Forum: >>> Magnum BBS <<<

Dynamic update rejected within a view

From Per Weisteen@21:1/5 to All on Tue Jul 14 15:05:45 2020

This is a multi-part message in MIME format.
Hi

I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic update
from some addresses within the internal range. This worked ok before I
had to define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong. My
ISP is running BIND 9.11.4.

Due to the ISPs need to have control over the BIND setup I'm just
allowed to add my config via include files.

Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";

include "keys/zone1-keys.conf";

include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };

acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////

// zone1 and zone2 keys used to ensure correct zone transfer from slave

//////

view "external-sites" {

 match-clients { !key zone2.key; key zone1.key; external; };

zone "aa.example.net" {

type master;

 file "zones.master/aa-view1.example.net";

 notify explicit;

 also-notify { 10.12.143.56 key zone1.key; };

 update-policy {

 grant "ext-update.key." name web.aa.example.net. CNAME;

 };

 };

 include "zones.common.config.view1";

}; // End view "external-sites"

view "internal-sites" {

 match-clients { !key zone1.key; key zone2.key; internal; localhost; };

 zone "aa.example.net" {

 type master;

 file "zones.master/aa-view2.example.net";

 notify explicit;

 also-notify { 10.12.143.56 key zone2.key; };

 update-policy {

 grant "int-update.key." name web.aa.example.net. CNAME;

 };

 };

 include "zones.common.config.view2";

}; // End view "grus-zone2"

view "default" {

 match-clients { any; };

 include "zones.common.config.view2";

}; // End view "default"

mydomains-keys.conf file contains :

key ext-update.key. {

algorithm HMAC-SHA512;

secret "secret2";

};

key int-update.key. {

algorithm HMAC-SHA512;

secret "secret3";

};

Error message in /var/log/named/named.log is :

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

--
Best regards,
Per Weisteen

<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
Hi 
 
I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic
update from some addresses within the internal range. This worked ok
before I had to define my two views. 
 
I'd be very grateful if someone could suggest what I'm doing wrong.
My ISP is running BIND 9.11.4. 
 
Due to the ISPs need to have control over the BIND setup I'm just
allowed to add my config via include files. 
 
 
Zones.mydomains.config file
contains: 

 
include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";
 
acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };
 
//////
// zone1 and zone2 keys used to ensure correct zone
transfer from slave
//////
 
view "external-sites" {
 match-clients { !key zone2.key; key zone1.key;
external; };
 

zone "aa.example.net" {

type master;
 file "zones.master/aa-view1.example.net";
 notify explicit;
 also-notify { 10.12.143.56 key zone1.key;
};
 update-policy {
 grant "ext-update.key." name
web.aa.example.net. CNAME;
 };
 };
 
 include "zones.common.config.view1";
 
}; // End view "external-sites"
 
view "internal-sites" {
 match-clients { !key zone1.key; key zone2.key;
internal; localhost; };
 
 zone "aa.example.net" {
 type master;
 file "zones.master/aa-view2.example.net";
 notify explicit;
 also-notify { 10.12.143.56 key zone2.key;
};
 update-policy {
 grant "int-update.key." name
web.aa.example.net. CNAME;
 };
 };
 
 include "zones.common.config.view2";
 
}; // End view "grus-zone2"
 
 
 
view "default" {
 match-clients { any; };

 
 include "zones.common.config.view2";
 
};
// End view "default"
 
mydomains-keys.conf file contains :
 
key
ext-update.key. {



algorithm HMAC-SHA512;



secret "secret2";


};


 


key
int-update.key. {



algorithm HMAC-SHA512;



secret "secret3";


};


 
Error message in
/var/log/named/named.log is : 

 

10-Jul-2020
13:27:14.695 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed: rejected
by secure update (REFUSED)


10-Jul-2020
13:28:13.883 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed: rejected
by secure update (REFUSED)


 

 

<pre class="moz-signature" cols="72">--
Best regards,
Per Weisteen

</pre>
</body>
</html>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Sten Carlsen@21:1/5 to Per Weisteen on Tue Jul 14 16:34:48 2020

Copy: bind-users@lists.isc.org (Browne, Stuart via bind-users)

--
Best regards
Sten Carlsen

For every problem, there is a solution that
is simple, elegant, and wrong.
HL Mencken

On 14 Jul 2020, at 16.25, Mark Andrews <marka@isc.org> wrote:

Include the update keys in the view selection.

--
Mark Andrews

On 14 Jul 2020, at 23:06, Per Weisteen <perw@compute-it.no> wrote:

Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";

view "external-sites" {
match-clients { !key zone2.key; key zone1.key; external; };

-----------------------------

zone "aa.example.net" {
Error message in /var/log/named/named.log is :

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update

From Mark Andrews@21:1/5 to Per Weisteen on Wed Jul 15 00:25:48 2020

Copy: bind-users@lists.isc.org

--Apple-Mail-E05D45FD-76B5-4EBE-B0A5-A334E9AFFF20
Content-Type: text/plain;
charset=utf-8
Content-Transfer-Encoding: quoted-printable

Include the update keys in the view selection.

--
Mark Andrews

On 14 Jul 2020, at 23:06, Per Weisteen <perw@compute-it.no> wrote:

Hi

I've a BIND setup with my ISP with two views, one external and one internal. At the same time I also need to be able to do a dynamic update from some addresses within the internal range. This worked ok before I had to define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong. My ISP is running BIND 9.11.4.

Due to the ISPs need to have control over the BIND setup I'm just allowed to add my config via include files.

Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////
// zone1 and zone2 keys used to ensure correct zone transfer from slave //////

view "external-sites" {
match-clients { !key zone2.key; key

From Zhiyong Cheng@21:1/5 to All on Wed Jul 15 00:11:15 2020

To: perw@compute-it.no (Per Weisteen)

在 2020年7月14日 +0800 PM9:06，Per Weisteen <perw@compute-it.no>，写道：

Hi

I've a BIND setup with my ISP with two views, one external and one internal. At the same time I also need to be able to do a dynamic update from some addresses within the internal range. This worked ok before I had to define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong. My ISP is running BIND 9.11.4.

Due to the ISPs need to have control over the BIND setup I'm just allowed to add my config via include files.

Zones.mydomains.config file contains:
include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";
acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };
//////
// zone1 and zone2 keys used to ensure correct zone transfer from slave //////
view "external-sites" {
match-clients { !key zone2.key; key zone1.key; external; };
zone "aa.example.net" {
type master;
file "zones.master/aa-view1.example.net";
notify explicit;
also-notify { 10.12.143.56 key zone1.key; };
update-policy {
grant "ext-update.key." name web.aa.example.net. CNAME;
};
};
include "zones.common.config.view1";
}; // End view "external-sites"
view "internal-sites" {
match-clients { !key zone1.key; key zone2.key; internal; localhost; };
zone "aa.example.net" {
type master;
file "zones.master/aa-view2.example.net";
notify explicit;
also-notify { 10.12.143.56 key zone2.key; };
update-policy {
grant "int-update.key." name web.aa.example.net. CNAME;
};
};
include "zones.common.config.view2";
}; // End view "grus-zone2"
view "default" {
match-clients { any; };
include "zones.common.config.view2";
}; // End view "default"
mydomains-keys.conf file contains :
key ext-update.key. {
algorithm HMAC-SHA512;
secret "secret2";
};
key int-update.key. {
algorithm HMAC-SHA512;
secret "secret3";
};
Error message in /var/log/named/named.log is :

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

It seems that you have used a key named arc-zone2.key for updating but only allow int-update.key for updating in configuration?

--
Best regards,
Per Weisteen

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Zhiyong Cheng

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</head>
<body>
<div name="messageReplySection">在 2020年7月14日 +0800 PM9:06，Per Weisteen <perw@compute-it.no>，写道： 
<blockquote type="cite" style="border-left-color:#1abc9c; margin:5px 5px; padding-left:10px; border-left-width:thin; border-left-style:solid;">Hi 
 
I've a BIND setup with my ISP with two views, one external and one internal. At the same time I also need to be able to do a dynamic update from some addresses within the internal range. This worked ok before I had to define my two views. 
 
I'd be very grateful if someone could suggest what I'm doing wrong. My ISP is running BIND 9.11.4. 
 
 Due to the ISPs need to have control over the BIND setup I'm just allowed to add my config via include files. 
 
  
Zones.mydomains.config file contains: 

include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////
// zone1 and zone2 keys used to ensure correct zone transfer from slave
//////

view "external-sites" {
match-clients { !key zone2.key; key zone1.key; external; };

 zone "aa.example.net" {
type master;
file "zones.master/aa-view1.example.net";
notify explicit;
also-notify { 10.12.143.56 key zone1.key; };
update-policy {
grant "ext-update.key." name web.aa.example.net. CNAME;
};
};

include "zones.common.config.view1";

}; // End view "external-sites"

view "internal-sites" {
match-clients { !key zone1.key; key zone2.key; internal; localhost; };

zone "aa.example.net" {
type master;
file "zones.master/aa-view2.example.net";
notify explicit;
also-notify { 10.12.143.56 key zone2.key; };
update-policy {
grant "int-update.key." name web.aa.example.net. CNAME;
};
};

include "zones.common.config.view2";

}; // End view "grus-zone2"



view "default" {
match-clients { any; };

include "zones.common.config.view2";

}; // End view "default"

mydomains-keys.conf file contains :

key ext-update.key. {

algorithm HMAC-SHA512;

secret "secret2";

};



key int-update.key. {

algorithm HMAC-SHA512;

secret "secret3";

};


Error message in /var/log/named/named.log is : 
 
10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed:
rejected by secure update (REFUSED)

10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed:
rejected by secure update (REFUSED)



  
</blockquote>
<div> </div>
<div>It seems that you have used a key named arc-zone2.key for updating but only </div>
<div>allow int-update.key for updating in configuration?</div>
<div> </div>
<blockquote type="cite" style="border-left-color:#1abc9c; margin:5px 5px; padding-left:10px; border-left-width:thin; border-left-style:solid;">
<pre class="moz-signature" cols="72">--
Best regards,
Per Weisteen

</pre>
_______________________________________________ 
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list 
 
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. 
 
 
bind-users mailing list 
bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users  </blockquote>
 
<div>Zhiyong Cheng</div>
</div>
</body>
</html>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Per Weisteen@21:1/5 to Zhiyong Cheng on Thu Jul 16 09:56:58 2020

To: bind-users@lists.isc.org

This is a multi-part message in MIME format.
On 14.07.2020 18:11, Zhiyong Cheng wrote:

在 2020年7月14日 +0800 PM9:06，Per Weisteen <perw@compute-it.no>，写道：

Hi

I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic
update from some addresses within the internal range. This worked ok
before I had to define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong.
My ISP is running BIND 9.11.4.

Due to the ISPs need to have control over the BIND setup I'm just
allowed to add my config via include files.

Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";

include "keys/zone1-keys.conf";

include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };

acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////

// zone1 and zone2 keys used to ensure correct zone transfer from slave

//////

view "external-sites" {

match-clients { !key zone2.key; key zone1.key; external; };

zone "aa.example.net" {

type master;

file "zones.master/aa-view1.example.net";

notify explicit;

also-notify { 10.12.143.56 key zone1.key; };

update-policy {

grant "ext-update.key." name web.aa.example.net. CNAME;

};

};

include "zones.common.config.view1";

}; // End view "external-sites"

view "internal-sites" {

match-clients { !key zone1.key; key zone2.key; internal; localhost; };

zone "aa.example.net" {

type master;

file "zones.master/aa-view2.example.net";

notify explicit;

also-notify { 10.12.143.56 key zone2.key; };

update-policy {

grant "int-update.key." name web.aa.example.net. CNAME;

};

};

include "zones.common.config.view2";

}; // End view "grus-zone2"

view "default" {

match-clients { any; };

include "zones.common.config.view2";

}; // End view "default"

mydomains-keys.conf file contains :

key ext-update.key. {

algorithm HMAC-SHA512;

secret "secret2";

};

key int-update.key. {

algorithm HMAC-SHA512;

secret "secret3";

};

Error message in /var/log/named/named.log is :

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

It seems that you have used a key named arc-zone2.key for updating but
only
allow int-update.key for updating in configuration?

--
Best regards,
Per Weisteen

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Zhiyong Cheng

Hi

I've managed to paste wrong error messages. The correct was :

10-Jul-2020 13:21:24.571 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:21:24.759 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)

I'll try Mark's suggestion.

Per W.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
On 14.07.2020 18:11, Zhiyong Cheng wrote: 
<blockquote type="cite"
cite="mid:2324a085-c5c1-46d7-8831-f07453e15b35@Spark">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title></title>
<div name="messageReplySection">在 2020年7月14日 +0800 PM9:06，Per
Weisteen <a class="moz-txt-link-rfc2396E" href="mailto:perw@compute-it.no"><perw@compute-it.no></a>，写道： 
<blockquote type="cite" style="border-left-color:#1abc9c;
margin:5px 5px; padding-left:10px; border-left-width:thin;
border-left-style:solid;">Hi 
 
I've a BIND setup with my ISP with two views, one external and
one internal. At the same time I also need to be able to do a
dynamic update from some addresses within the internal range.
This worked ok before I had to define my two views. 
 
I'd be very grateful if someone could suggest what I'm doing
wrong. My ISP is running BIND 9.11.4. 
 
Due to the ISPs need to have control over the BIND setup I'm
just allowed to add my config via include files. 
 
 
Zones.mydomains.config
file contains: 


include
"keys/mydomains-keys.conf";
include
"keys/zone1-keys.conf";
include
"keys/zone2-keys.conf";

acl external {
10.222.33.0/18; 10.222.44.0/18; };
acl internal {
10.11.0.0/16; 10.12.0.0/16; };

//////
// zone1 and
zone2 keys used to ensure correct zone transfer from slave
//////

view
"external-sites" {
match-clients {
!key zone2.key; key zone1.key; external; };

 zone "aa.example.net" {
type master;
file
"zones.master/aa-view1.example.net";
notify explicit;
also-notify {
10.12.143.56 key zone1.key; };
update-policy {
grant
"ext-update.key." name web.aa.example.net. CNAME;
};
};

include
"zones.common.config.view1";

}; // End view
"external-sites"

view
"internal-sites" {
match-clients {
!key zone1.key; key zone2.key; internal; localhost; };

zone
"aa.example.net" {
type master;
file
"zones.master/aa-view2.example.net";
notify explicit;
also-notify {
10.12.143.56 key zone2.key; };
update-policy {
grant
"int-update.key." name web.aa.example.net. CNAME;
};
};

include
"zones.common.config.view2";

}; // End view
"grus-zone2"



view "default" {
match-clients {
any; };

include
"zones.common.config.view2";

}; // End view "default"

mydomains-keys.conf file contains :
key ext-update.key. {
algorithm HMAC-SHA512;
secret "secret2";
};

key int-update.key. {
algorithm HMAC-SHA512;
secret "secret3";
};

Error
message in /var/log/named/named.log is : 

 

10-Jul-2020 13:27:14.695
update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed:
rejected by secure update (REFUSED)
10-Jul-2020 13:28:13.883
update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed:
rejected by secure update (REFUSED)


 
</blockquote>
<div> 
</div>
<div>It seems that you have used a key named arc-zone2.key for
updating but only </div>
<div>allow int-update.key for updating in configuration?</div>
<div> 
</div>
<blockquote type="cite" style="border-left-color:#1abc9c;
margin:5px 5px; padding-left:10px; border-left-width:thin;
border-left-style:solid;">
<pre class="moz-signature" cols="72">--
Best regards,
Per Weisteen

</pre>
_______________________________________________ 
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list 
 
ISC funds the development of this software with paid support
subscriptions. Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for
more information. 
 
 
bind-users mailing list 
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a> 
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> 
</blockquote>
 
<div>Zhiyong Cheng</div>
</div>
</blockquote>
 
 
Hi 
 
I've managed to paste wrong error messages. The correct was : 
 
10-Jul-2020
13:21:24.571 update: info: client @0x7f09500f432c
10.11.131.23#5175/key int-update.key: view internal-sites:
updating zone 'aa.example.net/IN': update failed: rejected by
secure update (REFUSED)

10-Jul-2020
13:21:24.759 update: info: client @0x7f09500f432c
10.11.131.23#5175/key int-update.key: view internal-sites:
updating zone 'aa.example.net/IN': update failed: rejected by
secure update (REFUSED) 
 
 
I'll try Mark's suggestion. 
 
Per W. 
</body>
</html>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	291
Nodes:	16 (2 / 14)
Uptime:	157:11:41
Calls:	6,613
Calls today:	3
Files:	12,162
Messages:	5,312,040

Dynamic update rejected within a view

Who's Online

Recent Visitors

System Info