Include the update keys in the view selection.

--
Mark Andrews

> On 14 Jul 2020, at 23:06, Per Weisteen <p...@compute-it.no> wrote:
>
> Hi
>
> I've a BIND setup with my ISP with two views, one external and one internal.
> At the same time I also need to be able to do a dynamic update from some
> addresses within the internal range. This worked ok before I had to define my
> two views.
>
> I'd be very grateful if someone could suggest what I'm doing wrong. My ISP is
> running BIND 9.11.4.
>
> Due to the ISP's need to have control over the BIND setup I'm just allowed to
> add my config via include files.
>
>
> Zones.mydomains.config file contains:
>
>
> include "keys/mydomains-keys.conf";
> include "keys/zone1-keys.conf";
> include "keys/zone2-keys.conf";
>
> acl external { 10.222.33.0/18; 10.222.44.0/18; };
> acl internal { 10.11.0.0/16; 10.12.0.0/16; };
>
> //////
> // zone1 and zone2 keys used to ensure correct zone transfer from slave
> //////
>
> view "external-sites" {
>     match-clients { !key zone2.key; key zone1.key; external; };
>
>     zone "aa.example.net" {
>         type master;
>         file "zones.master/aa-view1.example.net";
>         notify explicit;
>         also-notify { 10.12.143.56 key zone1.key; };
>         update-policy {
>             grant "ext-update.key." name web.aa.example.net. CNAME;
>         };
>     };
>
>     include "zones.common.config.view1";
>
> }; // End view "external-sites"
>
> view "internal-sites" {
>     match-clients { !key zone1.key; key zone2.key; internal; localhost; };
>
>     zone "aa.example.net" {
>         type master;
>         file "zones.master/aa-view2.example.net";
>         notify explicit;
>         also-notify { 10.12.143.56 key zone2.key; };
>         update-policy {
>             grant "int-update.key." name web.aa.example.net. CNAME;
>         };
>     };
>
>     include "zones.common.config.view2";
>
> }; // End view "grus-zone2"
>
>
>
> view "default" {
>     match-clients { any; };
>
>     include "zones.common.config.view2";
>
> }; // End view "default"
>
>
> mydomains-keys.conf file contains :
>
>
>
> key ext-update.key. {
>     algorithm HMAC-SHA512;
>     secret "secret2";
> };
>
> key int-update.key. {
>     algorithm HMAC-SHA512;
>     secret "secret3";
> };
>
>
> Error message in /var/log/named/named.log is :
>
>
>
> 10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30
> 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
> 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
>
> 10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30
> 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
> 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
>
>
> --
> Best regards,
> Per Weisteen
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users