To: bind-users@lists.isc.org
On 14.07.2020 18:11, Zhiyong Cheng wrote:
On 14 Jul 2020 at 9:06 PM +0800, Per Weisteen <perw@compute-it.no> wrote:
Hi
I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic
update from some addresses within the internal range. This worked ok
before I had to define my two views.
I'd be very grateful if someone could suggest what I'm doing wrong.
My ISP is running BIND 9.11.4.
Due to the ISP's need to have control over the BIND setup, I'm just
allowed to add my config via include files.
Zones.mydomains.config file contains:
include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////
// zone1 and zone2 keys used to ensure correct zone transfer from slave
//////

view "external-sites" {
    match-clients { !key zone2.key; key zone1.key; external; };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view1.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone1.key; };
        update-policy {
            grant "ext-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view1";
}; // End view "external-sites"

view "internal-sites" {
    match-clients { !key zone1.key; key zone2.key; internal; localhost; };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view2.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone2.key; };
        update-policy {
            grant "int-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view2";
}; // End view "grus-zone2"

view "default" {
    match-clients { any; };
    include "zones.common.config.view2";
}; // End view "default"
mydomains-keys.conf file contains:

key ext-update.key. {
    algorithm HMAC-SHA512;
    secret "secret2";
};

key int-update.key. {
    algorithm HMAC-SHA512;
    secret "secret3";
};
Error message in /var/log/named/named.log is:

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
It seems that you have used a key named arc-zone2.key for updating but only allow int-update.key for updating in configuration?
--
Best regards,
Per Weisteen
Zhiyong Cheng
Hi
I've managed to paste the wrong error messages. The correct ones were:
10-Jul-2020 13:21:24.571 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)
10-Jul-2020 13:21:24.759 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)
I'll try Mark's suggestion.
Per W.
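To make the "rejected by secure update (REFUSED)" line in the corrected log easier to reason about, here is an added example that is not code from this thread or from BIND itself: a simplified Python model of how named evaluates an update-policy (only the "name" and "subdomain" rule types, first match wins, no match means REFUSED), run against the internal-sites grant exactly as posted. The key point it shows is that `grant "int-update.key." name web.aa.example.net. CNAME;` permits int-update.key to change only the CNAME at exactly web.aa.example.net; an update signed with that key that touches any other name or any other record type is refused with the same log line.

```python
# Simplified model of BIND's update-policy check for one RR of an update
# request. Added example, not BIND's code (lib/dns/ssu.c): only the "name"
# and "subdomain" rule types, first-match / default-refuse. named runs this
# per RR in the update section and refuses the whole update if any RR fails.
from dataclasses import dataclass, field

# Types an untyped rule does NOT cover (BIND ARM, update-policy "types").
IMPLICIT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}

def canon(name: str) -> str:
    """Normalise a DNS name: lower-case and absolute (trailing dot)."""
    n = name.lower()
    return n if n.endswith(".") else n + "."

@dataclass
class Rule:
    permission: str   # "grant" or "deny"
    identity: str     # TSIG key name the request must be signed with
    ruletype: str     # "name" (exact match) or "subdomain"
    name: str         # target name the rule applies to
    types: set = field(default_factory=set)  # empty = any non-excluded type

    def matches(self, key: str, target: str, rrtype: str) -> bool:
        if canon(key) != canon(self.identity):      # wrong key: rule skipped
            return False
        t, n = canon(target), canon(self.name)
        if self.ruletype == "name" and t != n:
            return False
        if self.ruletype == "subdomain" and t != n and not t.endswith("." + n):
            return False
        if self.types:
            return "ANY" in self.types or rrtype.upper() in self.types
        return rrtype.upper() not in IMPLICIT_EXCLUDED

def evaluate(policy: list, key: str, target: str, rrtype: str) -> str:
    """First matching rule decides; no match is REFUSED, which named logs as
    'update failed: rejected by secure update (REFUSED)'."""
    for rule in policy:
        if rule.matches(key, target, rrtype):
            return "NOERROR" if rule.permission == "grant" else "REFUSED"
    return "REFUSED"

# The internal-sites view's update-policy exactly as posted in the thread:
# int-update.key may only touch the CNAME at web.aa.example.net.
INTERNAL_POLICY = [
    Rule("grant", "int-update.key.", "name", "web.aa.example.net.", {"CNAME"}),
]
# A looser alternative (constructed, not from the thread) for comparison.
SUBDOMAIN_POLICY = [Rule("grant", "int-update.key.", "subdomain", "aa.example.net.")]
```

Comparing `evaluate(INTERNAL_POLICY, "int-update.key", "web.aa.example.net", "A")` (REFUSED) with the same call for type CNAME (NOERROR) is the quickest way to see whether the record type in the nsupdate script, not the key or the view, is what the policy rejects.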