Dynamic update rejected within a view

Dynamic update rejected within a view

Per Weisteen
Hi

I've a BIND setup with my ISP with two views, one external and one internal. At the same time I also need to be able to do a dynamic update from some addresses within the internal range. This worked OK before I had to define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong. My ISP is running BIND 9.11.4.

Due to the ISP's need to have control over the BIND setup I'm just allowed to add my config via include files.

Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////
// zone1 and zone2 keys used to ensure correct zone transfer from slave
//////

view "external-sites" {
    match-clients { !key zone2.key; key zone1.key; external; };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view1.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone1.key; };
        update-policy {
                grant "ext-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view1";
}; // End view "external-sites"

view "internal-sites" {
    match-clients { !key zone1.key; key zone2.key; internal; localhost; };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view2.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone2.key; };
        update-policy {
                grant "int-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view2";
}; // End view "grus-zone2"

view "default" {
    match-clients { any; };

    include "zones.common.config.view2";
}; // End view "default"

mydomains-keys.conf file contains:

key ext-update.key. {
    algorithm HMAC-SHA512;
    secret "secret2";
};

key int-update.key. {
    algorithm HMAC-SHA512;
    secret "secret3";
};


Error message in /var/log/named/named.log is:


10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

 


-- 
Best regards,
Per Weisteen



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Dynamic update rejected within a view

Mark Andrews
Include the update keys in the view selection. 

-- 
Mark Andrews

On 14 Jul 2020, at 23:06, Per Weisteen <[hidden email]> wrote:
Re: Dynamic update rejected within a view

Sten Carlsen



-- 
Best regards 
Sten Carlsen 


For every problem, there is a solution that
is simple, elegant, and wrong.
HL Mencken


On 14 Jul 2020, at 16.25, Mark Andrews <[hidden email]> wrote:

Include the update keys in the view selection. 

-- 
Mark Andrews

On 14 Jul 2020, at 23:06, Per Weisteen <[hidden email]> wrote:

Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";

view "external-sites" {
    match-clients { !key zone2.key; key zone1.key; external; };
                    ------------------------------

    zone "aa.example.net" {

Error message in /var/log/named/named.log is:

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
                                                                                  -----------------
Key names do not match.

10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

Re: Dynamic update rejected within a view

程智勇
In reply to this post by Per Weisteen
On 14 Jul 2020 at 9:06 PM +0800, Per Weisteen <[hidden email]> wrote:
Error message in /var/log/named/named.log is :


10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

  


It seems that you have used a key named arc-zone2.key for updating but only allow int-update.key for updating in the configuration?


Zhiyong Cheng

Re: Dynamic update rejected within a view

Per Weisteen
On 14.07.2020 18:11, Zhiyong Cheng wrote:
On 14 Jul 2020 at 9:06 PM +0800, Per Weisteen [hidden email] wrote:
It seems that you have used a key named arc-zone2.key for updating but only 
allow int-update.key for updating in configuration?



Hi

I've managed to paste the wrong error messages. The correct ones were:

10-Jul-2020 13:21:24.571 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:21:24.759 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)

I'll try Mark's suggestion.

Per W.

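Mark's one-line advice, applied to the views from the original post, as an added example that is not part of the thread or of any ISC documentation. Everything not in the original configuration is an assumption of this example: the explicit `!key ext-update.key;` / `!key int-update.key;` negations, the ordering of the match-clients entries, and the comments. It assumes keys/zone1-keys.conf and keys/zone2-keys.conf define zone1.key and zone2.key, and that all four key statements stay at global scope (outside any view) so both views can reference them.

```conf
// Added example (not from the thread): the update keys take part in view
// selection. A match-clients list is evaluated first-match: a negated entry
// that matches rejects the view, so each view refuses the other view's keys
// before accepting its own, and only then falls back to address matching.

include "keys/mydomains-keys.conf";   // defines ext-update.key. and int-update.key.
include "keys/zone1-keys.conf";       // assumed to define zone1.key
include "keys/zone2-keys.conf";       // assumed to define zone2.key

acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };

view "external-sites" {
    match-clients {
        !key zone2.key;
        !key int-update.key;      // internal update key never lands here
        key zone1.key;
        key ext-update.key;       // external update key always lands here
        external;
    };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view1.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone1.key; };
        // The grant is narrow: only CNAME records at exactly
        // web.aa.example.net, and only when signed with ext-update.key.
        // Any other owner name or record type is REFUSED.
        update-policy {
            grant "ext-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view1";
};

view "internal-sites" {
    match-clients {
        !key zone1.key;
        !key ext-update.key;      // external update key never lands here
        key zone2.key;
        key int-update.key;       // internal update key always lands here
        internal;
        localhost;
    };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view2.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone2.key; };
        update-policy {
            grant "int-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view2";
};

view "default" {
    match-clients { any; };

    include "zones.common.config.view2";
};
```

Two checks before relying on it. Run `named-checkconf` on the full configuration after the includes are in place, then reproduce the update with `nsupdate -y hmac-sha512:int-update.key:<secret>` and watch named.log: the line to look for is the same "rejected by secure update (REFUSED)" entry from the thread, which should stop appearing for the name and type the grant covers. If it still appears with the right key and view in the log line, compare what the client actually sends against the grant: with `grant "int-update.key." name web.aa.example.net. CNAME` the policy permits nothing but CNAME records at that one owner name, so an A record, a different name, or a delete of another type is refused even with a valid signature.

One caveat on the security side. In this arrangement the key alone selects the view, so an update signed with int-update.key is accepted into "internal-sites" from any source address; BIND address match lists are first-match OR lists, not AND, so the key cannot be tied to the internal range in match-clients. Treat the TSIG secret accordingly (a real HMAC-SHA512 secret generated with `tsig-keygen`, not the placeholders shown in the post) and restrict the source addresses at the firewall if that matters for the deployment.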