List: bind-users
Subject: Re: Dynamic update rejected within a view
From: Per Weisteen <perw () compute-it ! no>
Date: 2020-07-16 7:56:58
Message-ID: 78147abb-a69f-c578-33dc-c384a7094e34 () compute-it ! no
On 14.07.2020 18:11, Zhiyong Cheng wrote:
> On 14 July 2020 at 9:06 PM +0800, Per Weisteen <perw@compute-it.no> wrote:
>> Hi
>>
>> I've a BIND setup with my ISP with two views, one external and one
>> internal. At the same time I also need to be able to do a dynamic
>> update from some addresses within the internal range. This worked ok
>> before I had to define my two views.
>>
>> I'd be very grateful if someone could suggest what I'm doing wrong.
>> My ISP is running BIND 9.11.4.
>>
>> Due to the ISPs need to have control over the BIND setup I'm just
>> allowed to add my config via include files.
>>
>>
>> Zones.mydomains.config file contains:
>>
>> include "keys/mydomains-keys.conf";
>> include "keys/zone1-keys.conf";
>> include "keys/zone2-keys.conf";
>>
>> acl external { 10.222.33.0/18; 10.222.44.0/18; };
>> acl internal { 10.11.0.0/16; 10.12.0.0/16; };
>>
>> //////
>> // zone1 and zone2 keys used to ensure correct zone transfer from slave
>> //////
>>
>> view "external-sites" {
>>     match-clients { !key zone2.key; key zone1.key; external; };
>>
>>     zone "aa.example.net" {
>>         type master;
>>         file "zones.master/aa-view1.example.net";
>>         notify explicit;
>>         also-notify { 10.12.143.56 key zone1.key; };
>>         update-policy {
>>             grant "ext-update.key." name web.aa.example.net. CNAME;
>>         };
>>     };
>>
>>     include "zones.common.config.view1";
>> }; // End view "external-sites"
>>
>> view "internal-sites" {
>>     match-clients { !key zone1.key; key zone2.key; internal; localhost; };
>>
>>     zone "aa.example.net" {
>>         type master;
>>         file "zones.master/aa-view2.example.net";
>>         notify explicit;
>>         also-notify { 10.12.143.56 key zone2.key; };
>>         update-policy {
>>             grant "int-update.key." name web.aa.example.net. CNAME;
>>         };
>>     };
>>
>>     include "zones.common.config.view2";
>> }; // End view "grus-zone2"
>>
>> view "default" {
>>     match-clients { any; };
>>     include "zones.common.config.view2";
>> }; // End view "default"
>>
>> mydomains-keys.conf file contains:
>>
>> key ext-update.key. {
>>     algorithm HMAC-SHA512;
>>     secret "secret2";
>> };
>>
>> key int-update.key. {
>>     algorithm HMAC-SHA512;
>>     secret "secret3";
>> };
>>
>> Error message in /var/log/named/named.log is:
>>
>> 10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30
>> 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
>> 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
>>
>> 10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30
>> 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
>> 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
>>
>
> It seems that you have used a key named arc-zone2.key for updating but
> only allow int-update.key for updating in the configuration?
>
>> --
>> Best regards,
>> Per Weisteen
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>>
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> Zhiyong Cheng
Hi
I managed to paste the wrong error messages. The correct ones were:
10-Jul-2020 13:21:24.571 update: info: client @0x7f09500f432c
10.11.131.23#5175/key int-update.key: view internal-sites: updating zone
'aa.example.net/IN': update failed: rejected by secure update (REFUSED)
10-Jul-2020 13:21:24.759 update: info: client @0x7f09500f432c
10.11.131.23#5175/key int-update.key: view internal-sites: updating zone
'aa.example.net/IN': update failed: rejected by secure update (REFUSED)
I'll try Mark's suggestion.
Per W.
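As an added illustration (not code from this thread, from BIND, or from the ISP's setup), the Python below models how the views and `update-policy` grants quoted above treat a TSIG-signed update, so that a REFUSED like the corrected log lines can be traced to a specific check. It assumes BIND's documented semantics for `match-clients` (elements are evaluated in order, the first matching element decides, and a matching negated element rejects the list) and for `grant <identity> name <target> <types>` (the signing key must equal the identity, the owner name must equal the target exactly, and the type must be one of those listed). The `localhost` ACL contents and the sample requests are constructed; the thread does not say which owner name or record type the refused update carried, and the file included by the `default` view is not shown, so that view carries no grants here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of one dynamic-update request (not part of the thread).
@dataclass
class Request:
    src: str            # client source address
    key: Optional[str]  # TSIG key name the request is signed with, or None
    zone: str           # zone the update targets
    name: str           # owner name the update adds or deletes
    rtype: str          # record type in the update

# ACLs transcribed from the thread's config. 'localhost' stands in for BIND's
# built-in ACL (assumption: loopback only).
ACLS: Dict[str, List[str]] = {
    "external": ["10.222.33.0/18", "10.222.44.0/18"],
    "internal": ["10.11.0.0/16", "10.12.0.0/16"],
    "localhost": ["127.0.0.0/8", "::1/128"],
}

# Views in the order named evaluates them: (name, match-clients elements,
# {zone: [(grant identity, target name, allowed types)]}). The 'default' view's
# included file is not shown in the thread, so it carries no grants here.
Grant = Tuple[str, str, Set[str]]
VIEWS: List[Tuple[str, List[str], Dict[str, List[Grant]]]] = [
    ("external-sites", ["!key zone2.key", "key zone1.key", "external"],
     {"aa.example.net": [("ext-update.key.", "web.aa.example.net.", {"CNAME"})]}),
    ("internal-sites", ["!key zone1.key", "key zone2.key", "internal", "localhost"],
     {"aa.example.net": [("int-update.key.", "web.aa.example.net.", {"CNAME"})]}),
    ("default", ["any"], {}),
]

def fqdn(name: str) -> str:
    """Canonical form for comparing DNS names: lower case, single trailing dot."""
    return name.rstrip(".").lower() + "."

def element_matches(element: str, req: Request) -> bool:
    """One address_match_list element: 'key X' matches a request signed with X,
    'any' matches everything, anything else is an ACL name matched by source IP."""
    if element.startswith("key "):
        return req.key is not None and fqdn(req.key) == fqdn(element[4:])
    if element == "any":
        return True
    ip = ipaddress.ip_address(req.src)
    # strict=False: 10.222.33.0/18 as written has host bits set (it denotes
    # 10.222.0.0/18); the prefix is masked here rather than rejected.
    return any(ip in ipaddress.ip_network(n, strict=False) for n in ACLS[element])

def acl_matches(elements: List[str], req: Request) -> bool:
    """First matching element decides; if that element is negated the list rejects."""
    for element in elements:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), req):
            return not negated
    return False

def select_view(req: Request) -> Tuple[Optional[str], Dict[str, List[Grant]]]:
    for name, match_clients, zones in VIEWS:
        if acl_matches(match_clients, req):
            return name, zones
    return None, {}

def evaluate_update(req: Request) -> Tuple[Optional[str], str]:
    """Return (selected view, 'NOERROR' or the reason the update is REFUSED)."""
    view, zones = select_view(req)
    if view is None:
        return None, "REFUSED: no view matched the client"
    grants = zones.get(req.zone)
    if grants is None:
        return view, f"REFUSED: view {view} has no update-policy for zone {req.zone}"
    for identity, target, types in grants:
        # 'grant <identity> name <target> <types>': signing key must equal the
        # identity, the owner name must equal the target exactly, and the type
        # must be listed (an empty type list allows any type).
        if (req.key is not None and fqdn(req.key) == fqdn(identity)
                and fqdn(req.name) == fqdn(target)
                and (not types or req.rtype.upper() in types)):
            return view, "NOERROR"
    return view, "REFUSED: rejected by secure update (no grant rule matched)"

if __name__ == "__main__":
    # The client and key from the corrected log lines, with constructed payloads.
    for name, rtype in [("web.aa.example.net", "CNAME"), ("web.aa.example.net", "A"),
                        ("www.aa.example.net", "CNAME")]:
        req = Request("10.11.131.23", "int-update.key", "aa.example.net", name, rtype)
        print(f"{name} {rtype}: {evaluate_update(req)}")
```

Run against the client in the corrected log (10.11.131.23 signed with int-update.key), the model lands in `internal-sites` just as named did, so the view selection is not the problem; the only grant there accepts a CNAME at exactly `web.aa.example.net.`, and any other owner name or record type falls through to "rejected by secure update". Two things worth checking on the real server: what record the failing client actually sends (a packet capture or the client's own log), and what `named-checkconf` reports for the `external` ACL, whose prefixes have host bits set.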