A quick follow-up for posterity, this was resolved by manually editing
the bind 9.18 zone files and removing all DNSSEC records.
On 2024-10-22 9:57 p.m., Paul Galbraith wrote:
I am getting this error with bind 9.20.2, when trying to delete a
record with nsupdate on the same host. Using
> };
> notify explicit;
>
>
>...
>
> zone "example.com" in {
>type master;
>file "master/example.com.zone";
>update-policy local;
>check-names warn;
>forwarders {};
> };
>
>};
>---
>
{
type master;
file "master/example.com.zone";
update-policy local;
check-names warn;
forwarders {};
};
};
---
---
---
Command I use is
nsupdate -l -k se
I am getting this error with bind 9.20.2, when trying to delete a
record with nsupdate on the same host. Using rndc on the host to sign
the zone seems to work fine, so I'm quite confused. Is there any way to
get more detail about these "zone keys" that named "could n
In the dnssec.log file I only found references to normal key rotation.
Adding the section for update_security and running at trace 99 didn't
provide _any_ update_security log output, nor did it provide any extra
output to the update log.
even when running in single combined log format I coul
Please allow me to refocus this thread to the original question.
I'm asking about the logging facility with respect to the "update"
section of code in ISC's bind9 product.
Yes, I understand update-policy choices/errors will generate the REFUSED
response.
_I'm only asking about the logging f
> On 27 May 2024, at 16:06, Erik Edwards via bind-users
> wrote:
>
> Hello Mark & List,
>
> Thank you for responding, I'm running bind-9.18.26-1.fc40.x86_64 and using
> nsupdate 9.16.27-Debian to send the updates, using rndc Version: 9.18.26.
>
> I'm
Hello Mark & List,
Thank you for responding, I'm running bind-9.18.26-1.fc40.x86_64 and
using nsupdate 9.16.27-Debian to send the updates, using rndc Version:
9.18.26.
I'm issuing commands through rndc to set the trace level to 99 -> "rndc
trace 99". rndc see
turn on
debugging.
Stop making us guess which version of BIND you upgraded from. This is
bind-users, not Fedora support. F36-F39 is meaningless here.
If you are using nsupdate to send the UPDATE request turn on its debugging.
At the moment all you have said is that you have a problem but have
algorithm hmac-sha256;
named-checkconf -p shows the key with the matching name, algo, and secret.
When I mis-configure, change, or typo the secret it returns "BAD SECRET"
The error I'm seeing is "REFUSED" on a config that worked until the upgrade.
It worked on F36-F39, upgrades were seamless.
It doesn't answer your original question, but I suggest looking at the
'algorithm' of that key.
Might it be a hmac-md5 ?
If you 'named-conf -px' does it appear in the list of keys?
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
john.thurs...@alaska.g
How can I set debug level log for update events?
I've tried "rndc trace 99" which gives *lots* of information except for
UPDATE REFUSED issues even though the channel is set to dynamic severity.
Is there a different way to get named to generate debug level logs for
UPDATE events?
I'm runni
300 IN TXT "v=spf1 a mx
a:anny.lostinspace.de a:beta.fechner.net -all"
update delete news.fechner.net. IN TXT "v=spf1 a mx
a:anny.lostinspace.de -all"
update add news.fechner.net. 300 IN TXT "v=spf1 a mx
a:anny.lostinspace.de a:beta.fechner.net -all"
send
answer
```
So
"v=spf1 a mx
a:anny.lostinspace.de -all"
update add ark.fechner.net. 300 IN TXT "v=spf1 a mx
a:anny.lostinspace.de a:beta.fechner.net -all"
update delete news.fechner.net. IN TXT "v=spf1 a mx
a:anny.lostinspace.de -all"
update add news.fechner.net. 300 IN TXT &
201907-b...@planhack.com wrote:
>> My solution is not to mix dynamic update with other access. Instead,
>> I put in CNAMEs in the signed zone to a sub-zone (or other zone) where
>> I do exclusive dynamic update. This isn't perfect, but it works well
>> enough to allow dns-01 (cer
ike with nsupdate), using different TSIG keys with different
privileges in update-policy. Signing and key rotation are handled
automatically by Bind, using dnssec-policy.
I use nsdiff (https://dotat.at/prog/nsdiff/) and nsupdate to apply
manual changes. That way I still have hand-written zone files with
> My solution is not to mix dynamic update with other access.
> Instead, I put in CNAMEs in the signed zone to a sub-zone (or other zone)
> where I do exclusive dynamic update. This isn't perfect, but it works
> well enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
>
In general, you don't want to mix dynamic update zones with ones that you
want to edit by hand. I see that you are doing manual DNSSEC signing in your
cron job.
Your choices are:
a) do everything with dynamic update, and turn on automatic DNSSEC management
in bind9.
b) do your DNSSEC signing
Just configure named to sign the zone.
--
Mark Andrews
> On 6 Oct 2023, at 22:30, Paul van der Vlis wrote:
>
> On 06-10-2023 at 10:39, Mark Andrews wrote:
>> You need to figure out what is updating the zone. This isn’t named.
>
> Thanks for your answer.
> It makes me find the reason. See m
On 06-10-2023 at 10:39, Mark Andrews wrote:
You need to figure out what is updating the zone. This isn’t named.
Thanks for your answer.
It makes me find the reason. See my other message.
With regards,
Paul
--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/
--
Visit ht
On 06-10-2023 at 10:28, Paul van der Vlis via bind-users wrote:
Hello,
I try to give a dynamic IP to a name, using nsupdate. This works fine,
but after some hours the IP is gone from the master (which I update).
Something like this:
Host home.customer.nl not found: 3(NXDOMAIN)
The IP is
You need to figure out what is updating the zone. This isn’t named.
--
Mark Andrews
> On 6 Oct 2023, at 19:28, Paul van der Vlis via bind-users
> wrote:
>
> Hello,
>
> I try to give a dynamic IP to a name, using nsupdate. This works fine, but
> after some hours th
Hello,
I try to give a dynamic IP to a name, using nsupdate. This works fine,
but after some hours the IP is gone from the master (which I update).
Something like this:
Host home.customer.nl not found: 3(NXDOMAIN)
The IP is then still available from the slaves, what gets it from the
master
et. IN TXT "v=spf1 a mx
a:anny.lostinspace.de -all"
update add news.fechner.net. 300 IN TXT "v=spf1 a mx
a:anny.lostinspace.de a:beta.fechner.net -all"
send
answer
```
So I tried to chain nsupdate to it with:
nsdiff -k ../.key fechner.net fechner.net | nsupdate -k ../.key
10. 2022, at 17:05, sri b wrote:
>
>
> Hi,
>
> I made some progress in building nsupdate. But now I am facing a problem
> due to Openssl.
>
> checking for flockfile... yes
> checking for getc_unlocked... yes
> checking for sysconf... yes
> checking for libssl libc
9 Sep 2022, at 18:54, sri b wrote:
>
>
> Hi,
>
> I am getting errors while building nsupdate (bind) version 9.18.6, for my
> project. I have attached the configure.log with this mail for your
> reference. Can you please advise on how to successfully compile?
>
On 29. 09. 22 10:54, sri b wrote:
I am getting errors while building nsupdate (bind) version 9.18.6, for
my project. I have attached the configure.log with this mail for your
reference. Can you please advise on how to successfully compile?
The autoconf version is as below.
autoconf (GNU
Hi,
I am getting errors while building nsupdate (bind) version 9.18.6, for my
project. I have attached the configure.log with this mail for your
reference. Can you please advise on how to successfully compile?
The autoconf version is as below.
autoconf (GNU Autoconf) 2.69
The libtool version
On 7/11/22 11:48 PM, Philip Prindeville wrote:
Hi,
Hi,
I have a remote subnet that has its own DHCP server, but wants to
update the domain which spans several locations and subnets.
What do I need to do on both ends (remote DHCP server and central
DNS server) to push updates over?
I would
Philip Prindeville wrote:
> What do I need to do on both ends (remote DHCP server and central DNS
> server) to push updates over?
Your list is pretty accurate.
One thing that bites me regularly is that names of the TSIG keys matters, and
that if you have a trailing . in the key name, it
"controls { }" section will
> need an "inet" address to listen on, the IP address of the DHCP server
> that will be sending us updates, and the matching name from the
> "key { }" section above.
>
> Am I forgetting anything? Or is that about it?
You don'
'll need to point nsupdate
at it with "-k"... (but no "-l").
On the DNS side, I'll need to include from /etc/bind/named.conf a file with a
"key { }" section and a "controls { }" section... with the same symmetric
key/algorithm, of course... the
On 3/14/2022 3:11 PM, Philip Prindeville wrote:
I was hoping that there's a trivial way to parse the named.conf file and figure
out what it listens on for updates using a Bind utility, but I guess not...
The utility 'rndc status' will return the full path of the configuration
file:
rndc
Philip Prindeville wrote:
>
> I'm operating on a residential ILEC that hasn't deployed IPv6, so
> turning off IPv6 isn't "self-harm", it's what cyber security
> professionals refer to as "reducing attack surface".
Sorry, that was unkind of me, and it's a topic I should not be sarcastic
about.
It
>>>
>>> allow-transfer { none; };
>>> dnssec-validation auto;
>>> listen-on-v6 { none; };
>>>
>>> That I get a *lot* of lines like:
>>>
>>> ; Communication with ::1#53 failed: connection refused
>>
>&
sten-on-v6 { none; };
>>
>> That I get a *lot* of lines like:
>>
>> ; Communication with ::1#53 failed: connection refused
>
> "Doctor it hurts when I do this!"
>
> When you use `nsupdate -l` you are using a hard-coded configuration, that
> use
tion with ::1#53 failed: connection refused
"Doctor it hurts when I do this!"
When you use `nsupdate -l` you are using a hard-coded configuration, that
uses a compiled-in path to the session key and fixed IPv4 and IPv6
localhost addresses.
If that doesn't fit your setup then you nee
with ::1#53 failed: connection refused
(One per RR in the monolithic file, in fact) when I run "nsupdate -l -v
$dyn_file".
If I run "nsupdate -4 -l -v $dyn_file" then all of that goes away. This will
always be a local update.
What's the cleanest/most-scriptable way to
On 2022 Feb 24, at 14:19, @lbutlr wrote:
> I am invoking nsupdate with
Oh, never mind. Major Brain Fart.
--
"Everyone has a photographic Memory, some just don't have film."
~Steven Wright
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe fr
I am invoking nsupdate with
nsupdate -k /etc/namedb/admin.key
When I make the changes to a domain and `send` I get,
; TSIG error with server: expected a TSIG or SIG(0)
update failed: REFUSED
/etc/namedb is an alias to /usr/local/etc/namedb/ and admin.key contains:
# cat admin.key
key "
configure it.
Regards,
Chris Buxton
> On Aug 26, 2021, at 7:32 AM, Magnus Holmgren
> wrote:
>
> When using GSS-TSIG, nsupdate (with the -g flag) always forms the SPN from the
> master server specified in the SOA record, rather than the server specified
> with the server comma
When using GSS-TSIG, nsupdate (with the -g flag) always forms the SPN from the
master server specified in the SOA record, rather than the server specified
with the server command. Is that really correct behaviour, or should I report
this as a bug? I've been scouring the Internet, but cou
Paul Kosinski via bind-users wrote:
> A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP)
> IP address for my very simple domain. It worked, except that it totally
> messed up the organization of the zone file. Since the file only has 44
> active lines (which a
Adding mailing list for archiving.
-- Forwarded message -
From: Greg Donohoe
Date: Wed, Jan 27, 2021 at 6:11 PM
Subject: Re: Reverse zone reformatting after nsupdate execution
To: Chris Isaksen
Thank you very much for your reply Chris. Changing the masterfile-style has
From: bind-users on behalf of Ondřej Surý
Sent: Wednesday, January 27, 2021 8:29 AM
To: Greg Donohoe
Cc: bind-users@lists.isc.org
Subject: Re: Reverse zone reformatting after nsupdate execution
You might want to change `masterfile-style` configuration
to figure out the cause of an
>> issue I am seeing when running nsupdate on my BIND9 server.
>> Below you will find all the details as to how my server is configured
>> and also the nsupdate commands that I am running.
>>
>> The issue I am seeing is that I have co
cause of an
> issue I am seeing when running nsupdate on my BIND9 server.
> Below you will find all the details as to how my server is configured and
> also the nsupdate commands that I am running.
>
> The issue I am seeing is that I have configured a /16 10.10.in-addr.arpa
>
Hello. I am hoping that someone can help me to figure out the cause of an
issue I am seeing when running nsupdate on my BIND9 server.
Below you will find all the details as to how my server is configured
and also the nsupdate commands that I am running.
The issue I am seeing is that I have
Unfortunately comments section on that page doesn’t work. You press preview
and you get an error response back.
> On 6 Aug 2020, at 02:21, Brett Delmage wrote:
>
> On Wed, 5 Aug 2020, Mark Andrews wrote:
>
>> If I use the example zone on that page *no* errors are reported.
>> If I modify resta
On Wed, 5 Aug 2020, Mark Andrews wrote:
If I use the example zone on that page *no* errors are reported.
If I modify restarchitect.com to have an A record at
_acme-challenge.restarchitect.com then errors will be reported.
I certainly did get an error originally. I would not have found this
pa
that is incorrect, so then I don't need to send a help plea and
> look like an idiot. Just not in this report, although an earlier version led
> me to seeing another problem, which was good.
>
> Brett
>
>>
>>
>>
>> Mark
>>
>>> On 5 Aug
't need to send a help plea
and look like an idiot. Just not in this report, although an earlier
version led me to seeing another problem, which was good.
Brett
Mark
On 5 Aug 2020, at 08:44, Brett Delmage wrote:
I'm having a problem getting nsupdate to work, as shown below.
Thanks for full details.
Your key name usage is not consistent. acmesh-ottawatch != ottawatch-acmesh
Why are you adding `check-names warn;`? check-names does NOT apply to TXT
records.
Mark
> On 5 Aug 2020, at 08:44, Brett Delmage wrote:
>
> I'm having a problem getting nsupda
I'm having a problem getting nsupdate to work, as shown below.
(Despite reading the man pages I'm not 100% clear about the exact scope of
the grant options and it may not be right. Examples would be helpful.)
I generated the key:
ddns-confgen -k acmesh-ottawatch. -z ottawat
o you can delete and add in the same UPDATE operation. Remove the
first “send” in nsupdate.script.
Yes, thanks for the tip. I did man nsupdate :-) I had
nsupdate debug enabled earlier, so split this it up while testing.
Also ottawatch.ca has DS records but the zone is not signed. You need
t
3CEF76EC
Mark
> On 29 Jul 2020, at 12:30, Brett Delmage wrote:
>
> nsupdate works according to updated contents of a dynamic zonefile but dig
> does not report the added A record.
>
> What am I doing stupidly here?
>
> BIND version 1:9.16.5-1+ubuntu18.04.1
> - b
nsupdate works according to updated contents of a dynamic zonefile
but dig does not report the added A record.
What am I doing stupidly here?
BIND version 1:9.16.5-1+ubuntu18.04.1
- both authoritative and local recursive
zone config:
zone "ottawatch.ca"
{
t
ation, specifically) working with nsupdate (which acme.sh
uses) and BIND have been a PITA. I haven't been overly impressed with
the debug capabilities to help get nsupdate working properly.
Interesting, I wasn't aware of this. Looking at Manjaro's site again, I
found that their main w
https://github.com/acmesh-official/acme.sh
If you are running your own nameserver you also need to enable dynamic
updates so that the acme.sh client can create TXT records during
certificate acquisition and renewal.
However I have found that getting zone dynamic updates (authentication,
specifical
Done:
https://gitlab.isc.org/isc-projects/bind9/-/issues/1907
Thanks.
> On Jun 1, 2020, at 7:08 AM, Ondřej Surý wrote:
>
> I think it’s reasonable for nsupdate to do the chunking on itself. Patches
> are always w
> On Jun 1, 2020, at 6:50 AM, Andreas S. Kerber wrote:
>
> Yeah, I had troubles with those 2048 bit DKIM records too. nsupdate will need
> it like this:
>
> server X.X.X.X
> zone ag-trek.de
> update add test.ag-trek.de. 86400 IN TXT
I think it’s reasonable for nsupdate to do the chunking on itself. Patches are
always welcome, but if you can start by creating an issue for us, it would be very
much welcome. I can’t offer you any timeframe, but at least it won’t get lost.
Ondrej
--
Ondřej Surý
ond...@isc.org
> On 1 Jun 2020,
On Mon, Jun 01, 2020 at 04:11:43AM -0400, vom513 wrote:
> Can anyone point me to an example of how to do this ? I have a script that
> rotates my DKIM keys, and uses nsupdate to publish. With 1024 bit - I must
> be getting by by the skin of my teeth…
>
> When I try 2048 bit
ignored by the primary
master. CLASS must be specified as NONE to distinguish this from an
RR addition. If no such RRs exist, then this Update RR will be
silently ignored by the primary master.
> On 1 Jun 2020, at 18:45, Petr Bena wrote:
>
> Hello,
>
> Is there any way t
Hello,
Is there any way to tell nsupdate to delete specific record with ANY TTL
value? For example I have following record:
record.domain.org 3500 A 1.2.3.4
I want to delete exactly that record (A with IP 1.2.3.4), except I don't
know what the TTL is, normally, if I knew the TTL, I wou
Hello,
Can anyone point me to an example of how to do this ? I have a script that
rotates my DKIM keys, and uses nsupdate to publish. With 1024 bit - I must be
getting by by the skin of my teeth…
When I try 2048 bit, the record is obviously longer. All of my attempts of
running it through
Mark Andrews wrote:
> > On 23 Apr 2020, at 07:20, Evan Hunt wrote:
> >
> > As far as I can recall, the only way to change a TTL in nsupdate is to
> > delete the whole RRset and then add it back in the same transaction:
There's actually a standard shortcut for TTL c
listed below. The UPDATE message is a bit larger but it is
robust.
Mark
> On 23/04/2020 01:06, Mark Andrews wrote:
>>
>>> On 23 Apr 2020, at 07:20, Evan Hunt wrote:
>>>
>>> On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote:
>>&
will
have TTL overridden with the last one you add.
On 23/04/2020 01:06, Mark Andrews wrote:
On 23 Apr 2020, at 07:20, Evan Hunt wrote:
On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote:
# nsupdate -k /path/to/key
zone example.com
ttl 3600
send
^d
No errors, but no chan
> On 23 Apr 2020, at 07:20, Evan Hunt wrote:
>
> On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote:
>> # nsupdate -k /path/to/key
>>> zone example.com
>>> ttl 3600
>>> send
>>> ^d
>>
>> No errors, but no chan
On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote:
> # nsupdate -k /path/to/key
> > zone example.com
> > ttl 3600
> > send
> > ^d
>
> No errors, but no change in the TTL.
"ttl 3600" just means "from now on assume I mean
What is the proper syntax for changing the TTL on a zone with nsupdate?
Does the existence of $TTL 86400 in the domain.conf file override nsupdate’s
attempts to change the TTL?
# nsupdate -k /path/to/key
> zone example.com
> ttl 3600
> send
> ^d
No errors, but no change in the TT
Shumon Huque wrote:
>
> The implication is that "ignore" also means set the response code to
> NOERROR. Although, I suppose CNAME related UPDATE processing could have
> been special cased to return an error code like YXRRSET (even without a
> specified prerequisite clause).
Ah, yes, now you menti
I recently tried using dnspython to replay captured queries and found that
it refuses to do any "meta" queries, including "ANY". But since the real
world occasionally uses meta queries, I need to be able to make them. I
ended up using https://github.com/paulc/dnslib, but I don't see where that
ha
On Wed, Apr 1, 2020 at 8:36 AM Tony Finch wrote:
>
> This error behaviour is mostly specified by the UPDATE protocol (RFC
> 2136). It's worth reading the RFC because (as you have found) some of the
> behaviour is a bit surprising. For instance, adding a record that already
> exists is not an erro
your user interface was showing the user before
the user prepared the update.
> I am looking for a some alternative to nsupdate, that can achieve the
> same, but more machine friendly, like a "proper DNS library" you talk
> about, is there any such a thing?
The system I wo
Hi there,
On Wed, 1 Apr 2020, Petr Bena wrote:
... Is there any alternative to nsupdate, something that can work with XML
or JSON payloads or provide output in such machine parseable format? ...
If it's any help DNS::ZoneParse claims to be able to output XML - but
I don't have any
> GUI *1 that is basically a wrapper around dig and nsupdate that allows
> people with "less CLI knowledge" to easily manipulate DNS records. The
> main reason for this was that in our corporation we have about 400
> internal DNS zones hosted on over 100 different BIND mas
I would recommend dnspython as a start. The API is very non-Python,
but once you get hang of it, it’s not that bad.
Ondrej
--
Ondřej Surý
ond...@isc.org
> On 1 Apr 2020, at 15:21, Petr Bena wrote:
>
> like a "proper DNS library" you talk about, is there any such a thing?
mic
So I was hoping this can be achieved with the nsupdate, I guess the
prereq statement is what I need to work with, but as I said - parsing
the current output of nsupdate, especially that header from debug or
answer section, is just not very easy, and I wouldn't be surprised if
the fo
> On 1 Apr 2020, at 20:07, Petr Bena wrote:
>
> Hello,
>
> Some preamble: Some time ago I created an open source DNS admin web GUI *1
> that is basically a wrapper around dig and nsupdate that allows people with
> "less CLI knowledge" to easily manipulate D
Petr Bena wrote:
>
I think your approach of using standard protocols (DNS queries and
updates) to edit zones is very good!
> Is there any alternative to nsupdate, something that can work with XML
> or JSON payloads or provide output in such machine parseable format?
I've d
Hello,
Some preamble: Some time ago I created an open source DNS admin web GUI
*1 that is basically a wrapper around dig and nsupdate that allows
people with "less CLI knowledge" to easily manipulate DNS records. The
main reason for this was that in our corporation we have about 400
Thank you very much, this did the trick.
Have a nice day!
mail-list-us...@materna.de wrote:
>
> server 127.0.0.1
> debug no
> zone testoverride
> update add zzz.google.de 604800 A 127.0.0.1
> send
The problem is that nsupdate needs fully-qualified domain names - you
can't omit the zone name like you can in zone files. So your s
Hello,
I try to update my RPZ Zone 'testoverride' with nsupdate.
Sadly I get only
127.0.0.1#56851: view public: updating zone 'testoverride/IN': update failed:
update RR is outside zone (NOTZONE)
as error message.
How do I update a RPZ zone with nsupdate? Do I miss someth
Hi Ondrej
On Wed, Jun 12, 2019 at 04:08:20PM +0200, Ondřej Surý wrote:
> Hey list,
>
> I believe this needs addressing from the BIND team.
>
> > * readline is GPL
>
> BIND 9 supports compilation with libedit which is 99% drop-in replacement
> since 2015 (017cbd44).
I had mentioned libedit in m
Hey list,
I believe this needs addressing from the BIND team.
> * readline is GPL
BIND 9 supports compilation with libedit which is 99% drop-in replacement
since 2015 (017cbd44).
The well-established open-source distributions are well aware of the readline
firm stand on the GPL vs LGPL for the
Mukund Sivaraman wrote:
> On Tue, Jun 11, 2019 at 10:03:30AM -0400, Warren Kumari wrote:
> >
> > I manually use nsupdate to make some changes to some of my zones -
> > most recently I had to add a bunch of reverse DNS records. These are
> > all very similar - the first
On Tue, Jun 11, 2019 at 10:59 AM Mukund Sivaraman wrote:
>
> On Tue, Jun 11, 2019 at 10:03:30AM -0400, Warren Kumari wrote:
> > Hi there all,
> >
> > I manually use nsupdate to make some changes to some of my zones -
> > most recently I had to add a bunch of reverse
On Tue, Jun 11, 2019 at 10:03:30AM -0400, Warren Kumari wrote:
> Hi there all,
>
> I manually use nsupdate to make some changes to some of my zones -
> most recently I had to add a bunch of reverse DNS records. These are
> all very similar - the first octet changes, and then
Hi there all,
I manually use nsupdate to make some changes to some of my zones -
most recently I had to add a bunch of reverse DNS records. These are
all very similar - the first octet changes, and then the target name
changes. Unfortunately nsupdate doesn't support readline, and so the
ob
@lbutlr wrote:
>
> If I remove "update-policy local; " the nsupdate works, but it seems
> like it should have worked with the update-policy since I was in fact
> local to the bind server.
The "local" keyword enables server-side support for `nsupdate -l`, which
m
};
};
gives "'allow-update' is ignored when 'update-policy' is present" when I load
the conf file.
If I remove "update-policy local; " the nsupdate works, but it seems like it
should have worked with the update-policy since I was in fact local to the bind
serv
On 20 May 2019, at 16:21, Noel Butler wrote:
>allow-update { key "keyname"; };
Ah, no I did not. The instructions I found, as I mentioned in a later post,
were to add grant ddns-key. Is this a change in 9.14, because I did not have
to do this in 9.12?
> and nsLOOKUP ?
Just a thinko.
ng, or you should be using or at least meant
to say, nsUPDATE
On 20/05/2019 10:27, @lbutlr wrote:
> Trying to update some DNS under a relatively newly installed bind 9.14 with
> nsupdate.
>
> I have a file admin.key that looks basically like this:
> key "rndc-key" {
&
On 19 May 2019, at 18:27, @lbutlr wrote:
> This is the same key block that is in named.conf. I am launching NSLOOKUP
> with -k admin.key, but when I try to make a change and then "send", I get
> "update failed: REFUSED."
I found a page that recommended adding a ddns-key and then adding "grant
The most obvious thing is to look at the zone and see if that key is
included in an allow-update statement for the zone.
Bob
Trying to update some DNS under a relatively newly installed bind 9.14 with
nsupdate.
I have a file admin.key that looks basically like this:
key "rndc-key" {
algorithm hmac-sha256;
secret "SECRETSTUFF=";
};
This is the same key block that is in named.conf. I a
On 03/14/2019 04:40 AM, Niall O'Reilly wrote:
> On 14 Mar 2019, at 5:17, Marc Chamberlin via bind-users wrote:
>
>> On 03/13/2019 08:33 PM, John W. Blue wrote:
>>> As an option, instead of including /etc/rndc.key nothing prevents you
>>> from including rndc.conf. That way you are consistent with y