I run

named -v
BIND 9.10.2

in split-horizon mode with two views

view "internal" {
view "external" {

For a single zone MYDOMAIN.com I'm targeting two hostnames in the zone

test.MYDOMAIN.com
external.test.MYDOMAIN.com

for dynamic updates. At any given time, the A records should return

view=internal:
dig A test.MYDOMAIN.com +short
A.B.C.D
dig A external.test.MYDOMAIN.com +short
10.1.1.14

view=external:
dig A test.MYDOMAIN.com +short
A.B.C.D
dig A external.test.MYDOMAIN.com +short
A.B.C.D

I want to dynamically update A.B.C.D, using 'nsupdate'. I.e., I'll update

internal: external.test.MYDOMAIN.com
external: test.MYDOMAIN.com
external: external.test.MYDOMAIN.com

In my dns conf

cat named.conf
...
acl presgrp_internal {
    localhost;
    10.1.1.0/24;
    2001:xxx:xxxx:xxx::/64;
};
...
view "internal" {
    match-clients { key test-key; presgrp_internal; };
    ...
    zone "MYDOMAIN.com" {
        type master;
        file "/namedb/master/internal.MYDOMAIN.com.zone";
        update-policy {
            grant brahms-rndc-key zonesub ANY;
            grant test-key name external.test.MYDOMAIN.com ANY;
        };
    };
...
view "external" {
    match-clients { key test-key; any; };
    ...
    zone "MYDOMAIN.com" IN {
        type master;
        file "/namedb/master/MYDOMAIN.com.zone";
        update-policy {
            grant test-key name test.MYDOMAIN.com ANY;
            grant test-key name external.test.MYDOMAIN.com ANY;
        };
    };
...

I have an update script

cat dyn-update.sh
#!/bin/sh
IP=$1
NSUPDATE="/usr/local/bind9/bin/nsupdate"
RNDC="/usr/local/bind9/sbin/rndc"
KEYFILE="/usr/local/etc/named/keys/test.rndc.key"
SERVER="2001:xxx:xxxx:xxx::100"
ZONE="MYDOMAIN.com"
HOST="test"
cat <<EOF | ${NSUPDATE} -k ${KEYFILE} -v
server ${SERVER}
zone ${ZONE}
local ::1
update delete ${HOST}.${ZONE}. ANY
update delete external.${HOST}.${ZONE}. ANY
update add ${HOST}.${ZONE}. 5 A ${IP}
update add external.${HOST}.${ZONE}. 5 A ${IP}
update add ${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
update add external.${HOST}.${ZONE}. 5 TXT "Updated on $(date)"
show
send
EOF
${RNDC} reload

where

cat /usr/local/etc/named/keys/test.rndc.key
key "test-key" {
    algorithm hmac-md5;
    secret "gcNd3eCe87cc3FefDD8e5Z==";
};

On exec of the update script

sh dyn-update.sh 11.22.33.44
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;MYDOMAIN.com. IN SOA

;; UPDATE SECTION:
test.MYDOMAIN.com. 0 ANY ANY
external.test.MYDOMAIN.com. 0 ANY ANY
test.MYDOMAIN.com. 5 IN A 11.22.33.44
external.test.MYDOMAIN.com. 5 IN A 11.22.33.44
test.MYDOMAIN.com. 5 IN TXT "Updated on Tue May 26 08:25:40 PDT 2015"
external.test.MYDOMAIN.com. 5 IN TXT "Updated on Tue May 26 08:25:40 PDT 2015"

update failed: REFUSED
server reload successful

The update's "REFUSED". With log config @ debug verbosity

...
logging {
    ...
    channel loglevel_debug {
        syslog;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity debug;
    };
    ...
    category update-security { loglevel_debug; };
    ...

logs show only

May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: info: client ::1#56064/key test-key: view internal: signer "test-key" denied
May 26 08:25:40 brahms named[29655]: 26-May-2015 08:25:40.829 update-security: error: client ::1#56064/key test-key: view internal: update 'MYDOMAIN.com/IN' denied

Why is that update being denied? Likely I've misconfigured ... but what?

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
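A small model of the view selection and update-policy evaluation that named performs on the configuration quoted in the post; this is an added illustration, not code from the post or from BIND. It assumes only the two views and grants quoted above plus BIND's documented behaviour: views are tried in configuration order, a TSIG-signed request matches a `key` entry in match-clients, a `name` grant covers one exact owner name, `zonesub` covers the whole zone, and an update is refused as a whole if any owner name in it is unauthorized.

```python
from dataclasses import dataclass
ZONE = "MYDOMAIN.com."

@dataclass(frozen=True)
class View:
    name: str
    match_keys: tuple   # TSIG keys listed in match-clients ("key test-key;")
    match_local: bool   # match-clients admits localhost (presgrp_internal acl)
    match_any: bool     # match-clients contains "any"
    grants: tuple       # update-policy rules as (identity, ruletype, name)

# The two views and update-policy blocks as quoted in the post; nothing else is modelled.
VIEWS = (
    View("internal", ("test-key",), True, False,
         (("brahms-rndc-key", "zonesub", None),
          ("test-key", "name", "external.test.MYDOMAIN.com."))),
    View("external", ("test-key",), False, True,
         (("test-key", "name", "test.MYDOMAIN.com."),
          ("test-key", "name", "external.test.MYDOMAIN.com."))),
)

def select_view(signer, client_local, views=VIEWS):
    """Views are tried in configuration order and the first match wins; a
    TSIG-signed request matches a view whose match-clients names its key."""
    for v in views:
        if signer in v.match_keys or v.match_any or (client_local and v.match_local):
            return v
    return None

def name_allowed(view, signer, owner):
    """True if a grant lets `signer` change `owner`: a "name" rule covers only
    that exact name, "zonesub" covers every name in the zone."""
    for identity, ruletype, name in view.grants:
        if identity != signer:
            continue
        if ruletype == "zonesub" and owner.lower().endswith(ZONE.lower()):
            return True
        if ruletype == "name" and owner.lower() == name.lower():
            return True
    return False

def check_update(signer, owners, client_local=True, views=VIEWS):
    """Return (view name, first owner the policy rejects or None); named
    refuses the whole update as soon as one owner name fails the policy."""
    view = select_view(signer, client_local, views)
    for owner in owners:
        if not name_allowed(view, signer, owner):
            return view.name, owner
    return view.name, None
```

`check_update("test-key", ["test.MYDOMAIN.com.", "external.test.MYDOMAIN.com."])` returns `("internal", "test.MYDOMAIN.com.")`: because `key test-key` appears in the internal view's match-clients, a request signed with that key is routed to the internal view, whose policy has no grant for test.MYDOMAIN.com, which is what the logged `view internal: signer "test-key" denied` reports.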