Include the update keys in the view selection. 

-- 
Mark Andrews

> On 14 Jul 2020, at 23:06, Per Weisteen <p...@compute-it.no> wrote:
> 
>  Hi
> 
> I've a BIND setup with my ISP with two views, one external and one internal. 
> At the same time I also need to be able to do a dynamic update from some 
> addresses within the internal range. This worked ok before I had to define my 
> two views. 
> 
> I'd be very grateful if someone could suggest what I'm doing wrong. My ISP is 
> running BIND 9.11.4.
> 
> Due to the ISP's need to have control over the BIND setup I'm just allowed to 
> add my config via include files.
> 
>  
> Zones.mydomains.config file contains:
> 
>  
> include "keys/mydomains-keys.conf";
> include "keys/zone1-keys.conf";
> include "keys/zone2-keys.conf";
>  
> acl external { 10.222.33.0/18; 10.222.44.0/18; };
> acl internal { 10.11.0.0/16; 10.12.0.0/16; };
>  
> //////
> // zone1 and zone2 keys used to ensure correct zone transfer from slave
> //////
>  
> view "external-sites" {
>     match-clients { !key zone2.key; key zone1.key; external; };
>  
>     zone "aa.example.net" {
>         type master;
>         file "zones.master/aa-view1.example.net";
>         notify explicit;
>         also-notify { 10.12.143.56 key zone1.key; };
>         update-policy {
>                 grant "ext-update.key." name web.aa.example.net. CNAME;
>         };
>     };
>  
>     include "zones.common.config.view1";
>  
> }; // End view "external-sites"
>  
> view "internal-sites" {
>     match-clients { !key zone1.key; key zone2.key; internal; localhost; };
>  
>     zone "aa.example.net" {
>         type master;
>         file "zones.master/aa-view2.example.net";
>         notify explicit;
>         also-notify { 10.12.143.56 key zone2.key; };
>         update-policy {
>                 grant "int-update.key." name web.aa.example.net. CNAME;
>         };
>     };
>  
>     include "zones.common.config.view2";
>  
> }; // End view "grus-zone2"
>  
>  
>  
> view "default" {
>     match-clients { any; };
>  
>     include "zones.common.config.view2";
>  
> }; // End view "default"
>  
> 
> mydomains-keys.conf file contains:
> 
>  
> 
> key ext-update.key. {
>     algorithm HMAC-SHA512;
>     secret "secret2";
> };
>  
> key int-update.key. {
>     algorithm HMAC-SHA512;
>     secret "secret3";
> };
>  
> 
> Error message in /var/log/named/named.log is :
> 
> 
> 
> 10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 
> 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 
> 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
> 
> 10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 
> 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 
> 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
> 
>  
> 
> 
> 
> -- 
> Best regards,
> Per Weisteen
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
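
Added example, not part of the thread: a small Python model of first-match view selection, showing which view a TSIG-signed update reaches with the quoted match-clients lists and with the update keys included. The key placement in FIXED (including the negated entries) is an assumption, `localhost` is simplified to loopback, and 10.222.40.7 is a constructed client address.

```python
import ipaddress

# ACLs copied from the quoted configuration; strict=False tolerates set host bits.
# "localhost" is simplified to loopback here (assumption for this model).
ACLS = {
    "external": ["10.222.33.0/18", "10.222.44.0/18"],
    "internal": ["10.11.0.0/16", "10.12.0.0/16"],
    "localhost": ["127.0.0.0/8"],
    "any": ["0.0.0.0/0"],
}

def element_matches(element, src, tsig_key):
    """True if one address-match-list element matches the request."""
    if element.startswith("key "):
        return tsig_key == element[4:]
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ACLS[element])

def list_matches(match_clients, src, tsig_key):
    """The first matching element decides; a leading '!' makes that match a reject."""
    for element in match_clients:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), src, tsig_key):
            return not negated
    return False

def select_view(views, src, tsig_key):
    """Views are tried in configuration order; the first that accepts wins."""
    for name, match_clients in views:
        if list_matches(match_clients, src, tsig_key):
            return name
    return None

# match-clients lists as quoted in the original message.
ORIGINAL = [
    ("external-sites", ["!key zone2.key", "key zone1.key", "external"]),
    ("internal-sites", ["!key zone1.key", "key zone2.key", "internal", "localhost"]),
    ("default", ["any"]),
]
# Same views with the update keys in the view selection (assumed placement).
FIXED = [
    ("external-sites", ["!key zone2.key", "!key int-update.key.",
                        "key zone1.key", "key ext-update.key.", "external"]),
    ("internal-sites", ["!key zone1.key", "!key ext-update.key.",
                        "key zone2.key", "key int-update.key.", "internal", "localhost"]),
    ("default", ["any"]),
]
```

In this model an update signed with int-update.key. is selected by address alone under ORIGINAL, so it can land in a view whose update-policy does not grant that key; under FIXED the key itself selects internal-sites.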