Forum: War Ensemble BBS

Dynamic update rejected within a view

From Per Weisteen@perw@compute-it.no to bind-users on Tue Jul 14 15:05:45 2020

From Newsgroup: comp.protocols.dns.bind

This is a multi-part message in MIME format. --------------2B1D28F23ADA0F00519FB163
Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit

Hi

I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic update
from some addresses within the internal range. This worked ok before I
had to define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong. My
ISP is running BIND 9.11.4.

Due to the ISPs need to have control over the BIND setup I'm just
allowed to add my config via include files.

Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";

include "keys/zone1-keys.conf";

include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };

acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////

// zone1 and zone2 keys used to ensure correct zone transfer from slave

//////

view "external-sites" {

 match-clients { !key zone2.key; key zone1.key; external; };

zone "aa.example.net" {

type master;

 file "zones.master/aa-view1.example.net";

 notify explicit;

 also-notify { 10.12.143.56 key zone1.key; };

 update-policy {

 grant "ext-update.key." name web.aa.example.net. CNAME;

 };

 };

 include "zones.common.config.view1";

}; // End view "external-sites"

view "internal-sites" {

 match-clients { !key zone1.key; key zone2.key; internal; localhost; };

 zone "aa.example.net" {

 type master;

 file "zones.master/aa-view2.example.net";

 notify explicit;

 also-notify { 10.12.143.56 key zone2.key; };

 update-policy {

 grant "int-update.key." name web.aa.example.net. CNAME;

 };

 };

 include "zones.common.config.view2";

}; // End view "grus-zone2"

view "default" {

 match-clients { any; };

 include "zones.common.config.view2";

}; // End view "default"

mydomains-keys.conf file contains :

key ext-update.key. {

algorithm HMAC-SHA512;

secret "secret2";

};

key int-update.key. {

algorithm HMAC-SHA512;

secret "secret3";

};

Error message in /var/log/named/named.log is :

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

--
Best regards,
Per Weisteen

--------------2B1D28F23ADA0F00519FB163
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
Hi 
 
I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic
update from some addresses within the internal range. This worked ok
before I had to define my two views. 
 
I'd be very grateful if someone could suggest what I'm doing wrong.
My ISP is running BIND 9.11.4. 
 
Due to the ISPs need to have control over the BIND setup I'm just
allowed to add my config via include files. 
 
 
Zones.mydomains.config file
contains: 

 
include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";
 
acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };
 
//////
// zone1 and zone2 keys used to ensure correct zone
transfer from slave
//////
 
view "external-sites" {
 match-clients { !key zone2.key; key zone1.key;
external; };
 

zone "aa.example.net" {

type master;
 file "zones.master/aa-view1.example.net";
 notify explicit;
 also-notify { 10.12.143.56 key zone1.key;
};
 update-policy {
 grant "ext-update.key." name
web.aa.example.net. CNAME;
 };
 };
 
 include "zones.common.config.view1";
 
}; // End view "external-sites"
 
view "internal-sites" {
 match-clients { !key zone1.key; key zone2.key;
internal; localhost; };
 
 zone "aa.example.net" {
 type master;
 file "zones.master/aa-view2.example.net";
 notify explicit;
 also-notify { 10.12.143.56 key zone2.key;
};
 update-policy {
 grant "int-update.key." name
web.aa.example.net. CNAME;
 };
 };
 
 include "zones.common.config.view2";
 
}; // End view "grus-zone2"
 
 
 
view "default" {
 match-clients { any; };

 
 include "zones.common.config.view2";
 
};
// End view "default"
 
mydomains-keys.conf file contains :
 
key
ext-update.key. {



algorithm HMAC-SHA512;



secret "secret2";


};


 


key
int-update.key. {



algorithm HMAC-SHA512;



secret "secret3";


};


 
Error message in
/var/log/named/named.log is : 

 

10-Jul-2020
13:27:14.695 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed: rejected
by secure update (REFUSED)


10-Jul-2020
13:28:13.883 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed: rejected
by secure update (REFUSED)


 

 

<pre class="moz-signature" cols="72">--
Best regards,
Per Weisteen

</pre>
</body>
</html>

--------------2B1D28F23ADA0F00519FB163--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Mark Andrews@marka@isc.org to Per Weisteen on Wed Jul 15 00:25:48 2020

From Newsgroup: comp.protocols.dns.bind

--Apple-Mail-E05D45FD-76B5-4EBE-B0A5-A334E9AFFF20
Content-Type: text/plain;
charset=utf-8
Content-Transfer-Encoding: quoted-printable

Include the update keys in the view selection.=20

--=20
Mark Andrews

On 14 Jul 2020, at 23:06, Per Weisteen <perw@compute-it.no> wrote:
=20
=EF=BB=BF Hi
=20
I've a BIND setup with my ISP with two views, one external and one interna=

l. At the same time I also need to be able to do a dynamic update from some a= ddresses within the internal range. This worked ok before I had to define my=
two views.=20

=20
I'd be very grateful if someone could suggest what I'm doing wrong. My ISP=

is running BIND 9.11.4.

=20
Due to the ISPs need to have control over the BIND setup I'm just allowed=

to add my config via include files.

=20
=20
Zones.mydomains.config file contains:
=20
=20
include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";
=20
acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };
=20
//////
// zone1 and zone2 keys used to ensure correct zone transfer from slave //////
=20
view "external-sites" {
match-clients { !key zone2.key; key zone1.key; external; };
=20
zone "aa.example.net" {
type master;
file "zones.master/aa-view1.example.net";
notify explicit;
also-notify { 10.12.143.56 key zone1.key; };
update-policy {
grant "ext-update.key." name web.aa.example.net. CNAME;
};
};
=20
include "zones.common.config.view1";
=20
}; // End view "external-sites"
=20
view "internal-sites" {
match-clients { !key zone1.key; key zone2.key; internal; localhost; };=

=20
zone "aa.example.net" {
type master;
file "zones.master/aa-view2.example.net";
notify explicit;
also-notify { 10.12.143.56 key zone2.key; };
update-policy {
grant "int-update.key." name web.aa.example.net. CNAME;
};
};
=20
include "zones.common.config.view2";
=20
}; // End view "grus-zone2"
=20
=20
=20
view "default" {
match-clients { any; };
=20
include "zones.common.config.view2";
=20
}; // End view "default"
=20
=20
mydomains-keys.conf file contains :
=20
=20
=20
key ext-update.key. {
algorithm HMAC-SHA512;
secret "secret2";
};
=20
key int-update.key. {
algorithm HMAC-SHA512;
secret "secret3";
};
=20
=20
Error message in /var/log/named/named.log is :
=20
=20
=20
10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.14=

8#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/= IN': update failed: rejected by secure update (REFUSED)

=20
10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.14=

8#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/= IN': update failed: rejected by secure update (REFUSED)

=20
=20
=20
=20
=20
--=20
Best regards,
Per Weisteen
=20
=20
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscr=

ibe from this list

=20
ISC funds the development of this software with paid support subscriptions=

. Contact us at https://www.isc.org/contact/ for more information.

=20
=20
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--Apple-Mail-E05D45FD-76B5-4EBE-B0A5-A334E9AFFF20
Content-Type: text/html;
charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D= utf-8"></head><body dir=3D"auto">Include the update keys in the view selecti= on.  <div dir=3D"ltr">-- <div>Mark Andrews</div></div><div d= ir=3D"ltr"> <blockquote type=3D"cite">On 14 Jul 2020, at 23:06, Per Weist= een <perw@compute-it.no> wrote: </blockquote></div><blockquote t= ype=3D"cite"><div dir=3D"ltr">=EF=BB=BF
=20

<meta http-equiv=3D"content-type" content=3D"text/html; charset=3DUTF-8"=

=20
=20
Hi 
 
I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic
update from some addresses within the internal range. This worked ok
before I had to define my two views. 
 
I'd be very grateful if someone could suggest what I'm doing wrong.
My ISP is running BIND 9.11.4. 
 
 Due to the ISPs need to have control over the BIND setup I'm just
allowed to add my config via include files. 
 
  
Zones.mydomains.config file
contains: 

 
include "keys/mydo= mains-keys.conf";
include "keys/zone= 1-keys.conf";
include "keys/zone= 2-keys.conf";
 
acl external { 10.= 222.33.0/18; 10.222.44.0/18; };
acl internal { 10.= 11.0.0/16; 10.12.0.0/16; };
 
//////
// zone1 and zone2=
keys used to ensure correct zone
transfer from slave
//////
 
view "external-sit= es" {
   =
match-clients { !key zone2.key; key zone1.key;
external; };
 
   =

zone "aa.example.net" {
     &nb= sp; 
type master;
   =      file "zones.master/aa-view1.example.net";</p=

   =      notify explicit;
   =      also-notify { 10.12.143.56 key zone1.key;
};
   =      update-policy {
   =              gra= nt "ext-update.key." name
web.aa.example.net. CNAME;
   =      };
   =
};
 
   =
include "zones.common.config.view1";
 
}; // End view "ex= ternal-sites"
 
view "internal-sit= es" {
   =
match-clients { !key zone1.key; key zone2.key;
internal; localhost; };
 
   =
zone "aa.example.net" {
   =      type master;
   =      file "zones.master/aa-view2.example.net";</p=

   =      notify explicit;
   =      also-notify { 10.12.143.56 key zone2.key;
};
   =      update-policy {
   =              gra= nt "int-update.key." name
web.aa.example.net. CNAME;
   =      };
   =
};
 
   =
include "zones.common.config.view2";
 
}; // End view "gr= us-zone2"
 
 
 
view "default" {</= span>
   =
match-clients { any; };

 
   =
include "zones.common.config.view2";
 
};
// End view "default"
 
mydomains-keys.conf  file contains :
 
key
ext-update.key. {


  &nb= sp;
algorithm HMAC-SHA512;


  &nb= sp;
secret "secret2";


};</font= >


 </= font>


key
int-update.key. {


  &nb= sp;
algorithm HMAC-SHA512;


  &nb= sp;
secret "secret3";


};</font= >


 
Error message in
/var/log/named/named.log is : 

 

1= 0-Jul-2020
13:27:14.695 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed: rejected
by secure update (REFUSED)


1= 0-Jul-2020
13:28:13.883 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed: rejected
by secure update (REFUSED)


&= nbsp;

 

<pre class=3D"moz-signature" cols=3D"72">--=20
Best regards,
Per Weisteen

</pre>
=20

_______________________________________________ Please=
visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from=
this list ISC funds the development of thi=
s software with paid support subscriptions. Contact us at https://www.isc.or= g/contact/ for more information. <br= >bind-users mailing list bind-users@lists.isc.org</spa= n> https://lists.isc.org/mailman/listinfo/bind-users </di= v></blockquote></body></html>=

--Apple-Mail-E05D45FD-76B5-4EBE-B0A5-A334E9AFFF20--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Sten Carlsen@stenc@s-carlsen.dk to Per Weisteen on Tue Jul 14 16:34:48 2020

From Newsgroup: comp.protocols.dns.bind

--Apple-Mail=_41D42D98-FBFA-466E-A421-992C8115660A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=us-ascii

--=20
Best regards=20
Sten Carlsen=20

For every problem, there is a solution that
is simple, elegant, and wrong.
HL Mencken

On 14 Jul 2020, at 16.25, Mark Andrews <marka@isc.org> wrote:
=20
Include the update keys in the view selection.=20
=20
--=20
Mark Andrews
=20

On 14 Jul 2020, at 23:06, Per Weisteen <perw@compute-it.no> wrote:
=20
Zones.mydomains.config file contains:
=20
=20
include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";
=20
view "external-sites" {
match-clients { !key zone2.key; key zone1.key; external; };

=
-----------------------------

=20
zone "aa.example.net" {
Error message in /var/log/named/named.log is :
=20
=20
10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 = 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone = 'pacs.telenor.net/IN': update
=20

=
=
-------------------------
Key names do not match.

failed: rejected by secure update (REFUSED)
=20
10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 = 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone = 'pacs.telenor.net/IN': update failed: rejected by secure update =

(REFUSED)

=20
=20
=20
=20
=20
--=20
Best regards,
Per Weisteen
=20
=20
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to = unsubscribe from this list
=20
ISC funds the development of this software with paid support = subscriptions. Contact us at https://www.isc.org/contact/ for more = information.
=20
=20
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to =

unsubscribe from this list

=20
ISC funds the development of this software with paid support =

subscriptions. Contact us at https://www.isc.org/contact/ for more = information.

=20
=20
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--Apple-Mail=_41D42D98-FBFA-466E-A421-992C8115660A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; = charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; = -webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""> 
 <div class=3D"">
<div style=3D"color: rgb(0, 0, 0); letter-spacing: normal; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; = word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space;" class=3D""><div style=3D"color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 12px; font-style: normal; = font-variant-caps: normal; font-weight: normal; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" = class=3D"">--  Best regards  Sten = Carlsen  For every =
problem, there is a solution that is simple, elegant, and = wrong.</div><div style=3D"color: rgb(0, 0, 0); font-family: Helvetica; = font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D"">HL =
Mencken </div></div>
</div>

<div> <blockquote type=3D"cite" class=3D""><div =
class=3D"">On 14 Jul 2020, at 16.25, Mark Andrews <<a = href=3D"mailto:marka@isc.org" class=3D"">marka@isc.org</a>> = wrote:</div> <div class=3D""><meta = http-equiv=3D"content-type" content=3D"text/html; charset=3Dutf-8" = class=3D""><div dir=3D"auto" class=3D"">Include the update keys in the =
view selection.  <div dir=3D"ltr" = class=3D"">-- <div class=3D"">Mark Andrews</div></div><div =
dir=3D"ltr" class=3D""> <blockquote type=3D"cite" =
class=3D"">On 14 Jul 2020, at 23:06, Per Weisteen <<a = href=3D"mailto:perw@compute-it.no" class=3D"">perw@compute-it.no</a>> = wrote: </blockquote></div><blockquote = type=3D"cite" class=3D""><div dir=3D"ltr" class=3D"">Zones.mydomains.config=
file
contains: 
 <div =
style=3D"margin: 0cm 0cm 0.0001pt;" class=3D"">include = "keys/mydomains-keys.conf";</div><div style=3D"margin: 0cm 0cm = 0.0001pt;" class=3D"">include = "keys/zone1-keys.conf";</div></div></blockquote></div></div></block= quote><blockquote type=3D"cite" class=3D""><div dir=3D"auto" = class=3D""><blockquote type=3D"cite" class=3D""><div dir=3D"ltr" = class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt;" class=3D"">include "keys/zone2-keys.conf";</div> <div style=3D"margin: 0cm 0cm = 0.0001pt;" class=3D"">view "external-sites" = {</div><div style=3D"margin: 0cm 0cm 0.0001pt;" class=3D"">    match-clients { !key =
zone2.key; key zone1.key;
external; =
};</div></div></blockquote></div></blockquote>    =
                    =
                    =
                    =
                    =
                  =  -----------------------------</div><div><blockquote type=3D"cite" = class=3D""><div class=3D""><div dir=3D"auto" class=3D""><blockquote = type=3D"cite" class=3D""><div dir=3D"ltr" class=3D""> <div style=3D"margin: 0cm 0cm = 0.0001pt;" class=3D"">   
zone "<a href=3D"http://aa.example.net" = class=3D"">aa.example.net</a>" {</div><div style=3D"margin: 0cm =
0cm 0.0001pt;" class=3D"">Error message in
/var/log/named/named.log is :</div> 
<span=
lang=3D"EN-US" class=3D"">10-Jul-2020
13:27:14.695 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone '<a href=3D"http://pacs.telenor.net/IN':" = class=3D"">pacs.telenor.net/IN':</a> update = </div></blockquote></div></div></blockquote>  =
                    =
                    =
                    =
                    =
                    =
                    =
                    =
                    =
                    =
          =
-------------------------</div><div>Key names do not match. <blockquote type=3D"cite" class=3D""><div class=3D""><div = dir=3D"auto" class=3D""><blockquote type=3D"cite" class=3D""><div =
dir=3D"ltr" class=3D"">failed: rejected
by secure update (REFUSED)

10-Jul-2020
13:28:13.883 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone '<a href=3D"http://pacs.telenor.net/IN':" = class=3D"">pacs.telenor.net/IN':</a> update failed: rejected
by secure update (REFUSED)

<div class=3D"">  </div><div class=3D""> </div> 

<pre class=3D"moz-signature" cols=3D"72">--=20
Best regards,
Per Weisteen

</pre>
=20

_______________________________________________<br=
class=3D"">Please visit <a = href=3D"https://lists.isc.org/mailman/listinfo/bind-users" = class=3D"">https://lists.isc.org/mailman/listinfo/bind-users</a> to = unsubscribe from this list ISC funds the =
development of this software with paid support subscriptions. Contact us =
at <a href=3D"https://www.isc.org/contact/" = class=3D"">https://www.isc.org/contact/</a> for more =
information. bind-users mailing list <a href=3D"mailto:bind-users@lists.isc.org" = class=3D"">bind-users@lists.isc.org</a> <a href=3D"https://lists.isc.org/mailman/listinfo/bind-users" = class=3D"">https://lists.isc.org/mailman/listinfo/bind-users</a><br=
=
class=3D""></div></blockquote></div>______________________________________= _________ Please visit <a = href=3D"https://lists.isc.org/mailman/listinfo/bind-users" = class=3D"">https://lists.isc.org/mailman/listinfo/bind-users</a> to = unsubscribe from this list ISC funds the = development of this software with paid support subscriptions. Contact us =
at <a href=3D"https://www.isc.org/contact/" = class=3D"">https://www.isc.org/contact/</a> for more information. bind-users mailing list <a href=3D"mailto:bind-users@lists.isc.org" = class=3D"">bind-users@lists.isc.org</a> https://lists.isc.org/mailman/listinfo/bind-users </div></blockquote></div> </body></html>=

--Apple-Mail=_41D42D98-FBFA-466E-A421-992C8115660A--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Zhiyong Cheng@chengzhycn@gmail.com to bind-users@lists.isc.org, Per Weisteen on Wed Jul 15 00:11:15 2020

From Newsgroup: comp.protocols.dns.bind

--5f0dd95e_74de0ee3_17b03
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

=E5=9C=A8 2020=E5=B9=B47=E6=9C=8814=E6=97=A5 +0800 PM9:06=EF=BC=8CPer Wei= steen <perw=40compute-it.no>=EF=BC=8C=E5=86=99=E9=81=93=EF=BC=9A

Hi

I've a BIND setup with my ISP with two views, one external and one inte=

rnal. At the same time I also need to be able to do a dynamic update from=
some addresses within the internal range. This worked ok before I had to=
define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong. My =

ISP is running BIND 9.11.4.

=C2=A0Due to the ISPs need to have control over the BIND setup I'm just=

allowed to add my config via include files.

Zones.mydomains.config file contains:
include =22keys/mydomains-keys.conf=22;
include =22keys/zone1-keys.conf=22;
include =22keys/zone2-keys.conf=22;
acl external =7B 10.222.33.0/18; 10.222.44.0/18; =7D;
acl internal =7B 10.11.0.0/16; 10.12.0.0/16; =7D;
//////
// zone1 and zone2 keys used to ensure correct zone transfer from slave=

//////
view =22external-sites=22 =7B
match-clients =7B =21key zone2.key; key zone1.key; external; =7D;
zone =22aa.example.net=22 =7B
type master;
file =22zones.master/aa-view1.example.net=22;
notify explicit;
also-notify =7B 10.12.143.56 key zone1.key; =7D;
update-policy =7B
grant =22ext-update.key.=22 name web.aa.example.net. CNAME;
=7D;
=7D;
include =22zones.common.config.view1=22;
=7D; // End view =22external-sites=22
view =22internal-sites=22 =7B
match-clients =7B =21key zone1.key; key zone2.key; internal; localhost;=

=7D;

zone =22aa.example.net=22 =7B
type master;
file =22zones.master/aa-view2.example.net=22;
notify explicit;
also-notify =7B 10.12.143.56 key zone2.key; =7D;
update-policy =7B
grant =22int-update.key.=22 name web.aa.example.net. CNAME;
=7D;
=7D;
include =22zones.common.config.view2=22;
=7D; // End view =22grus-zone2=22
view =22default=22 =7B
match-clients =7B any; =7D;
include =22zones.common.config.view2=22;
=7D; // End view =22default=22
mydomains-keys.conf file contains :
key ext-update.key. =7B
algorithm HMAC-SHA512;
secret =22secret2=22;
=7D;
key int-update.key. =7B
algorithm HMAC-SHA512;
secret =22secret3=22;
=7D;
Error message in /var/log/named/named.log is :

10-Jul-2020 13:27:14.695 update: info: client =400x7f0a200a9b30 10.124.=

15.148=2364606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.te= lenor.net/IN': update failed: rejected by secure update (RE=46USED)

10-Jul-2020 13:28:13.883 update: info: client =400x7f0a200a9b30 10.124.=

15.148=2364606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.te= lenor.net/IN': update failed: rejected by secure update (RE=46USED)

It seems that you have used a key named arc-zone2.key for updating but on=
ly
allow int-update.key for updating in configuration=3F

--
Best regards,
Per Weisteen

=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=

=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsub=

scribe from this list

ISC funds the development of this software with paid support subscripti=

ons. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users=40lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Zhiyong Cheng

--5f0dd95e_74de0ee3_17b03
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<html xmlns=3D=22http://www.w3.org/1999/xhtml=22>
<head>
<title></title>
</head>
<body>
<div name=3D=22messageReplySection=22>=E5=9C=A8 2020=E5=B9=B47=E6=9C=8814= =E6=97=A5 +0800 PM9:06=EF=BC=8CPer Weisteen <perw=40compute-it.no>=EF= =BC=8C=E5=86=99=E9=81=93=EF=BC=9A 
<blockquote type=3D=22cite=22 style=3D=22border-left-color:=231abc9c; mar= gin:5px 5px; padding-left:10px; border-left-width:thin; border-left-style= :solid;=22>Hi 
 
I've a BIND setup with my ISP with two views, one external and one intern=
al. At the same time I also need to be able to do a dynamic update from s=
ome addresses within the internal range. This worked ok before I had to d= efine my two views. 
 
I'd be very grateful if someone could suggest what I'm doing wrong. My IS=
P is running BIND 9.11.4. 
 
&=23160;Due to the ISPs need to have control over the BIND setup I'm just=
allowed to add my config via include files. 
 
&=23160; 
Zones.mydomains.config file contains: 

include =22keys/mydomains-keys.conf=22;
include =22keys/zone1-keys.conf=22;
include =22keys/zone2-keys.conf=22;

acl external =7B 10.222.33.0/18; 10.222.44.0/18; =7D;<= /span>
acl internal =7B 10.11.0.0/16; 10.12.0.0/16; =7D;</spa= n>

//////
// zone1 and zone2 keys used to ensure correct zone tr= ansfer from slave
//////

view =22external-sites=22 =7B
match-clients =7B =21key zone2.key; key zone1.key; ext= ernal; =7D;

 zone =22aa.example.net=22 =7B
type master;=

file =22zones.master/aa-view1.example.net=22;</=

notify explicit;
also-notify =7B 10.12.143.56 key zone1.key; =7D;</span= >
update-policy =7B
grant =22ext-update.key.=22 name web.aa.example.net. C= NAME;
=7D;
=7D;

include =22zones.common.config.view1=22;

=7D; // End view =22external-sites=22

view =22internal-sites=22 =7B
match-clients =7B =21key zone1.key; key zone2.key; int= ernal; localhost; =7D;

zone =22aa.example.net=22 =7B
type master;
file =22zones.master/aa-view2.example.net=22;</=

notify explicit;
also-notify =7B 10.12.143.56 key zone2.key; =7D;</span= >
update-policy =7B
grant =22int-update.key.=22 name web.aa.example.net. C= NAME;
=7D;
=7D;

include =22zones.common.config.view2=22;

=7D; // End view =22grus-zone2=22



view =22default=22 =7B
match-clients =7B any; =7D;

include =22zones.common.config.view2=22;

=7D; // End view =22def= ault=22

mydomains-keys.conf file contains :

key ext-update.key. =7B

algorithm HMAC-SHA512;

secret =22secret2=22;

=7D;



key int-update.key. =7B

algorithm HMAC-SHA512;

secret =22secret3=22;

=7D;


Error message in /var/log/named/named.log is : 
 
10-Jul-2020 13:27:14.695 update: info: cl=
ient =400x7f0a200a9b30 10.124.15.148=2364606/key arc-zone2.key: view grus= -zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by s= ecure update (RE=46USED)

10-Jul-2020 13:28:13.883 update: info: cl=
ient =400x7f0a200a9b30 10.124.15.148=2364606/key arc-zone2.key: view grus= -zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by s= ecure update (RE=46USED)



&=23160;&=23160;
</blockquote>
<div> </div>
<div>It seems that you have used a key named arc-zone2.key for updating b=
ut only&=23160;</div>
<div>allow int-update.key for updating in configuration=3F</div>
<div> </div>
<blockquote type=3D=22cite=22 style=3D=22border-left-color:=231abc9c; mar= gin:5px 5px; padding-left:10px; border-left-width:thin; border-left-style= :solid;=22>
<pre class=3D=22moz-signature=22 cols=3D=2272=22>-- =20
Best regards,
Per Weisteen

</pre> =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F 
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubsc=
ribe from this list 
 
ISC funds the development of this software with paid support subscription=
s. Contact us at https://www.isc.org/contact/ for more information. =

 
 
bind-users mailing list 
bind-users=40lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users&=23160; </blockquo=

 
<div>Zhiyong Cheng</div>
</div>
</body>
</html>

--5f0dd95e_74de0ee3_17b03--

--- Synchronet 3.18a-Linux NewsLink 1.113

From Per Weisteen@perw@compute-it.no to Zhiyong Cheng on Thu Jul 16 09:56:58 2020

From Newsgroup: comp.protocols.dns.bind

This is a multi-part message in MIME format. --------------A12A63BD7283B5A80F5C0C33
Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit

On 14.07.2020 18:11, Zhiyong Cheng wrote:

在 2020年7月14日 +0800 PM9:06，Per Weisteen <perw@compute-it.no>，写道：

Hi

I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic
update from some addresses within the internal range. This worked ok
before I had to define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong.
My ISP is running BIND 9.11.4.

Due to the ISPs need to have control over the BIND setup I'm just
allowed to add my config via include files.

Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";

include "keys/zone1-keys.conf";

include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };

acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//////

// zone1 and zone2 keys used to ensure correct zone transfer from slave

//////

view "external-sites" {

match-clients { !key zone2.key; key zone1.key; external; };

zone "aa.example.net" {

type master;

file "zones.master/aa-view1.example.net";

notify explicit;

also-notify { 10.12.143.56 key zone1.key; };

update-policy {

grant "ext-update.key." name web.aa.example.net. CNAME;

};

};

include "zones.common.config.view1";

}; // End view "external-sites"

view "internal-sites" {

match-clients { !key zone1.key; key zone2.key; internal; localhost; };

zone "aa.example.net" {

type master;

file "zones.master/aa-view2.example.net";

notify explicit;

also-notify { 10.12.143.56 key zone2.key; };

update-policy {

grant "int-update.key." name web.aa.example.net. CNAME;

};

};

include "zones.common.config.view2";

}; // End view "grus-zone2"

view "default" {

match-clients { any; };

include "zones.common.config.view2";

}; // End view "default"

mydomains-keys.conf file contains :

key ext-update.key. {

algorithm HMAC-SHA512;

secret "secret2";

};

key int-update.key. {

algorithm HMAC-SHA512;

secret "secret3";

};

Error message in /var/log/named/named.log is :

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)

It seems that you have used a key named arc-zone2.key for updating but
only
allow int-update.key for updating in configuration?

--
Best regards,
Per Weisteen

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Zhiyong Cheng

Hi

I've managed to paste wrong error messages. The correct was :

10-Jul-2020 13:21:24.571 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)

10-Jul-2020 13:21:24.759 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)

I'll try Mark's suggestion.

Per W.

--------------A12A63BD7283B5A80F5C0C33
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
On 14.07.2020 18:11, Zhiyong Cheng wrote: 
<blockquote type="cite"
cite="mid:2324a085-c5c1-46d7-8831-f07453e15b35@Spark">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title></title>
<div name="messageReplySection">在 2020年7月14日 +0800 PM9:06，Per
Weisteen <a class="moz-txt-link-rfc2396E" href="mailto:perw@compute-it.no"><perw@compute-it.no></a>，写道： 
<blockquote type="cite" style="border-left-color:#1abc9c;
margin:5px 5px; padding-left:10px; border-left-width:thin;
border-left-style:solid;">Hi 
 
I've a BIND setup with my ISP with two views, one external and
one internal. At the same time I also need to be able to do a
dynamic update from some addresses within the internal range.
This worked ok before I had to define my two views. 
 
I'd be very grateful if someone could suggest what I'm doing
wrong. My ISP is running BIND 9.11.4. 
 
Due to the ISPs need to have control over the BIND setup I'm
just allowed to add my config via include files. 
 
 
Zones.mydomains.config
file contains: 


include
"keys/mydomains-keys.conf";
include
"keys/zone1-keys.conf";
include
"keys/zone2-keys.conf";

acl external {
10.222.33.0/18; 10.222.44.0/18; };
acl internal {
10.11.0.0/16; 10.12.0.0/16; };

//////
// zone1 and
zone2 keys used to ensure correct zone transfer from slave
//////

view
"external-sites" {
match-clients {
!key zone2.key; key zone1.key; external; };

 zone "aa.example.net" {
type master;
file
"zones.master/aa-view1.example.net";
notify explicit;
also-notify {
10.12.143.56 key zone1.key; };
update-policy {
grant
"ext-update.key." name web.aa.example.net. CNAME;
};
};

include
"zones.common.config.view1";

}; // End view
"external-sites"

view
"internal-sites" {
match-clients {
!key zone1.key; key zone2.key; internal; localhost; };

zone
"aa.example.net" {
type master;
file
"zones.master/aa-view2.example.net";
notify explicit;
also-notify {
10.12.143.56 key zone2.key; };
update-policy {
grant
"int-update.key." name web.aa.example.net. CNAME;
};
};

include
"zones.common.config.view2";

}; // End view
"grus-zone2"



view "default" {
match-clients {
any; };

include
"zones.common.config.view2";

}; // End view "default"

mydomains-keys.conf file contains :
key ext-update.key. {
algorithm HMAC-SHA512;
secret "secret2";
};

key int-update.key. {
algorithm HMAC-SHA512;
secret "secret3";
};

Error
message in /var/log/named/named.log is : 

 

10-Jul-2020 13:27:14.695
update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed:
rejected by secure update (REFUSED)
10-Jul-2020 13:28:13.883
update: info: client @0x7f0a200a9b30
10.124.15.148#64606/key arc-zone2.key: view grus-zone2:
updating zone 'pacs.telenor.net/IN': update failed:
rejected by secure update (REFUSED)


 
</blockquote>
<div> 
</div>
<div>It seems that you have used a key named arc-zone2.key for
updating but only </div>
<div>allow int-update.key for updating in configuration?</div>
<div> 
</div>
<blockquote type="cite" style="border-left-color:#1abc9c;
margin:5px 5px; padding-left:10px; border-left-width:thin;
border-left-style:solid;">
<pre class="moz-signature" cols="72">--
Best regards,
Per Weisteen

</pre>
_______________________________________________ 
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list 
 
ISC funds the development of this software with paid support
subscriptions. Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for
more information. 
 
 
bind-users mailing list 
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a> 
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> 
</blockquote>
 
<div>Zhiyong Cheng</div>
</div>
</blockquote>
 
 
Hi 
 
I've managed to paste wrong error messages. The correct was : 
 
10-Jul-2020
13:21:24.571 update: info: client @0x7f09500f432c
10.11.131.23#5175/key int-update.key: view internal-sites:
updating zone 'aa.example.net/IN': update failed: rejected by
secure update (REFUSED)

10-Jul-2020
13:21:24.759 update: info: client @0x7f09500f432c
10.11.131.23#5175/key int-update.key: view internal-sites:
updating zone 'aa.example.net/IN': update failed: rejected by
secure update (REFUSED) 
 
 
I'll try Mark's suggestion. 
 
Per W. 
</body>
</html>

--------------A12A63BD7283B5A80F5C0C33--
--- Synchronet 3.18a-Linux NewsLink 1.113

Sysop:	DaiTengu
Location:	Appleton, WI
Users:	991
Nodes:	10 (0 / 10)
Uptime:	146:07:35
Calls:	12,962
Files:	186,574
Messages:	3,266,537

Dynamic update rejected within a view

Who's Online

System Info