Nsupdate -l not using session.key
Kalman Feher
kalman.feher at melbourneit.com.au
Wed Jun 30 16:07:34 UTC 2010
On 30/06/10 5:25 PM, "Alan Clegg" <aclegg at isc.org> wrote:
> On 6/30/2010 11:13 AM, Kalman Feher wrote:
>> While testing bind 9.7.1 features including automated signing and
>> update-policy local, I encountered some strange behaviour using nsupdate -l.
>>
>> When using nsupdate -l I was not able to update the zone in question and the
>> following error was generated:
>> update-security: error: client 127.0.0.1#9292: view internal: update
>> 'star/IN' denied
>
>> Any suggestions?
>
> Send your named.conf
Named.conf:
// ACL used by the global allow-transfer below. It contains only the built-in
// "none" ACL, so zone transfers are refused unless a zone overrides this.
acl "xfer" {
"none";
};
// Clients treated as internal: IPv4 and IPv6 loopback plus one 10.x /22.
// Referenced by allow-query, allow-query-cache and by match-clients of the
// "internal" view, so any address listed here gets recursion and the cache.
acl "trusted" {
127.0.0.0/8;
::1/128;
10.115.160.0/22;
};
// Global server options; views and zones inherit these unless they override.
// NOTE(review): no session-keyfile is set, so named writes the key generated
// for "update-policy local" to its built-in default path (documented as
// /var/run/named/session.key; a build with a different localstatedir may
// differ - confirm). nsupdate -l has to read that same file, and the file
// must stay readable only by the accounts that are allowed to update zones.
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid";
bindkeys-file "/etc/bind/bind.keys";
// IPv6 listening is disabled; IPv4 listens on every interface, so exposure is
// limited by the ACLs below rather than by which sockets are bound.
listen-on-v6 { none; };
listen-on port 53 { any; };
// Queries and cache access default to the "trusted" ACL only.
allow-query {
trusted;
};
allow-query-cache {
trusted;
};
// "xfer" resolves to none: no zone transfers by default.
allow-transfer {
xfer;
};
dnssec-enable yes;
};
// Four file channels, each rotated by named ("versions 5", size-capped), with
// timestamp, severity and category printed on every line.
// No category is declared for update-security (the category of the denial
// quoted in the post), so those messages follow "category default" into
// named.log. A dedicated channel for update-security makes refused dynamic
// updates easier to audit.
logging {
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
};
channel query_log {
file "/var/log/named/query.log" versions 5 size 100M;
print-time yes;
print-severity yes;
print-category yes;
};
channel dnssec_log {
file "/var/log/named/dnssec.log" versions 5 size 100M;
print-time yes;
print-severity yes;
print-category yes;
};
channel resolver_log {
file "/var/log/named/resolver.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
// default_syslog is a built-in channel; general messages go to both.
category general { default_log; default_syslog; };
category queries { query_log; };
category dnssec { dnssec_log; };
category resolver { resolver_log; };
};
// The included file presumably defines the "rndc-key" TSIG key used below
// (not shown in the post). It holds a shared secret, so it should be readable
// only by named and the administrators who run rndc.
include "/etc/bind/rndc.key";
// rndc control channel: bound to IPv4 loopback port 953, and every command
// must be signed with "rndc-key".
// NOTE(review): the ::1/128 entry in allow looks unused, since the channel
// listens only on 127.0.0.1 - confirm.
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys {
"rndc-key"; };
};
// View for clients in the "trusted" ACL: recursion enabled, plus the local
// authoritative zones. The denied update in the post came from 127.0.0.1 and
// was matched to this view.
view "internal" in {
match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
zone "." in {
type hint;
file "/var/bind/root.cache";
};
// Static loopback zones: dynamic updates and transfers are refused. The
// zone-level "allow-query any" overrides the global allow-query, but clients
// still have to match this view's match-clients first.
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
allow-query { any; };
allow-transfer { none; };
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
allow-query { any; };
allow-transfer { none; };
};
// Dynamically updated, automatically signed zone.
// "update-policy local" accepts only updates signed with the session key that
// named generates at startup (default key name "local-ddns"). Whoever can read
// the session key file can change this zone, so its file permissions are the
// effective access control.
// NOTE(review): the logged "update 'star/IN' denied" is consistent with the
// request arriving without a signature this policy accepts - check that
// nsupdate -l reads the key file this named instance wrote.
zone "star" IN {
type master;
auto-dnssec maintain;
update-policy local;
// Refuses a dynamic update that would turn the zone from signed to unsigned.
dnssec-secure-to-insecure no;
file "pri/star/star.zone.signed";
// Directory holding the DNSSEC keys that "auto-dnssec maintain" signs with;
// the private key files here should be readable only by named.
key-directory "pri/star";
notify no;
allow-query { any; };
allow-transfer { none; };
};
// Only delegations are accepted as answers from the COM and NET zones.
zone "COM" { type delegation-only; };
zone "NET" { type delegation-only; };
};
// Catch-all view for clients that did not match "internal". Recursion is off
// and only the root hints are loaded, so no authoritative data is served here.
// It also inherits the global "allow-query { trusted; }" from options.
view "public" in {
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "." in {
type hint;
file "/var/bind/root.cache";
};
};
// CHAOS-class view that matches every client and refuses all queries,
// presumably to stop version.bind / hostname.bind style probes from being
// answered - confirm intent. The hint zone reads from /dev/null, so it holds
// no data.
view "chaos" chaos {
match-clients { any; };
allow-query { none; };
zone "." {
type hint;
file "/dev/null"; };
};
>
> AlanC
>
--
Kal Feher