I've been monkeying with this for a few days now and have worn a long spot on my head from scratching it so often.
The server in question runs Fedora Core 9 (kernel-2.6.26.6-79.fc9.i686) and bind (bind-9.5.0-35.P2.fc9.i386) and runs in a jail (/var/named/chroot/var/named) for security reasons.
I have one node that unfortunately has a dynamic IP so every time it connects it will have to update our DNS server with it's new IP.
In the /etc/named.conf file, I added the following:
Code:
include "/var/named/keys/client-keys.conf";
zone "floater.mydomain.com" {
type master;
file "/var/named/dynamic/floater.mydomain.com";
allow-update { key floater.mydomain.com.; };
allow-transfer { any; };
allow-query { any; };
};
Then I created a /var/named/keys/client-keys.conf:
Code:
key floater.mydomain.com. {
algorithm HMAC-MD5;
secret "gobblygook";
};
"gobblygook" was taken out of the Kfloater.mydomain.com.+157+03803.key file, which is the public key in the generated pair. Cut and pasted to ensure it's identical.
then in the /var/named/dynamic directory I created a new file named floater.mydomain.com:
Code:
$ORIGIN .
$TTL 3600 ; 1 hour
floater.mydomain.com IN SOA ns1.mydomain.com. webmaster.mydomain.com. (
2000010105 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
7200 ; expire (2 hours)
3600 ; minimum (1 hour)
)
NS ns1.mydomain.com.
A 127.0.0.1
I then treated that file to a "chown named:named floater.mydomain.com" to make sure named can see and modify the file.
Finally, I created a directory (/root/dns) and tossed in the two keyfiles (floater.blah blah.key and flaoter.blah blah.private), and two files I created to test.
a data file for nsupdate (updatedns.data)
Code:
server ns1.mydomain.com
zone floater.mydomain.com
update delete floater.mydomain.com. A
update add floater.mydomain.com. 3600 A 10.16.0.1
send
and of course a script file to execute nsupdate (updatedns):
Code:
nsupdate -k /root/dns/Kfloater.mydomain.com.+157+03803.private updatedns.data
This is the point I got after days of fine tuning things trying to get this to work correctly, but alas my /var/log/message log contains nothing but these:
Code:
Apr 8 19:33:22 d1 named[20620]: client <publicIP>#48269: view external: signer "floater.mydomain.com" denied
Apr 8 19:33:22 d1 named[20620]: client <publicIP>#48269: view external: update 'floater.mydomain.com/IN' denied
I know bind is very picky about semi-colons and periods, so I combed through everything several times and for my entertainment, removed periods after the floater.mydomain.com in various places then ultimately put them back.
Anyone have any idea why bind refuses to accept an update?
I thought I was being clever by changing the "allow-update { key floater.mydomain.com.; };" to "allow-update { any; };" however I got the same result.
So my friends, I would like to buy a clue ;-)
Regards,
Frederic
