In the dnssec.log file I only found references to normal key rotation.
Adding the section for update_security and running at trace 99 didn't provide _any_ update_security log output, nor did it provide any extra output to the update log.
Even when running in single combined log format I couldn't find any messages beyond "REFUSED".
It looks like the logging in the update section requires some directive I have been unable to figure out.
I did find the issue with the updates, it was a typo in the object that was allowed to be updated. Not the A nor the AAA part, but the named object in the had a typo in the domain portion. My entries in the update-policy section are in the form: grant <key> <type> <object>.<domain>.<tld>. <allowed resource(s)>;
No clue why it appeared to be working before. Would be really nice to have some kind of log message, perhaps like "named object not listed in policy for <key>".
-Erik

On 5/28/24 12:48 AM, Crist Clark wrote:
Have you looked in the "dnssec" logs? That may contain info about TSIG processing. Also, I didn't see the "update-security" category in your shared configuration. Not sure those have what you are looking for. You did look at the descriptions of all of the categories? https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-category
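As an added illustration (not code from the post, nor from BIND itself), a small Python checker that parses grant rules in the form Erik quotes and reports why an update would be refused, producing the "named object not listed in policy" diagnostic he wishes named logged. The key and host names are constructed placeholders, and the name/subdomain matching is a simplified approximation of named's update-policy evaluation, not the real thing.

```python
import re

# Constructed named.conf fragment in the grant form quoted in the thread:
# grant <key> name <object>.<domain>.<tld>. <types>;
# Key and host names are placeholders, not values from the post; the second
# rule carries the kind of domain-portion typo the post describes.
POLICY = """
update-policy {
    grant ddns-key name host1.example.net. A AAAA;
    grant ddns-key name host2.exmaple.net. A AAAA;   # "exmaple": typo
    grant ddns-key subdomain dyn.example.net.;       # no types = any type
};
"""

STATEMENT_RE = re.compile(r'\bgrant\s+([^;]+);')


def parse_policy(text):
    """Extract 'name' and 'subdomain' grant rules; other rule types are skipped."""
    rules = []
    for m in STATEMENT_RE.finditer(text):
        tokens = m.group(1).split()
        if len(tokens) < 3 or tokens[1] not in ('name', 'subdomain'):
            continue
        key, match, target, *rrtypes = tokens
        rules.append({'key': key, 'match': match,
                      'target': target.lower().rstrip('.'),
                      'rrtypes': {t.upper() for t in rrtypes}})  # empty = any
    return rules


def check_update(rules, key, name, rrtype):
    """Return (granted, reason); reason is the diagnostic a refusal should carry."""
    name = name.lower().rstrip('.')
    key_rules = [r for r in rules if r['key'] == key]
    if not key_rules:
        return False, f"no grant rule for key {key}"
    for r in key_rules:
        exact = name == r['target']
        below = r['match'] == 'subdomain' and name.endswith('.' + r['target'])
        if exact or below:
            if not r['rrtypes'] or rrtype.upper() in r['rrtypes']:
                return True, f"granted by rule for {r['target']}"
            return False, f"{name} matches the rule but type {rrtype} is not allowed"
    return False, f"named object {name} not listed in policy for key {key}"


if __name__ == '__main__':
    rules = parse_policy(POLICY)
    # The typo'd rule never matches the real host name, so this is refused.
    print(check_update(rules, 'ddns-key', 'host2.example.net.', 'AAAA'))
```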
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users