Re: nsupdate TSIG error?

2022-02-24 Thread @lbutlr
On 2022 Feb 24, at 14:19, @lbutlr wrote: > I am invoking nsupdate with Oh, never mind. Major Brain Fart. -- "Everyone has a photographic Memory, some just don't have film." ~Steven Wright

Re: nsupdate -g always uses master from SOA to form SPN

2021-08-26 Thread Chris Buxton
Use of a hidden primary makes some sense for external (public) DNS, but IMO not for situations where you would want to use GSS-TSIG. So while I would consider this a bug, I don’t think it will be tripped often. BIND does support multiple SPNs on a single server, but you have to change how you

Re: nsupdate and zone files, was Re: Using RNDC to control remote access to my BIND server

2021-04-25 Thread Tony Finch
Paul Kosinski via bind-users wrote: > A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP) > IP address for my very simple domain. It worked, except that it totally > messed up the organization of the zone file. Since the file only has 44 > active lines (which are organized

Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Brett Delmage
On Wed, 29 Jul 2020, Mark Andrews wrote: Make sure you are using the CORRECT name in the dig query. You used ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca. Thanks Mark... so tired I didn't see that when staring at it. (Blame grass allergies and terrible heat lately.) Also you

Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Mark Andrews
Make sure you are using the CORRECT name in the dig query. You used ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca. Also you can delete and add in the same UPDATE operation. Remove the first “send” in nsupdate.script. Also ottawatch.ca has DS records but the zone is not signed. You

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
Done: https://gitlab.isc.org/isc-projects/bind9/-/issues/1907 Thanks. > On Jun 1, 2020, at 7:08 AM, Ondřej Surý wrote: > > I think it’s reasonable for nsupdate to do the chunking on itself. Patches > are always welcome, but if you

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
> On Jun 1, 2020, at 6:50 AM, Andreas S. Kerber wrote: > > Yeah, I had troubles with those 2048 bit DKIM records too. nsupdate will need > it like this: > > server X.X.X.X > zone ag-trek.de > update add test.ag-trek.de. 86400 IN TXT "v=DKIM1; >

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread Ondřej Surý
I think it’s reasonable for nsupdate to do the chunking on itself. Patches are always welcome, but if you can start by creating an issue for us, it would be very much welcome. I can’t offer you any timeframe, but at least it won’t get lost. Ondrej -- Ondřej Surý ond...@isc.org > On 1 Jun 2020, at

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread Andreas S. Kerber
On Mon, Jun 01, 2020 at 04:11:43AM -0400, vom513 wrote: > Can anyone point me to an example of how to do this ? I have a script that > rotates my DKIM keys, and uses nsupdate to publish. With 1024 bit - I must > be getting by by the skin of my teeth… > > When I try 2048 bit, the record is

Re: nsupdate: using "wildcard" TTL when removing specific record

2020-06-01 Thread Mark Andrews
TTL is ignored on delete if it is present. It is set to 0 when sending. 2.5.4 - Delete An RR From An RRset RRs to be deleted are added to the Update Section. The NAME, TYPE, RDLENGTH and RDATA must match the RR being deleted. TTL must be specified as zero (0) and will otherwise be

Re: Nsupdate and TTL

2020-04-23 Thread Tony Finch
Mark Andrews wrote: > > On 23 Apr 2020, at 07:20, Evan Hunt wrote: > > > > As far as I can recall, the only way to change a TTL in nsupdate is to > > delete the whole RRset and then add it back in the same transaction: There's actually a standard shortcut for TTL changes which is a consequence

Re: Nsupdate and TTL

2020-04-23 Thread Mark Andrews
> On 23 Apr 2020, at 17:31, Petr Bena wrote: > > Hello, > > From my experience you don't need to delete whole set, I was actually doing > this quite recently and discovered an interesting behavior of BIND server - > last record you add will override the TTL value for a set. > > So if you

Re: Nsupdate and TTL

2020-04-23 Thread Petr Bena
Hello, From my experience you don't need to delete whole set, I was actually doing this quite recently and discovered an interesting behavior of BIND server - last record you add will override the TTL value for a set. So if you add another NS record to a zone, all existing NS records will

Re: Nsupdate and TTL

2020-04-22 Thread Mark Andrews
> On 23 Apr 2020, at 07:20, Evan Hunt wrote: > > On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote: >> # nsupdate -k /path/to/key >>> zone example.com >>> ttl 3600 >>> send >>> ^d >> >> No errors, but no change in the TTL. > > "ttl 3600" just means "from now on assume I

Re: Nsupdate and TTL

2020-04-22 Thread Evan Hunt
On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote: > # nsupdate -k /path/to/key > > zone example.com > > ttl 3600 > > send > > ^d > > No errors, but no change in the TTL. "ttl 3600" just means "from now on assume I mean ttl 3600 in all the records I send". You didn't

Re: nsupdate with response-policy zone

2019-11-20 Thread mail-list-users
Thank you very much, this did the trick. Have a nice day!

Re: nsupdate with response-policy zone

2019-11-20 Thread Tony Finch
mail-list-us...@materna.de wrote: > > server 127.0.0.1 > debug no > zone testoverride > update add zzz.google.de 604800 A 127.0.0.1 > send The problem is that nsupdate needs fully-qualified domain names - you can't omit the zone name like you can in zone files. So your script needs to be zone

Re: nsupdate reject

2019-05-22 Thread Tony Finch
@lbutlr wrote: > > If I remove "update-policy local; " the nsupdate works, but it seems > like it should have worked with the update-policy since I was in fact > local to the bind server. The "local" keyword enables server-side support for `nsupdate -l`, which makes dynamic updates really easy

Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 20 May 2019, at 20:45, @lbutlr wrote: > > On 20 May 2019, at 16:21, Noel Butler wrote: >> allow-update { key "keyname"; }; > > Ah, no I did not. The instructions I found, as I mentioned in a later post, > were to add grant ddns-key. Is this a change in 9.14, because I did not have

Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 20 May 2019, at 16:21, Noel Butler wrote: >allow-update { key "keyname"; }; Ah, no I did not. The instructions I found, as I mentioned in a later post, were to add grant ddns-key. Is this a change in 9.14, because I did not have to do this in 9.12? > and nsLOOKUP ? Just a thinko.

Re: nsupdate reject

2019-05-20 Thread Noel Butler
Did you allow for it under the zone? Adding a key as such will not give you global operations zone foo { ... allow-update { key "keyname"; }; ... } and nsLOOKUP ? It's either too early in the morning here and I'm misreading what you're doing, or you should be

Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 19 May 2019, at 18:27, @lbutlr wrote: > This is the same key block that is in named.conf. I am launching NSLOOKUP > with -k admin.key, but when I try to make a change and then "send", I get > "update failed: REFUSED." I found a page that recommended adding a ddns-key and then adding "grant

RE: nsupdate reject

2019-05-20 Thread Bob McDonald
The most obvious thing is to look at the zone and see if that key is included in an allow-update statement for the zone. Bob

Re: nsupdate with RPZ

2018-05-23 Thread Blason R
Well, thanks for the update. Later I managed to resolve it but issue is; since this is RPZ a zone and RR are different hence I don't think nsupdate would solve my purpose here? Like zone test.update while RR is block.this.domain CNAME wg.test.update. Please correct me if I am wrong. On Wed,

Re: nsupdate with RPZ

2018-05-23 Thread Chris Buxton
On May 22, 2018, at 7:35 PM, Blason R wrote: > Wondering if anyone have a working How-To guide for implementing nsupdate > with RPZ? I mean do we need to configure any specific settings in zone of > Options? A response policy zone is a zone like any other. You would

Re: Nsupdate usage scenario

2016-05-04 Thread Alan Clegg
On 5/4/16, 4:27 PM, "/dev/rob0" wrote: >My personal recommendation: get over the idea of looking at zone >files; use "dig axfr example.com. | less". Let named manage and >serve the DNS data as it will. Comments can be included as

Re: Nsupdate usage scenario

2016-05-04 Thread /dev/rob0
On Wed, May 04, 2016 at 03:17:38PM -0400, Paul Kosinski wrote: > Interesting idea -- it never occurred to me that I could have > separate zone files for sub-domains. Every zone is a subzone of its parent zone. > So, if I had a tiny zone file for "dynamic.example.com" alone, and > a bigger zone

Re: Nsupdate usage scenario

2016-05-04 Thread Paul Kosinski
Interesting idea -- it never occurred to me that I could have separate zone files for sub-domains. So, if I had a tiny zone file for "dynamic.example.com" alone, and a bigger zone file for all the other stuff for "example.com", could I be *sure* that nsupdate would *only* modify the tiny file,

Re: Nsupdate usage scenario

2016-05-03 Thread Tony Finch
Paul Kosinski wrote: > Except for this single dynamic IP address, the zone file is maintained > by hand with a text editor, so rearranging it into an arbitrary order > would make hand maintenance much more difficult. > > If there is a way to have nsupdate preserve the original

Re: Nsupdate usage scenario

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 16:38, wrote: > > > On Mon, May 2, 2016, at 12:15 PM, Jeremy C. Reed wrote: > > What about using a specific zone file just for the purpose of the single > > A record you want to maintain using dynamic updates? > > Well, this is a timely idea for another

Re: Nsupdate usage scenario

2016-05-02 Thread jasonsu
On Mon, May 2, 2016, at 12:15 PM, Jeremy C. Reed wrote: > What about using a specific zone file just for the purpose of the single > A record you want to maintain using dynamic updates? Well, this is a timely idea for another issue I've been working on ... Could you expand on this a bit?

Re: Nsupdate usage scenario

2016-05-02 Thread Jeremy C. Reed
Also for the generated master file, have a look at "masterfile-style full;" option. Have a look at the named-compilezone -j with -s full or -s relative so you can compare outputs.

Re: Nsupdate usage scenario

2016-05-02 Thread Jeremy C. Reed
What about using a specific zone file just for the purpose of the single A record you want to maintain using dynamic updates?

RE: nsupdate and views

2015-03-18 Thread Darcy Kevin (FCA)
If you can't arrange for the source address of the nsupdate to fall within the match-clients of the view, you can always put a TSIG key in the match-clients for the view, and then sign the update with that key. -

Re: nsupdate and views

2015-03-17 Thread David Covey
Subject: Re: nsupdate and views Date: Wed, 18 Mar 2015 14:01:28 +1100 Use different TSIG keys to direct the UPDATE request to the correct view. In message 5508dd86.kc1mmon8e03wtkto%david.co...@gi.alaska.edu, David Covey writes: Hello all, I don't quite see how to dynamically

Re: nsupdate and views

2015-03-17 Thread Mark Andrews
Use different TSIG keys to direct the UPDATE request to the correct view. In message 5508dd86.kc1mmon8e03wtkto%david.co...@gi.alaska.edu, David Covey writes: Hello all, I don't quite see how to dynamically manage multiple views of a zone. Specifically I have a zone name with both

Re: nsupdate, semicolon, backslash

2014-09-13 Thread Mark Andrews
In message 5413d5d9.3000...@yahoo.fr, Giuseppe writes: Hello Mark, If I understood, it's a normal behaviour to find backslash in TEXT data. More that it is escaped. double quote and back slash must be escaped. semicolon needs to be escaped if the string isn't quoted. In my case, I

Re: nsupdate, semicolon, backslash

2014-09-12 Thread Mark Andrews
In message 54130f2a.9040...@yahoo.fr, Giuseppe writes: Hello, I work with nsupdate for update our domains zones. And I have problem with semicolon in TXT record type. A small example: nsupdate -v update add test1.com 400 TXT hello*;* update add test2.com 400 TXT hello*\;*

Re: nsupdate, semicolon, backslash

2014-09-12 Thread Giuseppe
Hello Mark, If I understood, it's a normal behaviour to find backslash in TEXT data. In my case, I implement DKIM DNS and in master files I have: ;; ANSWER SECTION: google._domainkey.test.com. 1800 IN TXT v=DKIM1\; k=rsa\; p=MIGfMA At this time, it is not working. And I was thinking that

Re: nsupdate for default TTL

2012-12-26 Thread Carsten Strotmann
Hello Feng He, Feng He fen...@nsbeta.info writes: Is there a way to dynamic update the zone's default TTL by nsupdate? A default TTL (example $TTL 3600) is a property of a zone file on disk, it is a control statement read by the BIND name server when loading the zone file. The default TTL is

Re: nsupdate for default TTL

2012-12-26 Thread Feng He
On 2012-12-26 22:12, Carsten Strotmann wrote: Because there is no concept of a default TTL in a loaded zone, you can only change the dedicated TTLs on each individual resource record using the nsupdate tool. Thanks Carsten. Happy new year!

Re: nsupdate fails on CNAME but A and PTR goes through

2012-05-17 Thread Jan-Piet Mens
server 127.0.0.1 zone ccnr.biotechnology. update add second 86400 in cname first send update failed: NOTZONE Have you tried specifying qualified names? update add second.ccnr.biotechnology. 86400 in cname first.ccnr.biotechnology. -JP

Re: nsupdate fails on CNAME but A and PTR goes through

2012-05-17 Thread lejeczek
sort of a false alarm nsupdate with FQDN(dot) did work!(???) On 17/05/12 12:03, lejeczek wrote: hi everybody when I do: server 127.0.0.1 zone ccnr.biotechnology. update add second 86400 in cname first send update failed: NOTZONE in log I get: May 17 11:59:10 whale named[2910]: debug

Re: nsupdate on a Windows ec2 instance to update dynamic DNS isn't working

2011-10-10 Thread kallen
On Sat, 08 Oct 2011, Mark Andrews wrote: Make sure that the send line has an end of line. Many windows editors don't add an end of line unlike unix editors that do. that was it. thank you! In message 20111007221843.gq28...@dradis.groknaut.net, kal...@groknaut.net writes:

Re: nsupdate on a Windows ec2 instance to update dynamic DNS isn't working

2011-10-08 Thread Mark Andrews
Make sure that the send line has an end of line. Many windows editors don't add an end of line unlike unix editors that do. In message 20111007221843.gq28...@dradis.groknaut.net, kal...@groknaut.net writes: hello, i'm trying to update dynamic DNS for my windows ec2 instance by running

Re: nsupdate problem after DNSSEC upgrade

2011-01-05 Thread Michelle Konzack
Note: My nsupdate script us an autogenerated file like: if ($_GET['nsupdate'] == 'on') { $tmp_file = tempnam('/tmp', 'tdphp-vserver.'); chmod($tmp_file, 0700); $fh = fopen($tmp_file, 'a'); fwrite($fh, "server dns1.tamay-dogan.net\n");

Re: nsupdate problem after DNSSEC

2011-01-05 Thread Phil Mayers
On 01/05/2011 08:09 AM, Michelle Konzack wrote: I have updated mydns1 to DNSSEC and now I have two problems... Do you mean you have signed your zone? If so, you are aware that bind requires the zone-signing key to be available in order to perform updates - like this: zone $name { type

Re: nsupdate problem after DNSSEC

2011-01-05 Thread Michelle Konzack
Hello Phil Mayers, On 2011-01-05 09:19:11, you hacked down the following: Do you mean you have signed your zone? Yes If so, you are aware that bind requires the zone-signing key to be available in order to perform updates - like this: zone $name { type master; allow-update { ... };

Re: nsupdate

2010-10-01 Thread Stephane Bortzmeyer
On Fri, Oct 01, 2010 at 02:58:28PM +0530, rams brames...@gmail.com wrote a message of 240 lines which said: Suppose we have two A records as , These two records have the same {name, class, type} and therefore belong to the same RRset (Resource Record Set). When we update TTL value as below

Re: Nsupdate -l not using session.key

2010-07-01 Thread Kalman Feher
I was obviously especially tired yesterday when I tested this. Anyway BIND was chroot'd and user wasn't. (slaps forehead) Problem solved. On 30/06/10 6:07 PM, Kal Feher kalman.fe...@melbourneit.com.au wrote: On 30/06/10 5:25 PM, Alan Clegg acl...@isc.org wrote: On 6/30/2010 11:13

Re: Nsupdate -l not using session.key

2010-06-30 Thread Alan Clegg
On 6/30/2010 11:13 AM, Kalman Feher wrote: While testing bind 9.7.1 features including automated signing and update-policy local. I encountered some strange behaviour using nsupdate -l. When using nsupdate -l I was not able to update the zone in question and the following error was

Re: Nsupdate -l not using session.key

2010-06-30 Thread Kalman Feher
On 30/06/10 5:25 PM, Alan Clegg acl...@isc.org wrote: On 6/30/2010 11:13 AM, Kalman Feher wrote: While testing bind 9.7.1 features including automated signing and update-policy local. I encountered some strange behaviour using nsupdate -l. When using nsupdate -l I was not able to update

RE: nsupdate and an external database

2009-08-10 Thread Simpson, John R
From the lack of response, I take it that there is no good way to have BIND trigger an external database update (or other action) when it receives a DDNS update. At least not without significantly customizing BIND, similar to what Quadritec / Lucent / Alcatel-Lucent did with QIP. Enhancing

Re: nsupdate delete question

2009-04-30 Thread Chris Thompson
On Apr 30 2009, James M wrote: While invoking nsupdate within a program I notice that trying to delete a nonexistent host does not return an error. That's a result of the way that RFC 2136 defined update operations. Read section 3, and note in particular that errors are never generated in

Re: nsupdate delete question

2009-04-30 Thread Niall O'Reilly
On Thu, 2009-04-30 at 10:18 -0400, James M wrote: trying to delete a nonexistent host does not return an error. That seems reasonable to me, since the state of the zone file after the transaction is indeed the state which would be expected, had the host been present and

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Niall O'Reilly
On Fri, 2008-11-14 at 17:35 -0800, Chris Buxton wrote: Use a firewall (with deep packet inspection) to restrict by subnet. Then use the TSIG key in the allow-update statement. Unfortunately, to my knowledge, that's the only way to do this. Wouldn't using a BIND view to restrict by

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Actually, to take this a step further, is there any remote possibility to combine this with update-policy as well? I know both questions have been mentioned on the list before with varied answers but I wanted to raise it again since this was finally figured out. /Jonathan On Mon, Nov 17, 2008 at

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Yeah it would most likely be a feature request/change. IIRC update-policy cannot be used in conjunction with the allow-update statement. Personally I prefer the usage of update-policy as I can assign different business units within my organization to take responsibility for certain records/record

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Evan Hunt
IIRC update-policy cannot be used in conjunction with the allow-update statement. My bad--you're right. There's code I'd never noticed before that says allow-update will be ignored if update-policy is set. Whoops. (Oddly, the check only applies when both of them are defined in the zone

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Guess I should start digging in the code then :) On Mon, Nov 17, 2008 at 5:59 PM, Evan Hunt [EMAIL PROTECTED] wrote: IIRC update-policy cannot be used in conjunction with the allow-update statement. My bad--you're right. There's code I'd never noticed before that says allow-update will be