key-restricted nsupdate of internal view's zone's host REFUSED with 'signer "<key>" denied' ?

I run

	named -v
		BIND 9.10.2

in split-horizon mode with two views

	view "internal" {
	view "external" {

For a single zone

	MYDOMAIN.com

I'm targeting two hostnames in the zone

	               test.MYDOMAIN.com
	      external.test.MYDOMAIN.com

for dynamic updates.  At any given time, the A records should return

	view=internal:
		dig A test.MYDOMAIN.com +short
			A.B.C.D
		dig A external.test.MYDOMAIN.com +short
			10.1.1.14

	view=external:
		dig A test.MYDOMAIN.com +short
			A.B.C.D
		dig A external.test.MYDOMAIN.com +short
			A.B.C.D

I want to dynamically update A.B.C.D, using 'nsupdate'.  I.e., I'll update

	internal: external.test.MYDOMAIN.com
	external:          test.MYDOMAIN.com
	external: external.test.MYDOMAIN.com

In my dns conf

	cat named.conf
		...
		acl presgrp_internal { localhost; 10.1.1.0/24; 2001:xxx:xxxx:xxx::/64; };
		...
		view "internal" {
		  match-clients { key test-key; presgrp_internal; };
		...
		  zone "MYDOMAIN.com" {
		    type master; file "/namedb/master/internal.MYDOMAIN.com.zone";
		    update-policy {
		      grant brahms-rndc-key zonesub ANY;
		      grant test-key name external.test.MYDOMAIN.com ANY;
		    };
		  };
		...
		view "external" {
		  match-clients { key test-key; any; };
		...
		  zone "MYDOMAIN.com" IN {
		    type master; file "/namedb/master/MYDOMAIN.com.zone";
		    update-policy {
		      grant test-key name          test.MYDOMAIN.com ANY;
		      grant test-key name external.test.MYDOMAIN.com ANY;
		    };
		  };
		...

I have an update script 

	cat dyn-update.sh
		#!/bin/sh
		IP=$1

		NSUPDATE="/usr/local/bind9/bin/nsupdate"
		RNDC="/usr/local/bind9/sbin/rndc"
		KEYFILE="/usr/local/etc/named/keys/test.rndc.key"

		SERVER="2001:xxx:xxxx:xxx::100"
		ZONE="MYDOMAIN.com"
		HOST="test"

		cat <<EOF | ${NSUPDATE} -k ${KEYFILE} -v
		server ${SERVER}
		zone ${ZONE}
		local ::1
		update delete          ${HOST}.${ZONE}. ANY
		update delete external.${HOST}.${ZONE}. ANY
		update add             ${HOST}.${ZONE}. 5 A ${IP}
		update add    external.${HOST}.${ZONE}. 5 A ${IP}
		update add             ${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
		update add    external.${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
		show
		send
		EOF

		${RNDC} reload

where

	cat /usr/local/etc/named/keys/test.rndc.key
		key "test-key" {
		  algorithm hmac-md5;
		  secret "gcNd3eCe87cc3FefDD8e5Z==";
		};

On exec of the update script

	sh dyn-update.sh 11.22.33.44
		Outgoing update query:
		;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
		;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
		;; ZONE SECTION:
		;MYDOMAIN.com.                 IN      SOA

		;; UPDATE SECTION:
		test.MYDOMAIN.com. 0       ANY     ANY
		external.test.MYDOMAIN.com. 0 ANY  ANY
		test.MYDOMAIN.com. 5       IN      A       11.22.33.44
		external.test.MYDOMAIN.com. 5 IN   A       11.22.33.44
		test.MYDOMAIN.com. 5       IN      TXT     "Updated on Tue May 26 08:25:40 PDT 2015"
		external.test.MYDOMAIN.com. 5 IN   TXT     "Updated on Tue May 26 08:25:40 PDT 2015"

		update failed: REFUSED
		server reload successful

The update's "REFUSED".  With log config @ debug verbosity

	...
	logging {
	...
	  channel loglevel_debug {
	    syslog; print-category yes; print-severity yes; print-time yes;
	    severity debug;
	  };
	...
	  category update-security { loglevel_debug;   };
	...

logs show only

	May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: info: client ::1#56064/key test-key: view internal: signer "test-key" denied
	May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: error: client ::1#56064/key test-key: view internal: update 'MYDOMAIN.com/IN' denied

Why is that update being denied?  Likely I've misconfigured ... but what?

PGNd
5/26/2015 3:55:13 PM
comp.protocols.dns.bind

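A small evaluator, added here as an illustration and not part of the original post, that replays BIND's update-policy semantics against the posted named.conf and the names touched by dyn-update.sh: it picks the view the way match-clients does for a TSIG-signed request (a `key` entry matches on the signing key before any address ACL is consulted), then checks each update name against that view's grant rules in order and reports every name that no rule grants, which is what makes BIND refuse the whole batch. Assumed: the grant rules and names exactly as posted; only the `name` and `zonesub` nametypes are modelled.

```python
# Added example, not from the original post: replay BIND's update-policy
# check for the batch in dyn-update.sh. A signed request matches a "key"
# entry in match-clients regardless of source address; rules are tried per
# RR in order, the first match decides, and an RR with no matching rule is
# denied, which makes the whole update REFUSED.

ZONE = "MYDOMAIN.com"
# Views, their match-clients entries and update-policy rules, as posted.
VIEWS = {
    "internal": (["key test-key", "presgrp_internal"],
                 [("grant", "brahms-rndc-key", "zonesub", None),
                  ("grant", "test-key", "name", "external.test.MYDOMAIN.com")]),
    "external": (["key test-key", "any"],
                 [("grant", "test-key", "name", "test.MYDOMAIN.com"),
                  ("grant", "test-key", "name", "external.test.MYDOMAIN.com")]),
}
# Names touched by the update/delete lines of the posted nsupdate batch.
BATCH = ["test.MYDOMAIN.com.", "external.test.MYDOMAIN.com."]

def _norm(name):
    return name.rstrip(".").lower()

def select_view(signer, views=VIEWS):
    """First view (in file order) listing the signing key; address ACLs not modelled."""
    for view, (clients, _) in views.items():
        if f"key {signer}" in clients:
            return view
    return None

def rule_matches(rule, signer, rrname, zone=ZONE):
    _, identity, nametype, target = rule
    if identity != signer:
        return False
    rrname = _norm(rrname)
    if nametype == "name":       # exact name only
        return rrname == _norm(target)
    if nametype == "zonesub":    # any name at or below the zone apex
        return rrname == _norm(zone) or rrname.endswith("." + _norm(zone))
    raise ValueError(f"nametype {nametype!r} not modelled")

def check_update(signer, rrnames, view=None, views=VIEWS):
    """Return (view, names no rule grants); any such name refuses the update."""
    view = view or select_view(signer, views)
    rules = views[view][1]
    denied = [n for n in rrnames
              if next((r[0] for r in rules if rule_matches(r, signer, n)), "deny") != "grant"]
    return view, denied

if __name__ == "__main__":
    view, denied = check_update("test-key", BATCH)
    print(f"view {view}: no grant for {denied or 'nothing'}")
```

Passing `view="external"` shows the same batch would be accepted if the request landed in the external view, which isolates the view selection as the thing to look at.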