<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    On 14.07.2020 18:11, Zhiyong Cheng wrote:<br>
    <blockquote type="cite"
      cite="mid:2324a085-c5c1-46d7-8831-f07453e15b35@Spark">
      <div name="messageReplySection">On 14 July 2020 at 9:06 PM +0800, Per
        Weisteen <a class="moz-txt-link-rfc2396E" href="mailto:perw@compute-it.no">&lt;perw@compute-it.no&gt;</a> wrote:<br>
        <blockquote type="cite" style="border-left-color:#1abc9c;
          margin:5px 5px; padding-left:10px; border-left-width:thin;
          border-left-style:solid;">Hi<br>
          <br>
          I've a BIND setup with my ISP with two views, one external and
          one internal. At the same time I also need to be able to do a
          dynamic update from some addresses within the internal range.
          This worked ok before I had to define my two views.<br>
          <br>
          I'd be very grateful if someone could suggest what I'm doing
          wrong. My ISP is running BIND 9.11.4.<br>
          <br>
           Due to the ISPs need to have control over the BIND setup I'm
          just allowed to add my config via include files.<br>
          <br>
           <br>
          <p class="MsoNormal"><span xml:lang="EN-US" lang="EN-US">Zones.mydomains.config
              file contains:<br>
            </span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">include
              "keys/mydomains-keys.conf";</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">include
              "keys/zone1-keys.conf";</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">include
              "keys/zone2-keys.conf";</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">acl external {
              10.222.33.0/18; 10.222.44.0/18; };</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">acl internal {
              10.11.0.0/16; 10.12.0.0/16; };</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">//////</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">// zone1 and
              zone2 keys used to ensure correct zone transfer from slave</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">//////</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">view
              "external-sites" {</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">match-clients {
              !key zone2.key; key zone1.key; external; };</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span> <span
              style="font-size:11.0pt;font-family:"Courier
              New"">zone "aa.example.net" {</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"">type master;</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">file
              "zones.master/aa-view1.example.net";</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">notify explicit;</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">also-notify {
              10.12.143.56 key zone1.key; };</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">update-policy {</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">grant
              "ext-update.key." name web.aa.example.net. CNAME;</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">};</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">};</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">include
              "zones.common.config.view1";</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">}; // End view
              "external-sites"</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">view
              "internal-sites" {</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">match-clients {
              !key zone1.key; key zone2.key; internal; localhost; };</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">zone
              "aa.example.net" {</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">type master;</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">file
              "zones.master/aa-view2.example.net";</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">notify explicit;</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">also-notify {
              10.12.143.56 key zone2.key; };</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">update-policy {</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">grant
              "int-update.key." name web.aa.example.net. CNAME;</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">};</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">};</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">include
              "zones.common.config.view2";</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">}; // End view
              "grus-zone2"</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">view "default" {</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">match-clients {
              any; };</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US">include
              "zones.common.config.view2";</span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"" xml:lang="EN-US" lang="EN-US"></span></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><span
              style="font-size:11.0pt;font-family:"Courier
              New"">}; // End view "default"</span></p>
          <p class="MsoNormal"><span xml:lang="EN-US" lang="EN-US"></span></p>
          <p class="MsoNormal">mydomains-keys.conf file contains:</p>
          <p style="margin:0cm;margin-bottom:.0001pt"><font size="-2"
              face="Courier New"><span style="font-size: 11pt;"
                xml:lang="EN-US" lang="EN-US">key ext-update.key. {</span></font></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><font size="-2"
              face="Courier New"><span style="font-size: 11pt;"
                xml:lang="EN-US" lang="EN-US">algorithm HMAC-SHA512;</span></font></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><font size="-2"
              face="Courier New"><span style="font-size: 11pt;"
                xml:lang="EN-US" lang="EN-US">secret "secret2";</span></font></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><font size="-2"
              face="Courier New"><span style="font-size: 11pt;"
                xml:lang="EN-US" lang="EN-US">};</span></font></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><font size="-2"
              face="Courier New"><span style="font-size: 11pt;"
                xml:lang="EN-US" lang="EN-US"></span></font></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><font size="-2"
              face="Courier New"><span style="font-size: 11pt;"
                xml:lang="EN-US" lang="EN-US">key int-update.key. {</span></font></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><font size="-2"
              face="Courier New"><span style="font-size: 11pt;"
                xml:lang="EN-US" lang="EN-US">algorithm HMAC-SHA512;</span></font></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><font size="-2"
              face="Courier New"><span style="font-size: 11pt;"
                xml:lang="EN-US" lang="EN-US">secret "secret3";</span></font></p>
          <p style="margin:0cm;margin-bottom:.0001pt"><font size="-2"
              face="Courier New"><span style="font-size: 11pt;"
                xml:lang="EN-US" lang="EN-US">};</span></font></p>
          <p class="MsoNormal"><span xml:lang="EN-US" lang="EN-US"></span></p>
          <p class="MsoNormal"><span xml:lang="EN-US" lang="EN-US">Error
              message in /var/log/named/named.log is:<br>
            </span></p>
          <p class="MsoNormal"><br>
          </p>
          <p class="MsoNormal"><font face="Courier New"><span
                xml:lang="EN-US" lang="EN-US">10-Jul-2020 13:27:14.695
                update: info: client @0x7f0a200a9b30
                10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
                updating zone 'pacs.telenor.net/IN': update failed:
                rejected by secure update (REFUSED)</span></font></p>
          <p class="MsoNormal"><font face="Courier New"><span
                xml:lang="EN-US" lang="EN-US">10-Jul-2020 13:28:13.883
                update: info: client @0x7f0a200a9b30
                10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
                updating zone 'pacs.telenor.net/IN': update failed:
                rejected by secure update (REFUSED)</span></font></p>
          <p class="MsoNormal"><font face="Courier New"><span
                xml:lang="EN-US" lang="EN-US"></span></font></p>
          <p class="MsoNormal"><span xml:lang="EN-US" lang="EN-US"></span></p>
          <p class="MsoNormal"><span xml:lang="EN-US" lang="EN-US">  </span></p>
        </blockquote>
        <div><br>
        </div>
        <div>It seems that you have used a key named arc-zone2.key for
          updating but only </div>
        <div>allow int-update.key for updating in configuration?</div>
        <div><br>
        </div>
        <blockquote type="cite" style="border-left-color:#1abc9c;
          margin:5px 5px; padding-left:10px; border-left-width:thin;
          border-left-style:solid;">
          <pre class="moz-signature" cols="72">--  
Best regards,
Per Weisteen


</pre>
          bind-users mailing list<br>
          <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
          <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> <br>
        </blockquote>
        <br>
        <div>Zhiyong Cheng</div>
      </div>
    </blockquote>
    <br>
    <br>
    Hi <br>
    <br>
    I've managed to paste the wrong error messages. The correct ones were:<br>
    <br>
    <p class="MsoNormal"><font face="Courier New"><span lang="EN-US">10-Jul-2020
          13:21:24.571 update: info: client @0x7f09500f432c
          10.11.131.23#5175/key int-update.key: view internal-sites:
          updating zone 'aa.example.net/IN': update failed: rejected by
          secure update (REFUSED)</span></font></p>
    <font face="Courier New">
    </font><span lang="EN-US"><font face="Courier New">10-Jul-2020
        13:21:24.759 update: info: client @0x7f09500f432c
        10.11.131.23#5175/key int-update.key: view internal-sites:
        updating zone 'aa.example.net/IN': update failed: rejected by
        secure update (REFUSED)<br>
      </font><br>
      <br>
    </span>I'll try Mark's suggestion.<br>
    <br>
    Per W.<br>
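    <br>
    An added example, not part of the thread and not BIND's own code: a small Python triage script that reads "rejected by secure update" log lines and checks whether the signing key has any grant in the update-policy of the view and zone named in the log line. The configuration skeleton and the two log lines are copied from the messages above; the function names are hypothetical, and identities are compared by exact name only.<br>

```python
import re

# Skeleton of the views from the post (zone files, notify and ACLs omitted).
CONF = '''
view "external-sites" {
  zone "aa.example.net" {
    update-policy { grant "ext-update.key." name web.aa.example.net. CNAME; };
  };
}; // End view "external-sites"
view "internal-sites" {
  zone "aa.example.net" {
    update-policy { grant "int-update.key." name web.aa.example.net. CNAME; };
  };
};
'''

# The two log lines quoted in the thread.
LOG = [
    "10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 "
    "10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone "
    "'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)",
    "10-Jul-2020 13:21:24.571 update: info: client @0x7f09500f432c "
    "10.11.131.23#5175/key int-update.key: view internal-sites: updating zone "
    "'aa.example.net/IN': update failed: rejected by secure update (REFUSED)",
]

TOKEN = re.compile(
    r'view\s+"([^"]+)"|zone\s+"([^"]+)"|grant\s+"?([^\s";]+)"?\s+([^;]+);')
REFUSED = re.compile(r"/key (\S+): view (\S+): updating zone '([^/']+)/\w+': "
                     r"update failed: rejected by secure update")

def parse_grants(conf):
    """Map (view, zone) -> [(key, ruletype, [rest...])] from update-policy grants."""
    conf = re.sub(r"//.*", "", conf)  # drop // comments so they cannot match
    grants, view, zone = {}, None, None
    for m in TOKEN.finditer(conf):
        if m.group(1):
            view = m.group(1)
        elif m.group(2):
            zone = m.group(2).rstrip(".").lower()
        else:
            key = m.group(3).rstrip(".").lower()  # key names are DNS names
            ruletype, *rest = m.group(4).split()
            grants.setdefault((view, zone), []).append((key, ruletype, rest))
    return grants

def triage(line, grants):
    """Classify one refused update: has the key any grant in that view and zone?"""
    m = REFUSED.search(line)
    if not m:
        return None
    key, view, zone = m.group(1).rstrip(".").lower(), m.group(2), m.group(3).lower()
    rules = [g for g in grants.get((view, zone), []) if g[0] == key]
    return ("granted" if rules else "no-grant", key, view, zone, rules)
```

    A "no-grant" result is the mismatch Zhiyong points out for the first log line. A "granted" result means some rule names the key, so the rule's name and record types are what to compare against the update that was actually sent.<br>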
  </body>
</html>