I was obviously especially tired yesterday when I tested this. Anyway, BIND was chroot'd and the user wasn't.
(slaps forehead) Problem solved.

On 30/06/10 6:07 PM, "Kal Feher" <kalman.fe...@melbourneit.com.au> wrote:

> On 30/06/10 5:25 PM, "Alan Clegg" <acl...@isc.org> wrote:
>
>> On 6/30/2010 11:13 AM, Kalman Feher wrote:
>>> While testing bind 9.7.1 features including automated signing and
>>> update-policy local. I encountered some strange behaviour using nsupdate -l.
>>>
>>> When using nsupdate -l I was not able to update the zone in question and the
>>> following error was generated:
>>> update-security: error: client 127.0.0.1#9292: view internal: update
>>> 'star/IN' denied
>>
>>> Any suggestions?
>>
>> Send your named.conf
>
> Named.conf:
>
> acl "xfer" {
>
>     "none";
> };
> acl "trusted" {
>     127.0.0.0/8;
>     ::1/128;
>     10.115.160.0/22;
> };
> options {
>     directory "/var/bind";
>     pid-file "/var/run/named/named.pid";
>     bindkeys-file "/etc/bind/bind.keys";
>     listen-on-v6 { none; };
>     listen-on port 53 { any; };
>     allow-query {
>         trusted;
>     };
>     allow-query-cache {
>         trusted;
>     };
>     allow-transfer {
>         xfer;
>     };
>     dnssec-enable yes;
>
> };
> logging {
>     channel default_log {
>         file "/var/log/named/named.log" versions 5 size 50M;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel query_log {
>         file "/var/log/named/query.log" versions 5 size 100M;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel dnssec_log {
>         file "/var/log/named/dnssec.log" versions 5 size 100M;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel resolver_log {
>         file "/var/log/named/resolver.log" versions 5 size 50M;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     category default { default_log; };
>     category general { default_log; default_syslog; };
>     category queries { query_log; };
>     category dnssec { dnssec_log; };
>     category resolver { resolver_log; };
> };
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys {
>     "rndc-key"; };
> };
> view "internal" in {
>     match-clients { trusted; };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
>
>     zone "." in {
>         type hint;
>         file "/var/bind/root.cache";
>     };
>     zone "localhost" IN {
>         type master;
>         file "pri/localhost.zone";
>         allow-update { none; };
>         notify no;
>         allow-query { any; };
>         allow-transfer { none; };
>     };
>
>     zone "127.in-addr.arpa" IN {
>         type master;
>         file "pri/127.zone";
>         allow-update { none; };
>         notify no;
>         allow-query { any; };
>         allow-transfer { none; };
>     };
>
>     zone "star" IN {
>         type master;
>         auto-dnssec maintain;
>         update-policy local;
>         dnssec-secure-to-insecure no;
>         file "pri/star/star.zone.signed";
>         key-directory "pri/star";
>         notify no;
>         allow-query { any; };
>         allow-transfer { none; };
>     };
>     zone "COM" { type delegation-only; };
>     zone "NET" { type delegation-only; };
> };
>
> view "public" in {
>
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
>
>     zone "." in {
>         type hint;
>         file "/var/bind/root.cache";
>     };
>
> };
> view "chaos" chaos {
>     match-clients { any; };
>     allow-query { none; };
>     zone "." {
>         type hint;
>         file "/dev/null"; };
> };
>
>>
>> AlanC
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users

--
Kal Feher
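
The chroot mismatch named in the resolution above can be checked directly. This is an added example, not part of the original thread. It assumes BIND's documented default `session-keyfile` path, `/var/run/named/session.key` (a build with a different localstatedir will use another path), and the function name and the chroot directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): with "update-policy local", named writes
# a TSIG session key and "nsupdate -l" reads it back from the same pathname.
# A chroot'd named writes it under the chroot; nsupdate run outside does not see it.

# Assumed default session-keyfile path; override with the second argument.
DEFAULT_KEY=/var/run/named/session.key

# session_key_status CHROOT_DIR [KEY_PATH]
# Prints one of: match, missing-in-chroot, missing-outside, mismatch
session_key_status() {
    chroot_dir=${1%/}                # strip one trailing slash; "/" becomes ""
    key_path=${2:-$DEFAULT_KEY}
    inside="$chroot_dir$key_path"    # where a chroot'd named really writes the key
    outside="$key_path"              # where nsupdate -l outside the chroot looks

    if [ ! -f "$inside" ]; then
        echo missing-in-chroot       # named is not running chroot'd here, or has no local policy
    elif [ ! -f "$outside" ]; then
        echo missing-outside         # nsupdate -l finds no key file
    elif cmp -s "$inside" "$outside"; then
        echo match                   # same key material on both sides
    else
        echo mismatch                # stale key outside the chroot
    fi
}

# Stand-alone use: ./check.sh /path/to/chroot [/path/to/session.key]
if [ "$#" -ge 1 ]; then
    session_key_status "$@"
fi
```

Any result other than `match` means `nsupdate -l` outside the chroot is not using the key that named generated; passing the in-chroot key file to `nsupdate -k` is one way to use the right key.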