Hi,

I have had a DNS server with a dynamic zone that allows updates running for
a fair number of years. However, I discovered yesterday that this setup no
longer works and I cannot see anything in the documentation that indicates
why. Unfortunately, I did not notice when this broke, so it may have been a
while ago. Here's my setup:

Starting with a plain Ubuntu 24.04 server (also tried with 22.04 as well as
24.04 + the ISC PPA) that has static network configuration and
systemd-resolved disabled plus bind9 package installed.

Config:
/etc/bind/named.conf.options:

options {
   directory "/var/cache/bind";
   dnssec-validation no;
   listen-on { any; };
   listen-on-v6 { none; };
};


/etc/bind/named.conf.local:

zone "dyn.example.com" {
     type primary;
     masterfile-format text;
     check-names ignore;
     file "/var/lib/bind/db.dyn.example.com";
     update-policy {
        grant local-ddns zonesub any;
        grant * self . any;
     };
};


/var/lib/bind/db.dyn.example.com:

$ORIGIN .
$TTL 60
dyn.example.com IN SOA 127.0.0.1. admins.example.com. (2024080306 300 300
604800 60)
 NS 127.0.0.1.


Then I run from the command-line (better run this from an empty directory
or else the wild-cards may pick up the wrong files):

dnssec-keygen -a ECDSAP384SHA384 -n host -K . -T KEY test.dyn.example.com
nsupdate -4l <<<$'update add '"$(sed -e 's/ IN / 60 /' ./*.key)"$'\nsend\n'
nsupdate -k *.private <<<$'server 127.0.0.1\nupdate add test.dyn.example.com. 60 IN A 10.200.20.28\nsend\n'


The first command generates a key-pair, the second uses the local session
key to add the public key into the zone and the last one is supposed to use
the newly added key to add an address.
It is the last command that fails with "REFUSED" and I cannot figure out
what's wrong. I'm fairly sure nothing has changed on my end and that this
simplified example is a fair representation of what used to work. In any
case, I believe this example *should* work according to the docs.

Any ideas?

Cheers,
Seb
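An added example (not from the original post, and not ISC's code) that wraps the three steps above in shell functions, replacing the sed/wild-card trick with an explicit parser of the .key file and checking that the KEY record is actually served before the SIG(0)-signed update is attempted. Assumed: the function names `key_to_update`, `classify_nsupdate` and `run_procedure`, the `ZONE`/`NAME`/`TTL` variables, and that dnssec-keygen, nsupdate and dig are on PATH on the server.

```shell
#!/bin/sh
# Added example, not from the original post: the three steps above wrapped in
# functions, with the sed/wild-card trick replaced by an explicit parser and a
# check between steps. Assumes dnssec-keygen, nsupdate and dig are on PATH and
# the zone/key names from the post.
ZONE="dyn.example.com"
NAME="test.${ZONE}"
TTL=60

# key_to_update: turn a dnssec-keygen .key file (owner IN KEY flags proto alg
# base64) into an nsupdate batch, inserting an explicit TTL like the post's sed.
# Comment (';') and blank lines are skipped rather than passed to nsupdate.
key_to_update() {
  awk -v ttl="$TTL" '
    /^;/ || /^[[:space:]]*$/ { next }
    $2 == "IN" && $3 == "KEY" {
      printf "update add %s %s IN KEY %s %s %s %s\n", $1, ttl, $4, $5, $6, $7
      found = 1
    }
    END { if (!found) exit 1; print "send" }
  ' "$1"
}

# classify_nsupdate: reduce nsupdate's output to one status word
# ("REFUSED", "NOTAUTH", ..., "UNREACHABLE" or "OK").
classify_nsupdate() {
  case "$1" in
    *"update failed: "*) echo "${1##*update failed: }" | awk '{ print $1 }' ;;
    *"Communication with"*) echo "UNREACHABLE" ;;
    *) echo "OK" ;;
  esac
}

# run_procedure: keygen, publish the KEY record via the local session key, then
# confirm the record is actually served before trying the SIG(0)-signed update,
# so "KEY not in zone" is not mistaken for "signature refused".
run_procedure() {
  tmp=$(mktemp -d) && cd "$tmp" || return 1
  base=$(dnssec-keygen -a ECDSAP384SHA384 -n host -K . -T KEY "$NAME") || return 1
  key_to_update "$base.key" | nsupdate -4l || return 1
  dig +short @127.0.0.1 KEY "$NAME" | grep -q . || { echo "KEY record not served"; return 1; }
  out=$(printf 'server 127.0.0.1\nupdate add %s %s IN A 10.200.20.28\nsend\n' "$NAME" "$TTL" \
        | nsupdate -k "$base.private" 2>&1)
  echo "SIG(0) update: $(classify_nsupdate "$out")"
}

if [ "${1:-}" = run ]; then run_procedure; fi
```

Pass `run` as the first argument on the server to execute the procedure; without it the script only defines the functions.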

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users