Old 04-08-2009, 06:39 PM   #1
bind / nsupdate / REFUSED!

I've been monkeying with this for a few days now and have worn a long spot on my head from scratching it so often.

The server in question runs Fedora Core 9 (kernel- and bind (bind-9.5.0-35.P2.fc9.i386) and runs in a jail (/var/named/chroot/var/named) for security reasons.

I have one node that unfortunately has a dynamic IP so every time it connects it will have to update our DNS server with its new IP.

In the /etc/named.conf file, I added the following:

include "/var/named/keys/client-keys.conf";

zone "" {
     type master;
     file "/var/named/dynamic/";
     allow-update { key; };
     allow-transfer { any; };
     allow-query { any; };
};
Then I created a /var/named/keys/client-keys.conf:

key {
     algorithm HMAC-MD5;
     secret "gobblygook";
};
"gobblygook" was taken out of the file, which is the public key in the generated pair. Cut and pasted to ensure it's identical.

then in the /var/named/dynamic directory I created a new file named

$TTL 3600       ; 1 hour IN SOA (
                                2000010105 ; serial
                                3600       ; refresh (1 hour)
                                600        ; retry (10 minutes)
                                7200       ; expire (2 hours)
                                3600       ; minimum (1 hour)
I then treated that file to a "chown named:named" to make sure named can see and modify the file.

Finally, I created a directory (/root/dns) and tossed in the two keyfiles (floater.blah blah.key and floater.blah blah.private), and two files I created to test.

a data file for nsupdate (

update delete A
update add 3600 A
and of course a script file to execute nsupdate (updatedns):

nsupdate -k /root/dns/
This is the point I got after days of fine tuning things trying to get this to work correctly, but alas my /var/log/message log contains nothing but these:

Apr  8 19:33:22 d1 named[20620]: client <publicIP>#48269: view external: signer "" denied
Apr  8 19:33:22 d1 named[20620]: client <publicIP>#48269: view external: update '' denied
I know bind is very picky about semi-colons and periods, so I combed through everything several times and for my entertainment, removed periods after the in various places then ultimately put them back.

Anyone have any idea why bind refuses to accept an update?

I thought I was being clever by changing the "allow-update { key; };" to "allow-update { any; };" however I got the same result.

So my friends, I would like to buy a clue ;-)



Last edited by midiguy732; 04-08-2009 at 07:06 PM.
Old 04-09-2009, 04:09 AM   #2
Apr 8 19:33:22 d1 named[20620]: client <publicIP>#48269: view external: signer "" denied
Apr 8 19:33:22 d1 named[20620]: client <publicIP>#48269: view external: update '' denied
I've never seen the 1st error, but the second one means that you're trying to update a zone within an external view from a host not belonging in the acl for the external view. Try to do this from a different host (better outside your network) and see if it works.
Now regarding the 1st error, maybe you used the wrong name in dnssec-keygen to create the key-pair. Use something like:
dnssec-keygen -b 512 -a HMAC-MD5 -v 2 -n HOST
Lastly I don't think it's a semicolon/period problem but maybe it's worth including the key name in double quotes:
allow-update { key ""; };
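
An added example (not from the thread and not BIND's own tooling): a small Python check for the two points raised above, that the key name in allow-update matches a defined key statement, and that allow-update / allow-transfer are not left open to any. The zone names, key names and secret in the sample are constructed placeholders, and the regex parsing assumes simple, flat named.conf text like the fragments posted in this thread.

```python
import re

# Constructed sample named.conf text; all names and the secret are placeholders.
SAMPLE_CONF = '''
key "ddns-client.example.com." {
    algorithm hmac-md5;
    secret "c2FtcGxlLXNlY3JldA==";
};
zone "example.com" {
    type master;
    file "/var/named/dynamic/example.com";
    allow-update { key "ddns-client.example.org."; };
    allow-transfer { any; };
};
zone "example.net" {
    type master;
    file "/var/named/dynamic/example.net";
    allow-update { any; };
};
'''

def norm(name):
    """Key names are DNS names: compare case-insensitively, ignoring a trailing dot."""
    return name.strip('"').rstrip(".").lower()

def lint(conf):
    """Return sorted (zone, problem) pairs for update/transfer ACL mistakes."""
    conf = re.sub(r"(?m)^\s*(#|//).*$", "", conf)  # drop whole-line comments
    # key statements are followed by '{'; key references inside ACLs end in ';'
    defined = {norm(k) for k in re.findall(r'\bkey\s+("[^"]+"|[^\s{;]+)\s*\{', conf)}
    findings = []
    for zone, body in re.findall(r'\bzone\s+"([^"]*)"[^{]*\{(.*?)\n\};', conf, re.S):
        for opt in ("allow-update", "allow-transfer"):
            m = re.search(opt + r"\s*\{([^}]*)\}", body)
            if not m:
                continue
            acl = m.group(1)
            if re.search(r"\bany\s*;", acl):
                findings.append((zone, opt + " open to any"))
            for ref in re.findall(r'\bkey\s+("[^"]+"|[^\s;]+)\s*;', acl):
                if norm(ref) not in defined:
                    findings.append((zone, opt + " references undefined key " + norm(ref)))
    return sorted(findings)

if __name__ == "__main__":
    for zone, problem in lint(SAMPLE_CONF):
        print(zone + ": " + problem)
```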

