Hi,

On Thu, Feb 21, 2013 at 10:05:11AM -0500, John Reuning wrote:
> Thanks again for the help. "allow-2136-from=" seems to clear the
> ACLs, and key-only auth works great.

Can you share your configuration? If I do 'allow-2136-from=' in my
configuration without entries in domainmetadata, all I get is refused and
that is actually how I intended it to be :-)

> In case anyone is interested, nsupdate works with either a bind-style
> key config file (the -k option) or a key section in the nsupdate input
> to powerdns. One difference seems to be that bind accepts updates
> without the zone section. Powerdns refuses updates without it. I
> don't mind the requirement. The spec has an RRset requirement but is
> vague on whether a zone section must be present or not.

Interesting. Which version of bind/nsupdate are you using?
Leaving the 'zone' out on my end works fine:

[17:04:51] cyclops@prof-x:~/dev/powerdns$ nsupdate <<!
server 127.0.0.3 5300
update add pietje.test.dyndns 600 A 1.1.1.1
send
answer
!
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 63844
;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;test.dyndns. IN SOA

Regards,

Ruben

> -John
>
> On Thu, Feb 21, 2013 at 2:37 AM, Ruben d'Arco <cycl...@prof-x.net> wrote:
> > Hi John,
> >
> > Indeed, you need to enable it. You might want to go into the pdns source
> > folder $source/pdns/docs and type 'make'.
> > This will create/build the documentation. There's a chapter on rfc2136 :-)
> >
> > What the docs will tell you is that there is also a global
> > 'allow-2136-from' setting that allows you to filter who is able to send
> > updates.
> > The default is 0.0.0.0/0 which is everybody, so be aware of that!
> > You can also use ALLOW-2136-FROM and/or TSIG-ALLOW-2136 in the
> > domainmetadata table.
> >
> > Happy rfc2136'ing ;-)
> >
> > Regards,
> >
> > Ruben
> >
> > On Wed, Feb 20, 2013 at 06:36:13PM -0500, John Reuning wrote:
> >> Never mind. 30 seconds after I sent the last email, I realized there
> >> may be a config option to turn it on. 30 seconds after that, I found
> >> experimental-rfc2136 in the code. nsupdate is very happy now.
> >>
> >> Thanks,
> >>
> >> -John
> >>
> >> On Wed, Feb 20, 2013 at 6:30 PM, John Reuning <j...@ibiblio.org> wrote:
> >> > Ruben,
> >> >
> >> > The rfc2136 branch builds and seems to run with normal functionality.
> >> > However, zone changes submitted via nsupdate result in a REFUSED
> >> > error. I tried setting loglevel=9 but don't see any debug output.
> >> > Does your implementation work with nsupdate?
> >> >
> >> > Thanks,
> >> >
> >> > -John

_______________________________________________
Pdns-dev mailing list
Pdns-dev@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-dev
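
An added example, not part of the thread and not PowerDNS code: a small audit of the settings discussed above that lists zones where update support is on, the IP ACL admits every address, and no TSIG-ALLOW-2136 entry exists. The zone list, the (zone, kind, content) row layout, the enable check, and the way the global and per-zone lists are combined are assumptions made for this sketch.

```python
import ipaddress

DEFAULT_ALLOW = "0.0.0.0/0"  # default the thread gives for allow-2136-from

def parse_conf(text):
    """Parse key=value lines (pdns.conf style, '#' comments) into a dict."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def networks(value):
    """Turn a comma- or space-separated list of ranges into network objects."""
    return [ipaddress.ip_network(p, strict=False)
            for p in value.replace(",", " ").split()]

def audit(conf_text, zones, metadata):
    """Return {zone: reason} for zones open to unsigned updates from anywhere.

    metadata holds (zone, kind, content) rows as kept in domainmetadata.
    """
    conf = parse_conf(conf_text)
    # Assumption: any value other than no/off switches update support on.
    if conf.get("experimental-rfc2136", "no") in ("no", "off"):
        return {}
    global_nets = networks(conf.get("allow-2136-from", DEFAULT_ALLOW))
    findings = {}
    for zone in zones:
        rows = [(k, c) for z, k, c in metadata if z == zone]
        nets = global_nets + [n for k, c in rows if k == "ALLOW-2136-FROM"
                              for n in networks(c)]
        has_key = any(k == "TSIG-ALLOW-2136" for k, _ in rows)
        # Assumption: a /0 range in either list admits every sender.
        if any(n.prefixlen == 0 for n in nets) and not has_key:
            findings[zone] = "any address may update, no TSIG key required"
    return findings

# Constructed sample input, not taken from the thread.
SAMPLE_CONF = "experimental-rfc2136=yes\n# allow-2136-from left at its default\n"
SAMPLE_ZONES = ["test.dyndns", "keyed.example"]
SAMPLE_ROWS = [("keyed.example", "TSIG-ALLOW-2136", "update-key")]

if __name__ == "__main__":
    for zone, reason in audit(SAMPLE_CONF, SAMPLE_ZONES, SAMPLE_ROWS).items():
        print(f"{zone}: {reason}")
```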