Bind9 forward/reverse zones with multiple TSIG keys

Rick Dicaire kritek at gmail.com
Tue Jan 29 16:43:15 UTC 2019


Wonder if you can use ddns zones with catalog zones, haven't tried it
myself...

On Tue, Jan 29, 2019 at 11:27 AM Grant Taylor via bind-users <
bind-users at lists.isc.org> wrote:

> On 01/29/2019 01:19 AM, ObNox wrote:
> > Hi,
>
> Hi ObNox,
>
> > For that to work, I need to make sure every separated component works as
> > expected when configured separately.
>
> Ah, yes.  The joys / perils of testing discrete units individually and
> then starting to plug them together like Legos and making sure that things
> still work.
>
> > Now, the trouble really begins :
> >
> > 1/ I update the zones files to uncomment the "test" record and update
> > the serial number
> >
> > 2/ I update "named.conf" to uncomment the "allow-update" statement using
> > "key-dhcp"
> >
> > 3/ "named-checkconf" does not complain so "rndc reload"!
> >
> > Problem : The syslog messages don't show the lines indicating that the
> > zones have been reloaded, here's an extract :
> >
> > …
> >
> > I was expecting the usual messages after a zone change, like previously:
> >
> > …
> >
> > So now, with the new "allow-update" statement, the zones are not
> > reloaded and this is confirmed by "dig" :
> >
> > …
> >
> > The new record "test.domain.tld" is not found and the serial is not the
> > new one!
>
> I'm wondering if you're being bitten by something that got me years ago
> when I first started messing with dynamic zones that allowed updates.
>
> In short, when dynamic updates are enabled, BIND will make changes to a
> journal file (which I think is binary).  You have to "freeze" and
> "flush" the zone to be able to make changes to the text file.
>
> So I'm guessing that your change wasn't detected because you
> transitioned to dynamic updates ~> journal file at the same time (or
> apparently) before BIND loaded the new zone.  Thus the journal ~> BIND
> was using the old version of the zone file.
>
> I've found that I do most of my zone administration via nsupdate on the
> DNS server using the local key & socket.
>
> I only go through the "freeze" & "flush", edit, and "thaw" (& "sign" for
> DNSSEC) cycle when I have more (complex) edits than I want to make via
> nsupdate.  (I've also wrapped nsupdate with rlwrap so that I have some
> (readline) history and better nsupdate command line editing.)
>
> > I've tested dozens of combinations with both "allow-transfer" and
> > "allow-update" by putting them at the "view" level, "options" level,
> > "global" level, etc. and nothing changed.
>
> If BIND did do what I'm thinking, then your edits were functionally
> lost.  (Technically they may still be in the text file.)
>
> > So for now I'm lost and I need an expert's PoV to point what I'm doing
> > wrong and/or what I missed!
>
> I'm far from an expert.  But hopefully you can benefit from my toe
> stubbing / razor cuts.
>
> > Thank you for any useful clue.
>
> Good luck.
>
>
>
> --
> Grant. . . .
> unix || die
>
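The freeze / edit / thaw cycle Grant describes, and the nsupdate route he prefers, as an added worked example. This is my own script, not code from the thread, from ObNox's setup or from ISC. It reads the SOA serial out of a master file (so you can compare it with what named actually answers), checks whether named's journal sits next to the file, and returns the rndc commands that must bracket a hand edit in each case; it also builds the nsupdate transaction that adds the "test" record instead of touching the file at all. The zone name domain.tld, the file name db.domain.tld, the 192.0.2.0/24 addresses and the key name key-dhcp are assumptions; the journal name <file>.jnl is BIND's default when the zone statement does not set "journal" explicitly.

```python
import os
import re

# Constructed sample master file (not from the thread): a minimal forward
# zone with the multi-line SOA form that named itself writes out.
SAMPLE_ZONE = """\
$ORIGIN domain.tld.
$TTL 3600
@   IN SOA ns1.domain.tld. hostmaster.domain.tld. (
        2019012901 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        300 )      ; minimum
    IN NS  ns1.domain.tld.
ns1 IN A   192.0.2.1
"""

_SOA_RE = re.compile(r"\bSOA\b(.*)", re.DOTALL)


def parse_soa_serial(zone_text: str) -> int:
    """Return the SOA serial from master-file text.

    Tolerates the parenthesised multi-line SOA and ';' comments. Compare the
    result with `dig +short SOA <zone> @127.0.0.1`: if they differ on a
    dynamic zone, named is serving the journal, not your edited file.
    """
    body = _SOA_RE.search(zone_text).group(1)
    no_comments = "\n".join(line.split(";", 1)[0] for line in body.splitlines())
    fields = no_comments.replace("(", " ").replace(")", " ").split()
    # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM ...
    return int(fields[2])


def journal_path(zone_file: str) -> str:
    # Default journal location: the master file name with ".jnl" appended.
    return zone_file + ".jnl"


def has_journal(zone_file: str) -> bool:
    return os.path.exists(journal_path(zone_file))


def manual_edit_steps(zone: str, zone_file: str) -> list:
    """rndc commands that must bracket a hand edit of the master file.

    With a journal present the journal wins over the text file, so the zone
    is frozen first (rndc freeze also syncs journal changes into the file),
    then edited, then thawed (rndc thaw reloads from disk and re-enables
    updates). A missing .jnl does not prove the zone is static: a zone with
    allow-update that has never received an update has no journal yet, so
    also check named.conf for allow-update / update-policy.
    """
    edit = f"$EDITOR {zone_file}   # bump the serial"
    if not has_journal(zone_file):
        return [edit, f"rndc reload {zone}"]
    return [f"rndc freeze {zone}", edit, f"rndc thaw {zone}"]


def nsupdate_script(zone: str, name: str, rrtype: str, rdata: str,
                    ttl: int = 300, server: str = "127.0.0.1") -> str:
    """stdin for `nsupdate -k <key-dhcp key file>` or `nsupdate -l` (local
    session key). One transaction: refuse if the name already exists, add
    the record, send. named then updates the journal and bumps the serial
    itself, so no file edit and no reload is needed."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"prereq nxdomain {name}",
        f"update add {name} {ttl} {rrtype} {rdata}",
        "send",
        "",
    ])


def demo() -> dict:
    """Run both paths against the constructed zone in a temporary directory."""
    import tempfile
    workdir = tempfile.mkdtemp()
    zone_file = os.path.join(workdir, "db.domain.tld")
    with open(zone_file, "w") as fh:
        fh.write(SAMPLE_ZONE)
    static_steps = manual_edit_steps("domain.tld", zone_file)
    open(journal_path(zone_file), "wb").close()   # simulate named's journal
    dynamic_steps = manual_edit_steps("domain.tld", zone_file)
    return {
        "serial": parse_soa_serial(SAMPLE_ZONE),
        "static": static_steps,
        "dynamic": dynamic_steps,
        "nsupdate": nsupdate_script("domain.tld", "test.domain.tld.", "A", "192.0.2.10"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Usage: run it against the real file (`manual_edit_steps("domain.tld", "/etc/bind/db.domain.tld")`) before editing, and feed `nsupdate_script(...)` to `nsupdate -k` with the key-dhcp key file to add the record the way named expects for a dynamic zone.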

