You can't update multiple views with a single update message. Use two update commands. The update is being processed by the first view and the policy in the internal zone doesn't allow you to update *every* record you are attempting to update so the whole update is refused.

Also use two different keys for internal and external. You currently can only update the internal view as the key is common to both views and you are using it in match-clients to select which view is matched.

    match-clients { !key external ; key internal ; ... };

    match-clients { !key internal ; key external ; ... };

Mark

In message <1432655713.2057519.278447305.2152c...@webmail.messagingengine.com>, PGNd writes:
> I run
>
>     named -v
>         BIND 9.10.2
>
> in split-horizon mode with two views
>
>     view "internal" {
>     view "external" {
>
> For a single zone
>
>     MYDOMAIN.com
>
> I'm targeting two hostnames in the zone
>
>     test.MYDOMAIN.com
>     external.test.MYDOMAIN.com
>
> for dynamic updates. At any given time, the A records should return
>
>     view=internal:
>         dig A test.MYDOMAIN.com +short
>             A.B.C.D
>         dig A external.test.MYDOMAIN.com +short
>             10.1.1.14
>
>     view=external:
>         dig A test.MYDOMAIN.com +short
>             A.B.C.D
>         dig A external.test.MYDOMAIN.com +short
>             A.B.C.D
>
> I want to dynamically update A.B.C.D, using 'nsupdate'. I.e., I'll update
>
>     internal: external.test.MYDOMAIN.com
>     external: test.MYDOMAIN.com
>     external: external.test.MYDOMAIN.com
>
> In my dns conf
>
>     cat named.conf
>         ...
>         acl presgrp_internal { localhost; 10.1.1.0/24; 2001:xxx:xxxx:xxx::/64; };
>         ...
>         view "internal" {
>             match-clients { key test-key; presgrp_internal; };
>             ...
>             zone "MYDOMAIN.com" {
>                 type master; file "/namedb/master/internal.MYDOMAIN.com.zone";
>                 update-policy {
>                     grant brahms-rndc-key zonesub ANY;
>                     grant test-key name external.test.MYDOMAIN.com ANY;
>                 };
>             };
>         ...
>         view "external" {
>             match-clients { key test-key; any; };
>             ...
>             zone "MYDOMAIN.com" IN {
>                 type master; file "/namedb/master/MYDOMAIN.com.zone";
>                 update-policy {
>                     grant test-key name test.MYDOMAIN.com ANY;
>                     grant test-key name external.test.MYDOMAIN.com ANY;
>                 };
>             };
>         ...
>
> I have an update script
>
>     cat dyn-update.sh
>         #!/bin/sh
>         IP=$1
>
>         NSUPDATE="/usr/local/bind9/bin/nsupdate"
>         RNDC="/usr/local/bind9/sbin/rndc"
>         KEYFILE="/usr/local/etc/named/keys/test.rndc.key"
>
>         SERVER="2001:xxx:xxxx:xxx::100"
>         ZONE="MYDOMAIN.com"
>         HOST="test"
>
>         cat <<EOF | ${NSUPDATE} -k ${KEYFILE} -v
>         server ${SERVER}
>         zone ${ZONE}
>         local ::1
>         update delete ${HOST}.${ZONE}. ANY
>         update delete external.${HOST}.${ZONE}. ANY
>         update add ${HOST}.${ZONE}. 5 A ${IP}
>         update add external.${HOST}.${ZONE}. 5 A ${IP}
>         update add ${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
>         update add external.${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
>         show
>         send
>         EOF
>
>         ${RNDC} reload
>
> where
>
>     cat /usr/local/etc/named/keys/test.rndc.key
>         key "test-key" {
>             algorithm hmac-md5;
>             secret "gcNd3eCe87cc3FefDD8e5Z==";
>         };
>
> On exec of the update script
>
>     sh dyn-update.sh 11.22.33.44
>         Outgoing update query:
>         ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>         ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>         ;; ZONE SECTION:
>         ;MYDOMAIN.com. IN SOA
>
>         ;; UPDATE SECTION:
>         test.MYDOMAIN.com. 0 ANY ANY
>         external.test.MYDOMAIN.com. 0 ANY ANY
>         test.MYDOMAIN.com. 5 IN A 11.22.33.44
>         external.test.MYDOMAIN.com. 5 IN A 11.22.33.44
>         test.MYDOMAIN.com. 5 IN TXT "Updated on Tue May 26 08:25:40 PDT 2015"
>         external.test.MYDOMAIN.com. 5 IN TXT "Updated on Tue May 26 08:25:40 PDT 2015"
>
>         update failed: REFUSED
>         server reload successful
>
> The update's "REFUSED". With log config @ debug verbosity
>
>     ...
>     logging {
>         ...
>         channel loglevel_debug {
>             syslog; print-category yes; print-severity yes; print-time yes;
>             severity debug;
>         };
>         ...
>         category update-security { loglevel_debug; };
>     ...
>
> logs show only
>
>     May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: info: client ::1#56064/key test-key: view internal: signer "test-key" denied
>     May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: error: client ::1#56064/key test-key: view internal: update 'MYDOMAIN.com/IN' denied
>
> Why is that update being denied? Likely I've misconfigured ... but what?
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
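
The two-message, two-key approach from the reply above, as an added example that is not part of the thread and not ISC's code: each view gets its own update message, signed with that view's key and naming only records that view's update-policy grants. The key names follow the match-clients lines in the reply; the key file paths, the `DYN_SEND` switch, the helper function names and the `2001:db8::100` server address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). One update message per view, each
# signed with that view's own key and naming only records that view's
# update-policy grants. Key file paths and SERVER are assumed placeholders.
SERVER="2001:db8::100"                                  # placeholder address
ZONE="MYDOMAIN.com"
HOST="test"
INTERNAL_KEY="/usr/local/etc/named/keys/internal.key"   # assumed path
EXTERNAL_KEY="/usr/local/etc/named/keys/external.key"   # assumed path

# Names each view's update-policy grants to its key (mirrors the posted grants).
granted_names() {
    case "$1" in
        internal) echo "external.$HOST.$ZONE" ;;
        external) echo "$HOST.$ZONE external.$HOST.$ZONE" ;;
    esac
}

# Local pre-check modelling the behaviour described in the reply: if any one
# name is not granted, the whole message is refused. Usage: batch_allowed VIEW NAME...
batch_allowed() {
    view=$1; shift
    for name in "$@"; do
        case " $(granted_names "$view") " in
            *" $name "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print an nsupdate batch for one view. Usage: build_batch VIEW IP NAME...
build_batch() {
    view=$1; ip=$2; shift 2
    batch_allowed "$view" "$@" || { echo "refused by $view policy" >&2; return 1; }
    printf 'server %s\nzone %s\n' "$SERVER" "$ZONE"
    for name in "$@"; do
        printf 'update delete %s. A\nupdate add %s. 5 A %s\n' "$name" "$name" "$ip"
    done
    printf 'send\n'
}

# Send both messages only when asked: DYN_SEND=1 sh dyn-update.sh 11.22.33.44
if [ "${DYN_SEND:-0}" = 1 ]; then
    build_batch internal "$1" "external.$HOST.$ZONE" | nsupdate -k "$INTERNAL_KEY"
    build_batch external "$1" "$HOST.$ZONE" "external.$HOST.$ZONE" | nsupdate -k "$EXTERNAL_KEY"
fi
```

Because nsupdate applies updates to the zone dynamically, no `rndc reload` is needed after the two sends.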