Re: nsupdate reject

2019-05-22 Thread Tony Finch
@lbutlr wrote:
>
> If I remove "update-policy local; " the nsupdate works, but it seems
> like it should have worked with the update-policy since I was in fact
> local to the bind server.

The "local" keyword enables server-side support for `nsupdate -l`, which
makes dynamic updates really easy to use because you don't have to worry
about TSIG keys. (My production primary server pushes zone changes using
roughly `nsdiff | nsupdate -l`.)

But `update-policy local` actually means something kind of complicated and
subtle and what it means changed a bit last year to address some odd edge
cases (https://kb.isc.org/docs/aa-01599). I still need to delete some
config complication that was a result of this: my primary server zone
clauses have:

allow-update { !{ !localhost; any; }; key local-ddns; };

which is an alternative spelling of `update-policy local` that's slightly
safer than the pre-2018 meaning.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: West or southwest 3 or
4, becoming variable 2 or 3 for a time. Smooth or slight becoming moderate in
far west. Fog patches overnight. Moderate or good, occasionally very poor
overnight.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 20 May 2019, at 20:45, @lbutlr wrote:
> 
> On 20 May 2019, at 16:21, Noel Butler wrote:
>>   allow-update { key "keyname"; };
> 
> Ah, no I did not. The instructions I found, as I mentioned in a later post, 
> were to add grant ddns-key. Is this a change in 9.14, because I did not have 
> to do this in 9.12?

zone "kreme.com" {
    type master;
    file "master/kreme.com.signed";
    update-policy local;
    auto-dnssec maintain;
    allow-update {
        key "rndc-key";
    };
};

gives "'allow-update' is ignored when 'update-policy' is present" when I load 
the conf file.

If I remove "update-policy local; " the nsupdate works, but it seems like it 
should have worked with the update-policy since I was in fact local to the bind 
server.

-- 
My little brother got his arm stuck in the microwave. So my mom had to
take him to the hospital. My grandma dropped acid this morning, and she
freaked out. She hijacked a busload of penguins. So it's sort of a
family crisis. Bye!


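The two mistakes this thread turns on (a zone clause carrying both `allow-update` and `update-policy`, so the `allow-update` is silently ignored, and a bare `grant` rule outside an `update-policy { ... }` block, which named rejects as an unknown option), plus Tony's point that `allow-update` and `update-policy` are two different ways of saying who may write the zone, can be caught before reloading named. The following is an added example, not code from the thread or from ISC: a small heuristic lint over named.conf zone clauses; the `open.test` and `ddns.test` zones in `SAMPLE_CONF` are constructed, and only the first zone is the clause posted above.

```python
import re

# Constructed sample (not copied from the thread verbatim): the first zone is the
# clause posted above, which named rejects with "'allow-update' is ignored ...".
SAMPLE_CONF = '''zone "kreme.com" {
    type master;
    file "master/kreme.com.signed";
    update-policy local;
    auto-dnssec maintain;
    allow-update { key "rndc-key"; };
};
zone "open.test" {
    type master;
    allow-update { any; };
};
zone "ddns.test" {
    type master;
    grant ddns-key zonesub ANY;
};
'''

def zone_clauses(conf):
    """Yield (name, body) for each zone clause, matching braces by hand."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 0, m.end() - 1
        while i < len(conf):
            if conf[i] == '{':
                depth += 1
            elif conf[i] == '}':
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), conf[m.end():i]

def lint_zone(body):
    """Heuristic checks for the update-control mistakes discussed in the thread."""
    findings = []
    has_policy = re.search(r'\bupdate-policy\b', body) is not None
    has_allow = re.search(r'\ballow-update\b', body) is not None
    if has_policy and has_allow:
        findings.append("allow-update is ignored when update-policy is present; keep one")
    if re.search(r'\ballow-update\s*\{\s*any\s*;', body):
        findings.append("allow-update { any; } lets any client rewrite the zone")
    if re.search(r'\bgrant\b', body) and not re.search(r'update-policy\s*\{', body):
        findings.append("'grant' rules are only valid inside update-policy { ... }")
    return findings

def lint(conf):
    return {name: lint_zone(body) for name, body in zone_clauses(conf)}
```

Run `lint(open("/etc/named.conf").read())` against a real file to get a per-zone list of findings; an empty list for every zone means none of the three patterns was found.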


Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 20 May 2019, at 16:21, Noel Butler wrote:
>allow-update { key "keyname"; };

Ah, no I did not. The instructions I found, as I mentioned in a later post, 
were to add grant ddns-key. Is this a change in 9.14, because I did not have 
to do this in 9.12?

> and nsLOOKUP ?

Just a thinko.

-- 
The hippo of recollection stirred in the muddy waters of the mind.





Re: nsupdate reject

2019-05-20 Thread Noel Butler
did you allow for it under the zone ? Adding a key as such will not give
you global operations 

zone foo {
    ...
    allow-update { key "keyname"; };
    ...
}

and nsLOOKUP? It's either too early in the morning here and I'm
misreading what you're doing, or you should be using, or at least meant
to say, nsUPDATE

On 20/05/2019 10:27, @lbutlr wrote:

> Trying to update some DNS under a relatively newly installed bin 9.14 with 
> nsupdate.
> 
> I have a file admin.key that looks basically like this:
> key "rndc-key" {
> algorithm hmac-sha256;
> secret "SECRETSTUFF=";
> };
> 
> This is the same key block that is in named.conf. I am launching NSLOOKUP 
> with -k admin.key, but when I try to make a change and then "send", I get 
> "update failed: REFUSED."
> 
> Is this not the key that is wanted? It appears to be the only key I have. Do 
> I need to change to some different key type for bind 9.14, or am I forgetting 
> something else?
> 
> I did make some changes to the DNS back in 9/12 several months ago, and I 
> don't recall having to even provide the key then.

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the author's express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument


Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 19 May 2019, at 18:27, @lbutlr wrote:
> This is the same key block that is in named.conf. I am launching NSLOOKUP 
> with -k admin.key, but when I try to make a change and then "send", I get 
> "update failed: REFUSED."

I found a page that recommended adding a ddns-key and then adding "grant 
ddns-key zonesub ANY;" to the zone info, but that produces an error "unknown 
option 'grant'".

-- 
'You know what the greatest tragedy is in the whole world?' said Ginger,
not paying him the least attention. 'It's all the people who never find
out what it is they really want to do or what it is they're really good
at. It's all the sons who become blacksmiths because their fathers were
blacksmiths. It's all the people who could be really fantastic flute
players who grow old and die without ever seeing a musical instrument,
so they become bad ploughmen instead. It's all the people with talents
who never even find out. Maybe they are never born in a time when it is
possible to find out.'





RE: nsupdate reject

2019-05-20 Thread Bob McDonald
The most obvious thing is to look at the zone and see if that key is
included in an allow-update statement for the zone.

Bob


nsupdate reject

2019-05-19 Thread @lbutlr
Trying to update some DNS under a relatively newly installed bin 9.14 with 
nsupdate.

I have a file admin.key that looks basically like this:
key "rndc-key" {
    algorithm hmac-sha256;
    secret "SECRETSTUFF=";
};

This is the same key block that is in named.conf. I am launching NSLOOKUP with 
-k admin.key, but when I try to make a change and then "send", I get "update 
failed: REFUSED."

Is this not the key that is wanted? It appears to be the only key I have. Do I 
need to change to some different key type for bind 9.14, or am I forgetting 
something else?

I did make some changes to the DNS back in 9/12 several months ago, and I don't 
recall having to even provide the key then.

-- 
There's a race of men that don't fit in, A race that can't stay still So
they break the hearts of kith and kin, And they roam the world at will.

