TSIG signed Updates
holger.honert at signal-iduna.de
Thu Feb 3 09:35:47 UTC 2005
Hi out there,
To better secure the dynamic updates that are forwarded via my secondary
nameserver (172.17.111.30) using the allow-update-forwarding statement,
these updates (should) be signed with a TSIG key.
Unfortunately this does not work in my configuration. Every time I make an
update I get a REFUSED, and the primary nameserver (172.27.100.12) says
"update denied" in the log file.
The key seems alright, because it is used for AXFR with no problems.
Here is the secondary DNS config:

key tsig-key {
    algorithm hmac-md5;
    secret "my-secret";
};

server 172.27.100.12 {
    keys { tsig-key; };
};

zone "nwf.local" in {
    type slave;
    file "secondary/db.nwf.local";
    masters { 172.27.100.12; };
    allow-update-forwarding { 127.0.0.1; ddns; };
};
The primary config:

key tsig-key {
    algorithm hmac-md5;
    secret "my secret";
};

server 172.17.111.30 {
    keys { tsig-key; };
};

zone "nwf.local" {
    type master;
    file "primary/db.nwf.local";
    allow-query {
        any;
    };
    allow-transfer {
        key tsig-key;
    };
    update-policy {
        grant dhcp-key-1 wildcard *.nwf.local. A TXT;
        grant tsig-key wildcard *.nwf.local. ANY;
    };
    notify yes;
    check-names ignore;
};
The output from nsupdate:
> update add test1234.nwf.local. 1234 IN A 1.2.3.4
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34852
;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test1234.nwf.local. IN SOA
;; AUTHORITY SECTION:
nwf.local. 0 IN SOA ns.nwf.local. dnsadmin.signal-iduna.net. 189 1800 1800 604800 38400
Found zone name: nwf.local
The master is: ns.nwf.local
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 8817
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>
Output of named.log from the primary:
03-Feb-2005 09:48:05.248 update-security: error: client 172.17.111.30#32905: update 'nwf.local/IN' denied
Where am I wrong?
TIA!
Kind Regards
Holger Honert
KOMN-97851
SIGNAL IDUNA Gruppe
Joseph-Scherer-Str. 3
44139 Dortmund
Phone: +49 231/135-4043
FAX: +49 231/135-2959
mailto: holger.honert at signal-iduna.de
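As an added example (not part of Holger's post and not BIND's own code), a stdlib-only Python model of the RFC 2845 request MAC that BIND's hmac-md5 TSIG relies on: it builds a minimal UPDATE for nwf.local, signs it with the secret from one key statement and verifies it against another, which shows that the MAC covers the whole message plus the key name and algorithm, so any difference in the base64 secret between two key statements of the same name yields BADSIG on the verifying server. The secrets and the time-signed value are constructed; only the zone, key name and message id come from the post.

```python
import base64
import hashlib
import hmac
import struct

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."  # algorithm name BIND uses for hmac-md5

def wire_name(name):
    """Uncompressed DNS wire format; TSIG digests the key name in lowercase."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def update_request(zone, msg_id=8817):
    """Minimal UPDATE (opcode 5): header plus the Zone section (zone SOA IN)."""
    header = struct.pack(">HHHHHH", msg_id, 5 << 11, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack(">HH", 6, 1)

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """RFC 2845 3.4.2: TSIG RR fields covered by the MAC (class ANY, TTL 0)."""
    return (wire_name(key_name) + struct.pack(">HI", 255, 0) + wire_name(HMAC_MD5)
            + struct.pack(">HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_mac(secret_b64, message, key_name, time_signed, fudge=300):
    """Request MAC: HMAC-MD5(secret, message || TSIG variables)."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, hashlib.md5).digest()

def verify_tsig(known_keys, message, key_name, received_mac, time_signed, now, fudge=300):
    """Server-side checks in RFC 2845 4.5 order: key, MAC, then time window."""
    secret = known_keys.get(key_name.lower())
    if secret is None:
        return False, "BADKEY"
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, received_mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"

# Constructed secrets standing in for the two key statements on each server.
SECONDARY_SECRET = base64.b64encode(b"constructed secret, secondary").decode()
PRIMARY_SECRET = base64.b64encode(b"constructed secret, primary").decode()

def demo(now_offset=10):
    msg, t = update_request("nwf.local."), 1107424085  # constructed time-signed
    mac = tsig_mac(SECONDARY_SECRET, msg, "tsig-key.", t)
    same = verify_tsig({"tsig-key.": SECONDARY_SECRET}, msg, "tsig-key.", mac, t, t + now_offset)
    other = verify_tsig({"tsig-key.": PRIMARY_SECRET}, msg, "tsig-key.", mac, t, t + now_offset)
    return same, other
```

demo() returns (True, "NOERROR") for the matching secret and (False, "BADSIG") for the mismatched one; a verifier whose clock is more than the fudge (300 s) away from the signer's returns BADTIME even with the right key.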