BIND rejecting key to update a zone

Michał Kępień michal at isc.org
Mon Jun 4 08:58:59 UTC 2018


Hi Mark,

> Jun  1 20:19:34 rpz0 named[30999]: client 127.0.0.1#64585/key
> dns-update: signer "dns-update" denied
> Jun  1 20:19:34 rpz0 named[30999]: client 127.0.0.1#64585/key
> dns-update: update 'test.rpz/IN' denied
> 
> What am I missing here?  

Interesting, you do not seem to be missing anything: this works as
expected for me (i.e. the update is allowed) on a fresh Debian 9 VM.

AFAICT without looking at your entire configuration, in order for both
of the log messages you quoted to be generated, named would need to
recognize the key used for signing the request (otherwise you would get
a BADKEY response), but not allow it to update the relevant zone.
Perhaps a long shot, but is there any chance there are non-ASCII
characters in your configuration file, like some Unicode variant of the
hyphen character (‐, ‑, ‒, etc.)?  If not, could you please bump the
debug level to at least 3, retry, and paste the log messages generated?
Please also feel free to open an issue at https://gitlab.isc.org.

-- 
Best regards,
Michał Kępień
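
The non-ASCII check suggested in the message above can be run mechanically over a configuration file. This is an added example, not part of the original message and not ISC code; the named.conf fragment, its placeholder secret and the function names are constructed for illustration.

```python
import unicodedata

# Constructed named.conf fragment (not from the thread): the key name inside
# allow-update contains U+2011 NON-BREAKING HYPHEN instead of ASCII "-".
SAMPLE_CONF = (
    'key "dns-update" {\n'
    '    algorithm hmac-sha256;\n'
    '    secret "PLACEHOLDER";\n'
    '};\n'
    'zone "test.rpz" {\n'
    '    type master;\n'
    '    file "test.rpz.db";\n'
    '    allow-update { key "dns\u2011update"; };\n'
    '};\n'
)

def find_non_ascii(text):
    """Return (line, column, codepoint, name, kind) for every non-ASCII character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) < 128:
                continue
            cat = unicodedata.category(ch)
            if cat == "Pd":                 # dash punctuation: U+2010, U+2011, U+2012, ...
                kind = "dash lookalike"
            elif cat in ("Cf", "Zs"):       # zero-width characters, no-break space, ...
                kind = "invisible or space lookalike"
            else:
                kind = "other non-ASCII"
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((lineno, col, "U+%04X" % ord(ch), name, kind))
    return findings

def scan_file(path):
    # Decode as UTF-8; undecodable bytes become U+FFFD so they are still reported.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_non_ascii(fh.read())

if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_non_ascii(SAMPLE_CONF)
    for lineno, col, cp, name, kind in hits:
        print("line %d col %d: %s %s (%s)" % (lineno, col, cp, name, kind))
```

Run with the path to the configuration file as the only argument; with no argument it scans the constructed sample.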

