On Thu, Feb 17, 2011 at 04:37:48PM +1100, Kyle wrote: > 'domain1.com' is obfuscated from the real value. But rest assured I am > being painstakingly anal in ensuring the values are the same including > the 'key name' in named and dhcpd being exactly the same as used in the > dnssec-keygen command.
OK, I just wanted to be sure, because the only way I've been able to reproduce similar symptoms to yours was by using a different name. > [root@server3 etc]# rndc reload > server reload successful I thought this might provide a clue, but I've tested it on my server here and rndc seems to work even if the key it's told to use is not authorised. Oh well. > Reply from update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 2442 > ;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 > ;; TSIG PSEUDOSECTION: > domain1.com. 0 ANY TSIG hmac-md5.sig-alg.reg.int. > 1297920682 300 16 <anotherSecretHere> 2442 NOERROR 0 Now this is slightly different to anything I've been able to reproduce. If I give it the wrong key I see "BADKEY" in that last line instead of "NOERROR". This is just a guess because I've pretty much hit the limits of my knowledge, and I've never used BIND's views, but could it be something to do with the different views you've configured? You're trying to do the update from localhost, so that matches the view "localhost_resolver", but updates aren't allowed in that view configuration. Updates are allowed in the view "internal", which also matches localhost, but I wonder if BIND is simply using the first match and thus disallowing updates? John -- Vs lbh'er ernqvat guvf, lbh ernyyl bhtug gb trg bhg zber -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
