Dynamic update rejected within a view

Per Weisteen perw at compute-it.no
Tue Jul 14 13:05:45 UTC 2020


Hi

I've a BIND setup with my ISP with two views, one external and one 
internal. At the same time I also need to be able to do a dynamic update 
from some addresses within the internal range. This worked ok before I 
had to define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong. My 
ISP is running BIND 9.11.4.

Due to the ISP's need to have control over the BIND setup, I'm just 
allowed to add my config via include files.


Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////
// zone1 and zone2 keys used to ensure correct zone transfer from slave
//////

view "external-sites" {
     match-clients { !key zone2.key; key zone1.key; external; };

     zone "aa.example.net" {
         type master;
         file "zones.master/aa-view1.example.net";
         notify explicit;
         also-notify { 10.12.143.56 key zone1.key; };
         update-policy {
                 grant "ext-update.key." name web.aa.example.net. CNAME;
         };
     };

     include "zones.common.config.view1";
}; // End view "external-sites"

view "internal-sites" {
     match-clients { !key zone1.key; key zone2.key; internal; localhost; };

     zone "aa.example.net" {
         type master;
         file "zones.master/aa-view2.example.net";
         notify explicit;
         also-notify { 10.12.143.56 key zone2.key; };
         update-policy {
                 grant "int-update.key." name web.aa.example.net. CNAME;
         };
     };

     include "zones.common.config.view2";
}; // End view "grus-zone2"

view "default" {
     match-clients { any; };

     include "zones.common.config.view2";
}; // End view "default"

mydomains-keys.conf file contains:

key ext-update.key. {
     algorithm HMAC-SHA512;
     secret "secret2";
};

key int-update.key. {
     algorithm HMAC-SHA512;
     secret "secret3";
};

Error message in /var/log/named/named.log is:

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)


-- 
Best regards,
Per Weisteen
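
Added example (not part of the original post, and not BIND's own code): a small Python model of how the posted match-clients lists select a view from the TSIG key and source address, and how the update-policy grant identity is then compared with the signing key. It assumes the log's arc-zone2.key and grus-zone2 correspond to zone2.key and "internal-sites" in the posted config, models localhost as 127.0.0.1 only, and takes the updated name and type from the grant lines because the log does not show them.

```python
import ipaddress

# Constructed model of the posted named.conf fragment (not BIND code).
ACLS = {
    "external": ["10.222.33.0/18", "10.222.44.0/18"],
    "internal": ["10.11.0.0/16", "10.12.0.0/16"],
    "localhost": ["127.0.0.1/32"],  # simplification of BIND's built-in ACL
}
# (view, match-clients in order, update-policy grant for aa.example.net)
VIEWS = [
    ("external-sites", ["!key zone2.key", "key zone1.key", "external"],
     ("ext-update.key.", "web.aa.example.net.", "CNAME")),
    ("internal-sites", ["!key zone1.key", "key zone2.key", "internal", "localhost"],
     ("int-update.key.", "web.aa.example.net.", "CNAME")),
    ("default", ["any"], None),  # no grant for this zone is shown in the post
]

def norm(name):  # compare names case-insensitively, ignoring the trailing dot
    return name.lower().rstrip(".")

def element_matches(elem, ip, key):
    if elem == "any":
        return True
    if elem.startswith("key "):
        return key is not None and norm(key) == norm(elem[4:])
    return any(ip in ipaddress.ip_network(n, strict=False) for n in ACLS[elem])

def select_view(src, key):
    """First view whose match-clients accepts the client; first element match wins."""
    ip = ipaddress.ip_address(src)
    for view, match_clients, grant in VIEWS:
        for elem in match_clients:
            negated = elem.startswith("!")
            if element_matches(elem.lstrip("!"), ip, key):
                if not negated:
                    return view, grant
                break  # a matching negated element rejects the client for this view
    return None, None

def check_update(src, key, name, rrtype):
    """Return (view, granted): the grant identity must equal the signing key."""
    view, grant = select_view(src, key)
    granted = (grant is not None and key is not None
               and (norm(key), norm(name), rrtype) == (norm(grant[0]), norm(grant[1]), grant[2]))
    return view, granted

if __name__ == "__main__":
    for src, key in [("10.124.15.148", "zone2.key"), ("10.11.5.9", "int-update.key.")]:
        print(src, key, check_update(src, key, "web.aa.example.net.", "CNAME"))
```

In this model an update signed with zone2.key selects the internal view but does not match the grant identity int-update.key., while one signed with int-update.key. from 10.124.15.148 falls through to the "default" view because that address is in neither ACL.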

