key-restricted nsupdate of internal view's zone's host REFUSED with 'signer "<key>" denied' ?

Mark Andrews marka at isc.org
Tue May 26 21:32:28 UTC 2015


You can't update multiple views with a single update message.  Use
two update commands.  The update is being processed by the first
view and the policy in the internal zone doesn't allow you to update
*every* record you are attempting to update so the whole update is
refused.

Also use two different keys for internal and external.  You currently
can only update the internal view as the key is common to both views
and you are using it in match-clients to select which view is
matched.

match-clients { !key external ; key internal ; ... };

match-clients { !key internal ; key external ; ... };

Mark


In message <1432655713.2057519.278447305.2152C805 at webmail.messagingengine.com>, PGNd writes:
> I run
> 
> 	named -v
> 		BIND 9.10.2
> 
> in split-horizon mode with two views
> 
> 	view "internal" {
> 	view "external" {
> 
> For a single zone
> 
> 	MYDOMAIN.com
> 
> I'm targeting two hostnames in the zone
> 
> 	               test.MYDOMAIN.com
> 	      external.test.MYDOMAIN.com
> 
> for dynamic updates.  At any given time, the A records should return
> 
> 	view=internal:
> 		dig A test.MYDOMAIN.com +short
> 			A.B.C.D
> 		dig A external.test.MYDOMAIN.com +short
> 			10.1.1.14
> 
> 	view=external:
> 		dig A test.MYDOMAIN.com +short
> 			A.B.C.D
> 		dig A external.test.MYDOMAIN.com +short
> 			A.B.C.D
> 
> I want to dynamically update A.B.C.D, using 'nsupdate'.  I.e., I'll update
> 
> 	internal: external.test.MYDOMAIN.com
> 	external:          test.MYDOMAIN.com
> 	external: external.test.MYDOMAIN.com
> 
> In my dns conf
> 
> 	cat named.conf
> 		...
> 		acl presgrp_internal { localhost; 10.1.1.0/24; 2001:xxx:xxxx:xxx::/64; };
> 		...
> 		view "internal" {
> 		  match-clients { key test-key; presgrp_internal; };
> 		...
> 		  zone "MYDOMAIN.com" {
> 		    type master; file "/namedb/master/internal.MYDOMAIN.com.zone";
> 		    update-policy {
> 		      grant brahms-rndc-key zonesub ANY;
> 		      grant test-key name external.test.MYDOMAIN.com ANY;
> 		    };
> 		  };
> 		...
> 		view "external" {
> 		  match-clients { key test-key; any; };
> 		...
> 		  zone "MYDOMAIN.com" IN {
> 		    type master; file "/namedb/master/MYDOMAIN.com.zone";
> 		    update-policy {
> 		      grant test-key name          test.MYDOMAIN.com ANY;
> 		      grant test-key name external.test.MYDOMAIN.com ANY;
> 		    };
> 		  };
> 		...
> 
> I have an update script 
> 
> 	cat dyn-update.sh
> 		#!/bin/sh
> 		IP=$1
> 
> 		NSUPDATE="/usr/local/bind9/bin/nsupdate"
> 		RNDC="/usr/local/bind9/sbin/rndc"
> 		KEYFILE="/usr/local/etc/named/keys/test.rndc.key"
> 
> 		SERVER="2001:xxx:xxxx:xxx::100"
> 		ZONE="MYDOMAIN.com"
> 		HOST="test"
> 
> 		cat <<EOF | ${NSUPDATE} -k ${KEYFILE} -v
> 		server ${SERVER}
> 		zone ${ZONE}
> 		local ::1
> 		update delete          ${HOST}.${ZONE}. ANY
> 		update delete external.${HOST}.${ZONE}. ANY
> 		update add             ${HOST}.${ZONE}. 5 A ${IP}
> 		update add    external.${HOST}.${ZONE}. 5 A ${IP}
> 		update add             ${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
> 		update add    external.${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
> 		show
> 		send
> 		EOF
> 
> 		${RNDC} reload
> 
> where
> 
> 	cat /usr/local/etc/named/keys/test.rndc.key
> 		key "test-key" {
> 		  algorithm hmac-md5;
> 		  secret "gcNd3eCe87cc3FefDD8e5Z==";
> 		};
> 
> On exec of the update script
> 
> 	sh dyn-update.sh 11.22.33.44
> 		Outgoing update query:
> 		;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> 		;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> 		;; ZONE SECTION:
> 		;MYDOMAIN.com.                 IN      SOA
> 
> 		;; UPDATE SECTION:
> 		test.MYDOMAIN.com. 0       ANY     ANY
> 		external.test.MYDOMAIN.com. 0 ANY  ANY
> 		test.MYDOMAIN.com. 5       IN      A       11.22.33.44
> 		external.test.MYDOMAIN.com. 5 IN   A       11.22.33.44
> 		test.MYDOMAIN.com. 5       IN      TXT     "Updated on Tue May 26 08:25:40 PDT 2015"
> 		external.test.MYDOMAIN.com. 5 IN   TXT     "Updated on Tue May 26 08:25:40 PDT 2015"
> 
> 		update failed: REFUSED
> 		server reload successful
> 
> The update's "REFUSED".  With log config @ debug verbosity
> 
> 	...
> 	logging {
> 	...
> 	  channel loglevel_debug {
> 	    syslog; print-category yes; print-severity yes; print-time yes;
> 	    severity debug;
> 	  };
> 	...
> 	  category update-security { loglevel_debug;   };
> 	...
> 
> logs show only
> 
> 	May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: info: client ::1#56064/key test-key: view internal: signer "test-key" denied
> 	May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: error: client ::1#56064/key test-key: view internal: update 'MYDOMAIN.com/IN' denied
> 
> Why is that update being denied?  Likely I've misconfigured ... but what?
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
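The following script is an added example, not code from the thread or from ISC. It applies Mark's advice: one nsupdate transaction per view, each signed with that view's own key (named "internal" and "external" to match his match-clients lines), and each containing only the names that view's update-policy grants to that key. Before anything is sent, a local check mirrors the grant list, because named refuses the whole message as soon as one record falls outside the grant, which is exactly the "signer denied" failure above. The key file paths, the server address and the key names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): split the dynamic update into one
# nsupdate transaction per view, signed with that view's own key.
# Assumed names/paths: keys "internal" and "external" stored as
# $KEYDIR/<view>.key, and a placeholder server address.

ZONE="MYDOMAIN.com"
HOST="test"
SERVER="${SERVER:-2001:db8::100}"              # placeholder, not the poster's server
NSUPDATE="${NSUPDATE:-nsupdate}"
KEYDIR="${KEYDIR:-/usr/local/etc/named/keys}"  # assumed key directory

# Names each view's update-policy grants to its key, mirroring the
# "grant <key> name <fqdn> ANY" lines: the internal view's key may touch
# only external.test, the external view's key both names.
granted_names() {
  case $1 in
    internal) echo "external.$HOST.$ZONE" ;;
    external) echo "$HOST.$ZONE external.$HOST.$ZONE" ;;
    *) echo "unknown view: $1" >&2; return 1 ;;
  esac
}

# check_allowed VIEW NAME: succeed only if NAME is inside VIEW's grant.
# named applies the policy to every record in the message and refuses the
# whole update on the first miss, so refuse here with a readable reason.
check_allowed() {
  view=$1; name=$2
  for g in $(granted_names "$view"); do
    [ "$name" = "$g" ] && return 0
  done
  echo "refusing: $name is not granted to the $view view's key" >&2
  return 1
}

# build_update VIEW IP NAME...: print the nsupdate batch for one view on
# stdout, or fail without printing anything if a NAME is outside the grant.
build_update() {
  view=$1; ip=$2; shift 2
  for name in "$@"; do
    check_allowed "$view" "$name" || return 1
  done
  printf 'server %s\nzone %s\n' "$SERVER" "$ZONE"
  for name in "$@"; do
    printf 'update delete %s. A\n' "$name"     # replace only the A record
    printf 'update add %s. 5 A %s\n' "$name" "$ip"
  done
  printf 'send\n'
}

# send_update VIEW IP NAME...: sign the batch with VIEW's own key. The key
# is also what match-clients uses to pick the view, so each transaction
# lands in exactly one view.
send_update() {
  view=$1
  build_update "$@" | "$NSUPDATE" -k "$KEYDIR/$view.key"
}

# Usage: sh two-view-update.sh 11.22.33.44
if [ -n "$1" ]; then
  send_update internal "$1" "external.$HOST.$ZONE" &&
  send_update external "$1" "$HOST.$ZONE" "external.$HOST.$ZONE"
fi
```

Run with the new address as the only argument; with no argument the script defines its functions and exits, which is handy for sourcing it in a test. Pairing this with `match-clients { !key external; key internal; ... };` in the internal view and the mirror image in the external view, as Mark shows, is what keeps the external key from ever being matched against the internal zone's policy.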

