Hi all,
I'm trying to debug some dynamic update zones (using SIG0 keys) after a
BIND version upgrade, and I'm hoping someone on this list can give advice
on potential root cause or at least suggestions on how to debug ...
The instance has been working perfectly through upgrades until at least
BIND9.18.26, however after upgrading to BIND9.18.33, dynamic updates
from clients using SIG0 KEYS now seem to consistently fail.
The update-policy definition has reliably worked for many previous
versions and updates until now.
Example zone definition from named.conf:
zone "zenr.io" IN {
    type master;
    file "dynamic/zenr.io/named.zenr.io";
    key-directory "dynamic/zenr.io";
    // auto-dnssec maintain;
    dnssec-policy "default";
    allow-transfer { 138.201.89.108; 2a01:4f8:c17:3dd5::1; };
    update-policy {
        grant "zenr.io" name zenr.io. ANY;
        grant "zenr.io" subdomain zenr.io. ANY;
        grant * selfsub . ANY;
    };
};
All updates attempted from invoking a previously functional keypair seem
to now
$ dig vortex.zenr.io +short KEY
512 3 15 2MK3KZkUgYQVumU9bhy1KzIZ2FhFQZ8yLP2nFMJRCEQ=
$ cat Kvortex.zenr.io.+015+56161.key
vortex.zenr.io. IN KEY 512 3 15 2MK3KZkUgYQVumU9bhy1KzIZ2FhFQZ8yLP2nFMJRCEQ=
$ nsupdate -k Kvortex.zenr.io.+015+56161 -L 10
01-Sep-2025 07:20:59.381 dns_requestmgr_create
01-Sep-2025 07:20:59.381 dns_requestmgr_create: 0x7fdf4a4acc40
> server ns1.free2air.org
> zone zenr.io
> update add zenr.io 600 TXT "testing dynamic updates"
> send
update failed: REFUSED
Any information on configuration changes that may be required to restore
functionality or info on potential root causes or further diagnostic
hints would be greatly appreciated.
Thanks & Regards,
Adam.