On Wed, May 13, 2020 at 3:20 AM Pete Fry <cadel2...@googlemail.com> wrote:
> Bob
>
> thanks for the reply and the correction (the acl doesn't have a !, it was
> a cut and paste error when I was trying to remove some information).
>
> the TSIG works when from other linux machine via nsupdate etc, however I'm
> trying to figure out how to get the windows machines to do the same and was
> trying to follow this
>
> http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update
>
> Regards
>
> Pete
>

Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG, not
regular TSIG. Not sure how or if that can be solved.

-- 
Bob Harold

> On Tue, 12 May 2020 at 13:40, Bob Harold <rharo...@umich.edu> wrote:
>
>>
>> On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
>> bind-users@lists.isc.org> wrote:
>>
>>> All
>>>
>>> I've inherited a BIND environment and I'm trying to understand a few
>>> things as currently we are experiencing an issue related to DDNS.
>>>
>>> we have
>>>
>>> site 1
>>> hostA
>>>
>>> site 2
>>> hostB
>>>
>>> We have a HArecord, and we want HostA or HostB to be able to update the
>>> HArecord (i.e. failover cluster type configuration)
>>>
>>> config:
>>> Zone file:
>>>
>>> zone "TEST" {
>>>     check-names ignore;
>>>     type master;
>>>     file "/var/named/dynamic/TEST";
>>>     allow-update {
>>>         auth-dns;
>>>         dynamic-TEST;
>>>     };
>>> };
>>>
>>> lists.conf
>>>
>>> acl dynamic-update-ads {
>>>     192.168.2.1 // hostA
>>>     192.168.5.1 // hostB
>>>     dynamic-TEST-tsig;
>>> };
>>>
>>> acl dynamic-TEST-tsig {
>>>     // any host which is not..
>>>     !{
>>>         // not in the new acls
>>>         !dynamic-test-site1;
>>>         !dynamic-test-site2;
>>>         any;
>>>     };
>>>     // but has the key
>>>     key TEST-key;
>>> };
>>>
>>
>> For testing purposes, start with a simpler acl, like:
>>
>> acl dynamic-TEST-tsig {
>>     key TEST-key;
>> };
>>
>> And see if that works.
>>
>>
>>>
>>> acl !dynamic-test-site1 {
>>>     192.168.2.1/32; // HostA
>>> };
>>>
>>> acl !dynamic-test-site2 {
>>>     192.168.5.1/32; // HostB
>>> };
>>>
>>>
>> "acl !" seems wrong to me. Is that a legal syntax? And if so, what does
>> it mean?
>>
>> --
>> Bob Harold
>>
>>
>>> however these windows machines keep saying bad key, I know I'm missing
>>> something obvious but how do I get this to work?
>>>
>>> happy to be able to give the key to the windows boxes if anyone knows but
>>> I'm drawing a blank
>>>
>>> Regards
>>>
>>> Cade
>>>
>>>
>>
>
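Added example, not part of the thread and not BIND code: a simplified Python model of address-match-list evaluation, run on the nested ACL quoted above with the stray `!` dropped from the ACL names, as Pete's correction says. It assumes first-match-wins ordering and that a nested list ending in a rejection counts as no match for the outer list; the `(negated, kind, value)` tuple encoding and the function names are constructed for this example.

```python
# Added example: simplified model of BIND 9 address-match-list evaluation.
# Assumed rules: elements are tried in order and the first hit decides; a
# negated element that hits rejects; a nested list that ends in a rejection
# is "no match" for the outer list, so evaluation moves to the next element.
import ipaddress

def match(acl, addr, key):
    """Return True (accept), False (reject) or None (nothing matched)."""
    for negated, kind, value in acl:
        if kind == "any":
            hit = True
        elif kind == "net":
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value)
        elif kind == "key":
            hit = key == value
        else:  # "acl": nested list, only a positive inner result is a hit
            hit = match(value, addr, key) is True
        if hit:
            return not negated
    return None

def allowed(acl, addr, key=None):
    return match(acl, addr, key) is True

# ACLs from the thread, as (negated, kind, value) tuples (constructed encoding).
SITE1 = [(False, "net", "192.168.2.1/32")]  # HostA
SITE2 = [(False, "net", "192.168.5.1/32")]  # HostB
# acl dynamic-TEST-tsig { !{ !site1; !site2; any; }; key TEST-key; };
DYNAMIC_TEST_TSIG = [
    (True, "acl", [(True, "acl", SITE1), (True, "acl", SITE2), (False, "any", None)]),
    (False, "key", "TEST-key"),
]
# Bob's simpler test ACL: acl dynamic-TEST-tsig { key TEST-key; };
KEY_ONLY = [(False, "key", "TEST-key")]

if __name__ == "__main__":
    cases = [("192.168.2.1", "TEST-key"), ("192.168.5.1", "TEST-key"),
             ("192.168.2.1", None), ("192.168.9.9", "TEST-key")]  # constructed
    for addr, key in cases:
        print(addr, key, "nested:", allowed(DYNAMIC_TEST_TSIG, addr, key),
              "key-only:", allowed(KEY_ONLY, addr, key))
```

In this model a request from HostA or HostB that is not signed with TEST-key is refused, while the key-only test ACL accepts the key from any address.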