nsupdate reject

Tony Finch dot at dotat.at
Wed May 22 16:08:42 UTC 2019


@lbutlr <kremels at kreme.com> wrote:
>
> If I remove "update-policy local; " the nsupdate works, but it seems
> like it should have worked with the update-policy since I was in fact
> local to the bind server.

The "local" keyword enables server-side support for `nsupdate -l`, which
makes dynamic updates really easy to use because you don't have to worry
about TSIG keys. (My production primary server pushes zone changes using
roughly `nsdiff | nsupdate -l`.)

But `update-policy local` actually means something kind of complicated and
subtle and what it means changed a bit last year to address some odd edge
cases (https://kb.isc.org/docs/aa-01599). I still need to delete some
config complication that was a result of this: my primary server zone
clauses have:

	allow-update { !{ !localhost; any; }; key local-ddns; };

which is an alternative spelling of `update-policy local` that's slightly
safer than the pre-2018 meaning.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: West or southwest 3 or
4, becoming variable 2 or 3 for a time. Smooth or slight becoming moderate in
far west. Fog patches overnight. Moderate or good, occasionally very poor
overnight.
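An added example (not Tony's code and not part of BIND) that models how named evaluates that allow-update list, so the nested negation can be checked case by case: the first matching element wins, a negated match denies, no match at all denies, and a negative match inside a nested list counts as no match for the element enclosing it. The built-in localhost and any ACLs and the key name local-ddns are modelled as they appear in the clause above; the client addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# An address_match_list is an ordered list of (negated, kind, value) elements.
# kind is "net" (a CIDR string), "key" (a TSIG key name) or "list" (a nested
# address_match_list, which is also how the built-in ACLs are modelled here).
LOCALHOST = [(False, "net", "127.0.0.0/8"), (False, "net", "::1/128")]
ANY = [(False, "net", "0.0.0.0/0"), (False, "net", "::/0")]


def element_matches(kind, value, addr, signer):
    if kind == "net":
        return addr in ip_network(value)  # v4/v6 mismatch is simply False
    if kind == "key":
        return signer == value
    if kind == "list":
        # Only a positive match of a nested list counts for the enclosing
        # element; a negative match inside it is treated as "no match".
        return match_list(value, addr, signer) > 0
    raise ValueError(kind)


def match_list(acl, addr, signer):
    """First matching element wins: +1 allow, -1 deny (negated), 0 no match."""
    for negated, kind, value in acl:
        if element_matches(kind, value, addr, signer):
            return -1 if negated else 1
    return 0


def update_allowed(acl, addr, signer=None):
    """allow-update grants access only on a positive match; no match is a deny."""
    return match_list(acl, ip_address(addr), signer) > 0


# allow-update { !{ !localhost; any; }; key local-ddns; };  (the clause above)
AND_ACL = [
    (True, "list", [(True, "list", LOCALHOST), (False, "list", ANY)]),
    (False, "key", "local-ddns"),
]
# allow-update { localhost; key local-ddns; };  (naive form: localhost OR key)
OR_ACL = [(False, "list", LOCALHOST), (False, "key", "local-ddns")]

if __name__ == "__main__":
    for addr, signer in [("127.0.0.1", "local-ddns"), ("127.0.0.1", None),
                         ("192.0.2.10", "local-ddns"), ("::1", "local-ddns")]:
        print(addr, signer, "AND:", update_allowed(AND_ACL, addr, signer),
              "OR:", update_allowed(OR_ACL, addr, signer))
```

The nested form only admits updates that are both from a loopback address and signed with local-ddns, whereas the flat list admits either condition on its own.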