include files.<br>
<br>
<br>
<p class="MsoNormal"><span lang="EN-US">Zones.mydomains.config file
contains:<br>
</span></p>
<pre>
include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////
// zone1 and zone2 keys used to ensure correct zone transfer from slave
//////

view "external-sites" {
    match-clients { !key zone2.key; key zone1.key; external; };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view1.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone1.key; };
        update-policy {
            grant "ext-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view1";

}; // End view "external-sites"

view "internal-sites" {
    match-clients { !key zone1.key; key zone2.key; internal; localhost; };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view2.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone2.key; };
        update-policy {
            grant "int-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view2";

}; // End view "grus-zone2"

view "default" {
    match-clients { any; };

    include "zones.common.config.view2";

}; // End view "default"
</pre>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal">mydomains-keys.conf file contains:</p>
<p class="MsoNormal"> </p>
<pre>
key ext-update.key. {
    algorithm HMAC-SHA512;
    secret "secret2";
};

key int-update.key. {
    algorithm HMAC-SHA512;
    secret "secret3";
};
</pre>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Error message in
/var/log/named/named.log is:<br>
</span></p>
<p class="MsoNormal"><br>
</p>
<pre>
10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
</pre>
<p class="MsoNormal"><font face="Courier New"><span lang="EN-US"> </span></font></p>
<p class="MsoNormal"><span lang="EN-US"></span></p>
<p class="MsoNormal"><span lang="EN-US"><br>
</span></p>
<pre class="moz-signature" cols="72">--
Best regards,
Per Weisteen
</pre>
</div></blockquote></body></html>
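The reply's advice, worked through as an added example (not code from BIND or from either poster): a simplified Python model of how named picks a view, trying each `match-clients` list in order with first-match ACL semantics and `!` as a reject. `acl_match`, `select_view`, `norm` and the `FIXED` layout are hypothetical names and one assumed reading of "include the update keys in the view selection"; `localhost` is narrowed to 127.0.0.1. With the posted lists, an update signed with `int-update.key.` from the logged address lands in "default"; with the update keys added, it is steered to "internal-sites".

```python
import ipaddress

# Address lists from the posted config; "localhost" is narrowed to 127.0.0.1 here.
ACLS = {
    "external": ["10.222.33.0/18", "10.222.44.0/18"],
    "internal": ["10.11.0.0/16", "10.12.0.0/16"],
    "localhost": ["127.0.0.1/32"],
    "any": ["0.0.0.0/0"],
}

def norm(key_name):
    """Key names are DNS names: ignore case and the trailing dot."""
    return key_name.rstrip(".").lower()

def acl_match(elements, addr, tsig_key):
    """The first element that matches decides; '!' turns that match into a reject."""
    ip = ipaddress.ip_address(addr)
    for el in elements:
        negate, el = el.startswith("!"), el.lstrip("!").strip()
        if el.startswith("key "):
            hit = tsig_key is not None and norm(tsig_key) == norm(el[4:].strip())
        else:  # strict=False because the posted prefixes have host bits set
            hit = any(ip in ipaddress.ip_network(n, strict=False) for n in ACLS[el])
        if hit:
            return not negate
    return False

def select_view(views, addr, tsig_key=None):
    """Views are tried in order; the first whose match-clients accepts is used."""
    for name, match_clients in views:
        if acl_match(match_clients, addr, tsig_key):
            return name
    return None

POSTED = [  # match-clients exactly as in the question
    ("external-sites", ["!key zone2.key", "key zone1.key", "external"]),
    ("internal-sites", ["!key zone1.key", "key zone2.key", "internal", "localhost"]),
    ("default", ["any"]),
]
FIXED = [  # assumed reading of the reply: each view also selects on its update key
    ("external-sites", ["!key zone2.key", "!key int-update.key.", "key zone1.key",
                        "key ext-update.key.", "external"]),
    ("internal-sites", ["!key zone1.key", "!key ext-update.key.", "key zone2.key",
                        "key int-update.key.", "internal", "localhost"]),
    ("default", ["any"]),
]
CLIENT = "10.124.15.148"  # source address from the posted log

if __name__ == "__main__":
    for label, views in (("posted", POSTED), ("fixed", FIXED)):
        print(label, select_view(views, CLIENT, "int-update.key."))
```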