On 14 July 2020 at 9:06 PM +0800, Per Weisteen <p...@compute-it.no> wrote:
> Hi
>
> I've a BIND setup with my ISP with two views, one external and one internal.
> At the same time I also need to be able to do a dynamic update from some
> addresses within the internal range. This worked ok before I had to define my
> two views.
>
> I'd be very grateful if someone could suggest what I'm doing wrong. My ISP is
> running BIND 9.11.4.
>
> Due to the ISP's need to have control over the BIND setup I'm just allowed to
> add my config via include files.
>
>
> Zones.mydomains.config file contains:
> include "keys/mydomains-keys.conf";
> include "keys/zone1-keys.conf";
> include "keys/zone2-keys.conf";
> acl external { 10.222.33.0/18; 10.222.44.0/18; };
> acl internal { 10.11.0.0/16; 10.12.0.0/16; };
> //////
> // zone1 and zone2 keys used to ensure correct zone transfer from slave
> //////
> view "external-sites" {
>     match-clients { !key zone2.key; key zone1.key; external; };
>     zone "aa.example.net" {
>         type master;
>         file "zones.master/aa-view1.example.net";
>         notify explicit;
>         also-notify { 10.12.143.56 key zone1.key; };
>         update-policy {
>             grant "ext-update.key." name web.aa.example.net. CNAME;
>         };
>     };
>     include "zones.common.config.view1";
> }; // End view "external-sites"
> view "internal-sites" {
>     match-clients { !key zone1.key; key zone2.key; internal; localhost; };
>     zone "aa.example.net" {
>         type master;
>         file "zones.master/aa-view2.example.net";
>         notify explicit;
>         also-notify { 10.12.143.56 key zone2.key; };
>         update-policy {
>             grant "int-update.key." name web.aa.example.net. CNAME;
>         };
>     };
>     include "zones.common.config.view2";
> }; // End view "grus-zone2"
> view "default" {
>     match-clients { any; };
>     include "zones.common.config.view2";
> }; // End view "default"
>
> mydomains-keys.conf file contains :
> key ext-update.key. {
>     algorithm HMAC-SHA512;
>     secret "secret2";
> };
> key int-update.key. {
>     algorithm HMAC-SHA512;
>     secret "secret3";
> };
>
> Error message in /var/log/named/named.log is :
>
> 10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30
> 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
> 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
> 10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30
> 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone
> 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
>

It seems that you have used a key named arc-zone2.key for updating but only allow int-update.key for updating in configuration?

> --
> Best regards,
> Per Weisteen
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Zhiyong Cheng
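The mismatch raised in the reply can be checked mechanically by comparing the TSIG key that named logs on each refused update with the identities the zone's update-policy grants. The script below is an added example, not part of the thread; it embeds one log line and the internal view's update-policy as posted (the log shows un-anonymised names), and its function names are hypothetical.

```python
import re

# Constructed inputs: one refusal from the thread's named.log excerpt and the
# internal view's update-policy, both copied from the quoted message.
LOG = ("10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 "
       "10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone "
       "'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)\n")
CONFIG = '''
update-policy {
    grant "int-update.key." name web.aa.example.net. CNAME;
};
'''

REFUSED = re.compile(
    r"client (?:@\S+ )?(?P<addr>[0-9a-fA-F.:]+)#\d+"
    r"(?:/key (?P<key>\S+?))?: view (?P<view>[^:]+): "
    r"updating zone '(?P<zone>[^'/]+)/IN': update failed: "
    r"rejected by secure update \(REFUSED\)")
# Only "grant" statements are read; the first token after it is the identity.
GRANT = re.compile(r'\bgrant\s+"?([^\s";]+)"?\s+\S+')

def norm(name):
    """Key names are DNS names: compare case-insensitively, ignore trailing dot."""
    return name.lower().rstrip(".")

def granted_keys(config_text):
    """Identities named in update-policy grant statements."""
    return {norm(m.group(1)) for m in GRANT.finditer(config_text)}

def explain_refusals(log_text, config_text):
    """Return (client, view, zone, reason) for each refused dynamic update."""
    allowed = granted_keys(config_text)
    findings = []
    for m in REFUSED.finditer(log_text):
        key = m.group("key")
        if key is None:
            reason = "request carried no key, so no key-named grant can match"
        elif norm(key) not in allowed:
            reason = f"signed with {key}; granted identities are {sorted(allowed)}"
        else:
            reason = "key is granted; check the rule's name and record type"
        findings.append((m.group("addr"), m.group("view"), m.group("zone"), reason))
    return findings

if __name__ == "__main__":
    for finding in explain_refusals(LOG, CONFIG):
        print(*finding, sep=" | ")
```
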