Re: nsupdate reject
@lbutlr wrote:
>
> If I remove "update-policy local; " the nsupdate works, but it seems
> like it should have worked with the update-policy since I was in fact
> local to the bind server.

The "local" keyword enables server-side support for `nsupdate -l`, which makes dynamic updates really easy to use because you don't have to worry about TSIG keys. (My production primary server pushes zone changes using roughly `nsdiff | nsupdate -l`.)

But `update-policy local` actually means something kind of complicated and subtle, and what it means changed a bit last year to address some odd edge cases (https://kb.isc.org/docs/aa-01599).

I still need to delete some config complication that was a result of this: my primary server zone clauses have:

    allow-update { !{ !localhost; any; }; key local-ddns; };

which is an alternative spelling of `update-policy local` that's slightly safer than the pre-2018 meaning.

Tony.
--
f.anthony.n.finch http://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: West or southwest 3 or 4, becoming variable 2 or 3 for a time. Smooth or slight becoming moderate in far west. Fog patches overnight. Moderate or good, occasionally very poor overnight.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: nsupdate reject
On 20 May 2019, at 20:45, @lbutlr wrote:
>
> On 20 May 2019, at 16:21, Noel Butler wrote:
>> allow-update { key "keyname"; };
>
> Ah, no I did not. The instructions I found, as I mentioned in a later post,
> were to add grant ddns-key. Is this a change in 9.14, because I did not have
> to do this in 9.12?

    zone "kreme.com" {
        type master;
        file "master/kreme.com.signed";
        update-policy local;
        auto-dnssec maintain;
        allow-update { key "rndc-key"; };
    };

gives "'allow-update' is ignored when 'update-policy' is present" when I load the conf file.

If I remove "update-policy local; " the nsupdate works, but it seems like it should have worked with the update-policy since I was in fact local to the bind server.

--
My little brother got his arm stuck in the microwave. So my mom had to take him to the hospital. My grandma dropped acid this morning, and she freaked out. She hijacked a busload of penguins. So it's sort of a family crisis. Bye!
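An added example, not written by any poster in this thread: the zone clause above combines update-policy and allow-update, and the reply from Tony describes what `update-policy local` does. The constructed named.conf fragment below shows the three ways of authorising updates as separate zones; the zone names, file paths and the key name "ddns-key" are placeholders, and "SECRETSTUFF=" stands in for a real generated secret.

```conf
// Constructed fragment for illustration; pick ONE form per zone.
// update-policy and allow-update cannot be combined in the same zone.

// Form A: local-only updates using named's auto-generated session key.
// named creates a key called "local-ddns" at startup and "nsupdate -l"
// picks it up from the session key file, so no -k option is needed.
// An update signed with any other key (for example rndc-key passed
// with -k) is not granted anything by this policy.
zone "a.example" {
    type master;
    file "master/a.example";
    update-policy local;
};

// Form B: updates signed with a dedicated TSIG key.
// Generate the clause with: tsig-keygen -a hmac-sha256 ddns-key
// Using a separate key keeps the rndc control-channel secret out of
// the files and hosts that only need to send dynamic updates.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "SECRETSTUFF=";   // placeholder, not a usable secret
};

zone "b.example" {
    type master;
    file "master/b.example";
    // "grant" rules are only valid inside an update-policy { } block.
    update-policy {
        grant ddns-key zonesub ANY;
    };
};

// Form C: the coarser ACL form, used instead of update-policy.
// Any holder of the key may change any record in the zone.
zone "c.example" {
    type master;
    file "master/c.example";
    allow-update { key "ddns-key"; };
};
```

Run `named-checkconf` after editing. With form A send updates on the server with `nsupdate -l`; with forms B and C use `nsupdate -k` pointing at a file that holds the same key clause.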
Re: nsupdate reject
On 20 May 2019, at 16:21, Noel Butler wrote:
> allow-update { key "keyname"; };

Ah, no I did not. The instructions I found, as I mentioned in a later post, were to add grant ddns-key. Is this a change in 9.14, because I did not have to do this in 9.12?

> and nsLOOKUP ?

Just a thinko.

--
The hippo of recollection stirred in the muddy waters of the mind.
Re: nsupdate reject
Did you allow for it under the zone? Adding a key as such will not give you global operations.

    zone foo {
        ...
        allow-update { key "keyname"; };
        ...
    };

And nsLOOKUP? It's either too early in the morning here and I'm mis-reading what you're doing, or you should be using, or at least meant to say, nsUPDATE.

On 20/05/2019 10:27, @lbutlr wrote:
> Trying to update some DNS under a relatively newly installed bind 9.14 with
> nsupdate.
>
> I have a file admin.key that looks basically like this:
> key "rndc-key" {
>     algorithm hmac-sha256;
>     secret "SECRETSTUFF=";
> };
>
> This is the same key block that is in named.conf. I am launching NSLOOKUP
> with -k admin.key, but when I try to make a change and then "send", I get
> "update failed: REFUSED."
>
> Is this not the key that is wanted? It appears to be the only key I have. Do
> I need to change to some different key type for bind 9.14, or am I forgetting
> something else.
>
> I did make some changes to the DNS back in 9/12 several months ago, and I
> don't recall having to even provide the key then.

--
Kind Regards,
Noel Butler
Re: nsupdate reject
On 19 May 2019, at 18:27, @lbutlr wrote:
> This is the same key block that is in named.conf. I am launching NSLOOKUP
> with -k admin.key, but when I try to make a change and then "send", I get
> "update failed: REFUSED."

I found a page that recommended adding a ddns-key and then adding "grant ddns-key zonesub ANY;" to the zone info, but that produces an error "unknown option 'grant'".

--
'You know what the greatest tragedy is in the whole world?' said Ginger, not paying him the least attention. 'It's all the people who never find out what it is they really want to do or what it is they're really good at. It's all the sons who become blacksmiths because their fathers were blacksmiths. It's all the people who could be really fantastic flute players who grow old and die without ever seeing a musical instrument, so they become bad ploughmen instead. It's all the people with talents who never even find out. Maybe they are never born in a time when it is possible to find out.'
RE: nsupdate reject
The most obvious thing is to look at the zone and see if that key is included in an allow-update statement for the zone.

Bob
nsupdate reject
Trying to update some DNS under a relatively newly installed bind 9.14 with nsupdate.

I have a file admin.key that looks basically like this:

    key "rndc-key" {
        algorithm hmac-sha256;
        secret "SECRETSTUFF=";
    };

This is the same key block that is in named.conf. I am launching NSLOOKUP with -k admin.key, but when I try to make a change and then "send", I get "update failed: REFUSED."

Is this not the key that is wanted? It appears to be the only key I have. Do I need to change to some different key type for bind 9.14, or am I forgetting something else?

I did make some changes to the DNS back in 9/12 several months ago, and I don't recall having to even provide the key then.

--
There's a race of men that don't fit in,
A race that can't stay still
So they break the hearts of kith and kin,
And they roam the world at will.