Ruben,

Thanks again for the help. "allow-2136-from=" seems to clear the ACLs, and key-only auth works great.

In case anyone is interested, nsupdate works with either a bind-style key config file (the -k option) or a key section in the nsupdate input to powerdns. One difference seems to be that bind accepts updates without the zone section. Powerdns refuses updates without it. I don't mind the requirement. The spec has an RRset requirement but is vague on whether a zone section must be present or not.

-John

On Thu, Feb 21, 2013 at 2:37 AM, Ruben d'Arco <cycl...@prof-x.net> wrote:
> Hi John,
>
> Indeed, you need to enable it. You might want to go into the pdns source
> folder $source/pdns/docs and type 'make'.
> This will create/build the documentation. There's a chapter on rfc2136 :-)
>
> What the docs will tell you is that there is also a global 'allow-2136-from'
> setting that allows you to filter who is able to send updates.
> The default is 0.0.0.0/0 which is everybody, so be aware of that!
> You can also use ALLOW-2136-FROM and/or TSIG-ALLOW-2136 in the domainmetadata
> table.
>
> Happy rfc2136'ing ;-)
>
> Regards,
> Ruben
>
> On Wed, Feb 20, 2013 at 06:36:13PM -0500, John Reuning wrote:
>> Nevermind. 30 seconds after I sent the last email, I realized there
>> may be a config option to turn it on. 30 seconds after that, I found
>> experimental-rfc2136 in the code. nsupdate is very happy now.
>>
>> Thanks,
>>
>> -John
>>
>> On Wed, Feb 20, 2013 at 6:30 PM, John Reuning <j...@ibiblio.org> wrote:
>> > Ruben,
>> >
>> > The rfc2136 branch builds and seems to run with normal functionality.
>> > However, zone changes submitted via nsupdate result in a REFUSED
>> > error. I tried setting loglevel=9 but don't see any debug output.
>> > Does your implementation work with nsupdate?
>> >
>> > Thanks,
>> >
>> > -John

_______________________________________________
Pdns-dev mailing list
Pdns-dev@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-dev
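
Added example (not part of the original thread and not PowerDNS code): a small Python check of the settings discussed above. It reads pdns.conf-style text and reports whether the global allow-2136-from range leaves RFC 2136 updates open to everybody once experimental-rfc2136 is enabled. The simple key=value parsing, the status names and the sample configurations are assumptions made for illustration.

```python
import ipaddress

DEFAULT_ALLOW = "0.0.0.0/0"  # default stated in the thread ("everybody")


def parse_conf(text):
    """Parse simple key=value lines; '#' starts a comment (assumed syntax)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_2136(text):
    """Return (status, ranges) for the global RFC 2136 update ACL."""
    conf = parse_conf(text)
    # Assumption: the switch counts as on unless absent or set to no/off.
    if conf.get("experimental-rfc2136", "no").lower() in ("no", "off"):
        return "disabled", []
    explicit = "allow-2136-from" in conf
    value = conf.get("allow-2136-from", DEFAULT_ALLOW)
    ranges = value.replace(",", " ").split()
    if not ranges:
        # Empty value, as in "allow-2136-from=": no global IP range is set,
        # so any access has to come from per-zone metadata such as
        # ALLOW-2136-FROM / TSIG-ALLOW-2136 (names from the thread).
        return "no-global-range", []
    try:
        nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    except ValueError:
        return "invalid", ranges
    if any(n.prefixlen == 0 for n in nets):  # 0.0.0.0/0 or ::/0
        return ("open-explicit" if explicit else "open-default"), ranges
    return "restricted", ranges


# Constructed sample configurations, not taken from a real server.
SAMPLES = {
    "default": "experimental-rfc2136=yes\n",
    "key_only": "experimental-rfc2136=yes\nallow-2136-from=\n",
    "scoped": "experimental-rfc2136=yes\nallow-2136-from=192.0.2.0/24, 2001:db8::/32 # ops\n",
    "off": "loglevel=9\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_2136(text))
```

A result of "open-default" or "open-explicit" means the global setting does not filter update senders by source address.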