key-restricted nsupdate of internal view's zone's host REFUSED with 'signer "<key>" denied'?
PGNd
dev at pgnd.us
Tue May 26 15:55:13 UTC 2015
I run
named -v
BIND 9.10.2
in split-horizon mode with two views
view "internal" {
view "external" {
For a single zone
MYDOMAIN.com
I'm targeting two hostnames in the zone
test.MYDOMAIN.com
external.test.MYDOMAIN.com
for dynamic updates. At any given time, the A records should return
view=internal:
dig A test.MYDOMAIN.com +short
A.B.C.D
dig A external.test.MYDOMAIN.com +short
10.1.1.14
view=external:
dig A test.MYDOMAIN.com +short
A.B.C.D
dig A external.test.MYDOMAIN.com +short
A.B.C.D
I want to dynamically update A.B.C.D, using 'nsupdate'. I.e., I'll update
internal: external.test.MYDOMAIN.com
external: test.MYDOMAIN.com
external: external.test.MYDOMAIN.com
In my DNS conf
cat named.conf
...
acl presgrp_internal { localhost; 10.1.1.0/24; 2001:xxx:xxxx:xxx::/64; };
...
view "internal" {
match-clients { key test-key; presgrp_internal; };
...
zone "MYDOMAIN.com" {
type master; file "/namedb/master/internal.MYDOMAIN.com.zone";
update-policy {
grant brahms-rndc-key zonesub ANY;
grant test-key name external.test.MYDOMAIN.com ANY;
};
};
...
view "external" {
match-clients { key test-key; any; };
...
zone "MYDOMAIN.com" IN {
type master; file "/namedb/master/MYDOMAIN.com.zone";
update-policy {
grant test-key name test.MYDOMAIN.com ANY;
grant test-key name external.test.MYDOMAIN.com ANY;
};
};
...
I have an update script
cat dyn-update.sh
#!/bin/sh
# usage: sh dyn-update.sh <new IPv4 address>
IP=$1
NSUPDATE="/usr/local/bind9/bin/nsupdate"
RNDC="/usr/local/bind9/sbin/rndc"
KEYFILE="/usr/local/etc/named/keys/test.rndc.key"
SERVER="2001:xxx:xxxx:xxx::100"
ZONE="MYDOMAIN.com"
HOST="test"
# -k signs the update with the TSIG key in KEYFILE; -v sends it over TCP.
# 'local ::1' fixes the source address; source address and signing key
# together decide which view's match-clients the update hits.
# All six changes below travel in one UPDATE message (the 'send').
cat <<EOF | ${NSUPDATE} -k ${KEYFILE} -v
server ${SERVER}
zone ${ZONE}
local ::1
update delete ${HOST}.${ZONE}. ANY
update delete external.${HOST}.${ZONE}. ANY
update add ${HOST}.${ZONE}. 5 A ${IP}
update add external.${HOST}.${ZONE}. 5 A ${IP}
update add ${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
update add external.${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
show
send
EOF
# A reload is not needed for dynamic updates; named applies and journals them.
${RNDC} reload
where
cat /usr/local/etc/named/keys/test.rndc.key
key "test-key" {
algorithm hmac-md5;
secret "gcNd3eCe87cc3FefDD8e5Z==";
};
On exec of the update script
sh dyn-update.sh 11.22.33.44
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;MYDOMAIN.com. IN SOA
;; UPDATE SECTION:
test.MYDOMAIN.com. 0 ANY ANY
external.test.MYDOMAIN.com. 0 ANY ANY
test.MYDOMAIN.com. 5 IN A 11.22.33.44
external.test.MYDOMAIN.com. 5 IN A 11.22.33.44
test.MYDOMAIN.com. 5 IN TXT "Updated on Tue May 26 08:25:40 PDT 2015"
external.test.MYDOMAIN.com. 5 IN TXT "Updated on Tue May 26 08:25:40 PDT 2015"
update failed: REFUSED
server reload successful
The update is "REFUSED". With logging configured at debug verbosity
...
logging {
...
channel loglevel_debug {
syslog; print-category yes; print-severity yes; print-time yes;
severity debug;
};
...
category update-security { loglevel_debug; };
...
logs show only
May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: info: client ::1#56064/key test-key: view internal: signer "test-key" denied
May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: error: client ::1#56064/key test-key: view internal: update 'MYDOMAIN.com/IN' denied
Why is that update being denied? Likely I've misconfigured ... but what?
More information about the bind-users mailing list
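Added illustration (example code written for this page, not BIND's source and not the poster's script) of the two checks named applies to the posted transaction: first the view is chosen by match-clients, in named.conf order, then every RR in the UPDATE section is checked against that view's update-policy, and the whole message is REFUSED if any single RR is not covered by a grant. The ACL names, views, grants and update records are copied from the posted config and nsupdate output; the builtin "localhost" ACL is simplified to 127.0.0.1 and ::1, the redacted 2001:xxx:xxxx:xxx::/64 prefix is replaced by the documentation prefix 2001:db8::/64, and only the "name" and "zonesub" rule types appearing on the page are modelled (all three are assumptions).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACLs from the posted named.conf.  "localhost" is a simplification of
# BIND's builtin ACL, and 2001:db8::/64 stands in for the redacted
# 2001:xxx:xxxx:xxx::/64 (both assumptions).
ACLS = {
    "localhost": ["127.0.0.1/32", "::1/128"],
    "presgrp_internal": ["localhost", "10.1.1.0/24", "2001:db8::/64"],
    "any": ["0.0.0.0/0", "::/0"],
}

# match-clients of the two views, in named.conf order.
VIEWS = [
    ("internal", ["key test-key", "presgrp_internal"]),
    ("external", ["key test-key", "any"]),
]


def acl_matches(acl_name: str, client_ip: str) -> bool:
    """True if client_ip is inside the named ACL (nested ACL names allowed)."""
    ip = ipaddress.ip_address(client_ip)
    for entry in ACLS[acl_name]:
        if entry in ACLS:
            if acl_matches(entry, client_ip):
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):  # v4/v6 mismatch is False
            return True
    return False


def select_view(client_ip: str, key_name: Optional[str]) -> Optional[str]:
    """First view whose match-clients matches the source address or TSIG key wins."""
    for view_name, match_clients in VIEWS:
        for entry in match_clients:
            if entry.startswith("key "):
                if key_name == entry[len("key "):]:
                    return view_name
            elif acl_matches(entry, client_ip):
                return view_name
    return None


@dataclass(frozen=True)
class Grant:
    key: str
    rule: str                          # "name" or "zonesub", the rule types on the page
    target: Optional[str] = None       # owner name for a "name" rule
    types: Optional[frozenset] = None  # None stands for ANY


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def grant_permits(g: Grant, signer: str, zone: str, owner: str, rtype: str) -> bool:
    """Does this single grant cover an update to (owner, rtype) signed by signer?"""
    if g.key != signer:
        return False
    if g.rule == "name":
        if _norm(owner) != _norm(g.target):
            return False
    elif g.rule == "zonesub":
        o, z = _norm(owner), _norm(zone)
        if not (o == z or o.endswith("." + z)):
            return False
    else:
        raise ValueError(f"unsupported rule type {g.rule!r}")
    return g.types is None or rtype in g.types


def check_update(policy, signer: str, zone: str, updates):
    """All-or-nothing: the first RR that no grant covers refuses the whole
    message, which is what 'signer "<key>" denied' reports."""
    for owner, rtype in updates:
        if not any(grant_permits(g, signer, zone, owner, rtype) for g in policy):
            return False, (owner, rtype)
    return True, None


ZONE = "MYDOMAIN.com"
POLICY = {
    "internal": [Grant("brahms-rndc-key", "zonesub"),
                 Grant("test-key", "name", "external.test.MYDOMAIN.com")],
    "external": [Grant("test-key", "name", "test.MYDOMAIN.com"),
                 Grant("test-key", "name", "external.test.MYDOMAIN.com")],
}
# The UPDATE section exactly as nsupdate printed it: (owner, type).
# "ANY" is the delete-all-records-at-name from 'update delete ... ANY'.
UPDATE = [("test.MYDOMAIN.com.", "ANY"), ("external.test.MYDOMAIN.com.", "ANY"),
          ("test.MYDOMAIN.com.", "A"), ("external.test.MYDOMAIN.com.", "A"),
          ("test.MYDOMAIN.com.", "TXT"), ("external.test.MYDOMAIN.com.", "TXT")]


def simulate(client_ip="::1", signer="test-key", updates=UPDATE):
    """Returns (view, allowed, first_denied_rr) for a signed update from client_ip."""
    view = select_view(client_ip, signer)
    allowed, denied = check_update(POLICY[view], signer, ZONE, updates)
    return view, allowed, denied


if __name__ == "__main__":
    print(simulate())  # the posted transaction from ::1 signed with test-key
    print(simulate(updates=[("external.test.MYDOMAIN.com.", "A")]))
```

Run as posted, the transaction from ::1 signed with test-key is routed to "internal" (both the key entry and the localhost member of presgrp_internal match it, and that view is listed first), and the internal policy grants test-key only external.test.MYDOMAIN.com, so the first RR for test.MYDOMAIN.com is the one no grant covers and the entire message is refused. The same six RRs pass the external view's policy, and an update trimmed to external.test.MYDOMAIN.com passes the internal one; selection order and all-or-nothing evaluation are the two points the simulation makes visible.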