Currently we have (for our Master zone) a list of IPs that can update our DNS master using the allow-update statement:

    zone "redacted.ac.nz" {
        type master;
        allow-update {
            ::1;
            127.0.0.1;
            131.123.103.2;
            131.123.88.3;
            ...
        }

We are wanting to transition to the more modern update-policy statement (because we want to make use of keys), but as a transition step we would like our existing whitelisted IPs to be included. We have tried the following:

    zone "redacted.ac.nz" {
        type master;
        update-policy {
            grant ::1 zonesub ANY;
            grant 127.0.0.1 zonesub ANY;
            grant 131.123.103.2 zonesub ANY;
            grant 131.123.88.3 zonesub ANY;
            ...
        }
    }

But all operations from the whitelisted IPs result in the following:

    update 'assey.ac.nz/IN' denied

If we roll back to the "allow-update" statement block, everything starts working again.

Could someone please advise whether update-policy allows IPs (there are some sources on the net that suggest it should be able to accept IPs and/or FQDN addresses - for example http://pig.made-it.com/ddns.html)?

If the statement does allow it, how can we go about troubleshooting? We have already tried starting named in the foreground with -d 10, but don't get anything useful (just update 'assey.ac.nz/IN' denied).

With Thanks in Advance
Patrick
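
An added check, not part of the original message or of BIND: for rule types such as zonesub, named compares the identity field of an update-policy rule with the name of the TSIG or SIG(0) key that signed the update, not with the client's source address, so an IP literal in that position will not match an unsigned update. The script below flags such rules; the sample configuration and the key name ddns-key.example. are constructed.

```python
import ipaddress
import re

# Constructed sample modelled on the zone block quoted in the message above.
SAMPLE_CONF = '''
zone "redacted.ac.nz" {
    type master;
    update-policy {
        grant ::1 zonesub ANY;
        grant 127.0.0.1 zonesub ANY;
        grant ddns-key.example. zonesub ANY;  // hypothetical TSIG key name
    };
};
'''

# action, identity, rule type (the name and types fields are not needed here)
RULE = re.compile(r'\b(grant|deny)\s+(\S+)\s+([\w-]+)')

def strip_comments(text):
    """Remove /* */, // and # comments so they are not parsed as rules."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def policy_blocks(text):
    """Yield the body of each update-policy { ... } block."""
    for m in re.finditer(r'update-policy\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def ip_identities(conf):
    """Return (action, identity, ruletype) for rules whose identity is an IP literal."""
    hits = []
    for body in policy_blocks(strip_comments(conf)):
        for action, identity, ruletype in RULE.findall(body):
            try:
                ipaddress.ip_address(identity.rstrip('.'))
            except ValueError:
                continue  # not an IP literal, so plausibly a key name
            hits.append((action, identity, ruletype))
    return hits

if __name__ == '__main__':
    for action, identity, ruletype in ip_identities(SAMPLE_CONF):
        print(f'{action} {identity} {ruletype}: identity is an IP address, not a key name')
```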