Hi Michal, thanks for the reply and sorry for the delay on my end. I've started a fresh install here and started over and still having the same issue, even when I crank the debug trace up to 5, I'm not seeing anything additional in the logs:
08-Jun-2018 14:56:50.281 update-security: info: client 127.0.0.1#32983/key rpz-update: signer "rpz-update" denied 08-Jun-2018 14:56:50.281 update-security: error: client 127.0.0.1#32983/key rpz-update: update 'test.rpz/IN' denied I've also tried taking the allow-update out of the zone statement and moving it back up globally, and trying both (defining it globally and in the zone) because I remembered bug #46603 (kinda sorta in the ballpark) - but no dice there either. - mark On 2018-06-04 4:58 AM, Michał Kępień wrote: > Hi Mark, > >> Jun 1 20:19:34 rpz0 named[30999]: client 127.0.0.1#64585/key >> dns-update: signer "dns-update" denied >> Jun 1 20:19:34 rpz0 named[30999]: client 127.0.0.1#64585/key >> dns-update: update 'test.rpz/IN' denied >> >> What am I missing here? > Interesting, you do not seem to be missing anything: this works as > expected for me (i.e. the update is allowed) on a fresh Debian 9 VM. > > AFAICT without looking at your entire configuration, in order for both > of the log messages you quoted to be generated, named would need to > recognize the key used for signing the request (otherwise you would get > a BADKEY response), but not allow it to update the relevant zone. > Perhaps a long shot, but is there any chance there are non-ASCII > characters in your configuration file, like some Unicode variant of the > hyphen character (‐, ‑, ‒, etc.)? If not, could you please bump the > debug level to at least 3, retry, and paste the log messages generated? > Please also feel free to open an issue at https://gitlab.isc.org. > -- Mark E. Jeftovic <mar...@easydns.com> Co-founder & CEO, easyDNS Technologies Inc. +1-(416)-535-8672 x 225 _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users