LinuxQuestions.org
Old 09-09-2013, 04:50 PM   #1
techmom50
Member
 
Registered: Aug 2013
Posts: 36

Rep: Reputation: Disabled
update-security error in /var/log/named.log


This is the error I am getting. I understand it has to do with DDNS, but no matter what I try in my dhcpd.conf file for DDNS, it will not work.
Code:
09-Sep-2013 12:36:11.239 general: info: managed-keys-zone: loaded serial 11
09-Sep-2013 12:36:11.239 general: info: Initializing GeoIP Country DB
09-Sep-2013 12:36:11.239 general: info: GEO-106FREE 20130219 Build 1 Copyright (c) 2012 MaxMind Inc All Rights Reserved
09-Sep-2013 12:36:11.239 general: info: GeoIP City DB Revision 0 or 1 not available
09-Sep-2013 12:36:11.239 general: info: GeoIP Region DB Revision 0 or 1 not available
09-Sep-2013 12:36:11.239 general: info: GeoIP ISP DB not available
09-Sep-2013 12:36:11.239 general: info: GeoIP Organization DB not available
09-Sep-2013 12:36:11.239 general: info: Initializing GeoIP AS DB
09-Sep-2013 12:36:11.239 general: info: GEO-117 20130401 Build 1 Copyright (c) 2013 MaxMind Inc All Rights Reserved
09-Sep-2013 12:36:11.239 general: info: GeoIP NetSpeed DB not available
09-Sep-2013 12:36:11.239 general: info: GeoIP Domain DB not available
09-Sep-2013 12:36:11.239 general: info: Initializing GeoIP Country DB IPv6
09-Sep-2013 12:36:11.239 general: info: GEO-106FREE 20130305 Build 1 Copyright (c) 2012 MaxMind Inc All Rights Reserved
09-Sep-2013 12:36:11.239 general: info: zone 127.in-addr.arpa/IN: loaded serial 61220135
09-Sep-2013 12:36:11.240 general: info: zone localhost/IN: loaded serial 61220137
09-Sep-2013 12:36:11.241 general: info: zone 1.168.192.in-addr.arpa/IN: loaded serial 612201320
09-Sep-2013 12:36:11.241 general: info: zone pacificcabinets.com/IN: loaded serial 612201315
09-Sep-2013 12:36:11.242 general: notice: all zones loaded
09-Sep-2013 12:36:11.242 general: notice: running
09-Sep-2013 12:36:11.242 notify: info: zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 612201320)
09-Sep-2013 12:36:11.242 notify: info: zone pacificcabinets.com/IN: sending notifies (serial 612201315)
09-Sep-2013 12:39:38.758 update-security: info: client 192.168.1.50#60194/key rndc-key: signer "rndc-key" denied
This error also appears in my daemon.log
Code:
Sep  9 12:49:39 tux dhcpd: Unable to add reverse map from 90.1.168.192.1.168.192.in-addr.arpa. to KUDU.PacificCabinets.com: REFUSED
dhcpd.conf file
Code:
# Use this to enable / disable dynamic dns updates globally.
ddns-update-style interim;
ddns-updates on;
ddns-domainname "mydomain.com";
ddns-rev-domainname "1.168.192.in-addr.arpa.";
#include "etc/bind/rndc.key";

key     rndc-key {
        algorithm hmac-md5;
        secret "secret";
}
zone    PacificCabinets.com {
        primary 192.168.1.50;
        key "rndc-key";
}
zone    1.168.192.in-addr.arpa {
        primary 192.168.1.50;
        key "rndc-key";
}
zone    127.in-addr.arpa {
        primary 127.0.0.1;
        key "rndc-key";
}
deny unknown-clients;
allow bootp;
# If this DHCP server is the official DHCP server for the local network, the authoritative directive should be uncommented.
#authoritative;

# A slightly different configuration for an internal subnet.
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.120 192.168.1.219;
  option domain-name-servers 192.168.1.50;
  option domain-name "mydomain.com";
  option routers 192.168.1.52;
  option broadcast-address 192.168.1.255;
  default-lease-time 600;
  max-lease-time 1800;
  option nntp-server 192.168.1.53;
  option netbios-name-servers 192.168.1.50;
  option netbios-node-type 8;
}

# Fixed IP addresses can also be specified for hosts.   These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.

# COMPUTERS
host kudu {
hardware ethernet 00:19:7D:1E:15:42;
fixed-address 192.168.1.90;
}
192.168.1.rev zone file
Code:
$TTL 1D
$ORIGIN 1.168.192.in-addr.arpa.
@                       IN SOA  ns.pacificcabinets.com. root.pacificcabinets.com.(
                        0612201320     ; serial
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum

@                       IN NS   tux.pacificcabinets.com.
50                      IN PTR  tux.pacificcabinets.com.

Last edited by techmom50; 09-11-2013 at 10:14 AM. Reason: info
 
Old 09-11-2013, 02:39 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
First and foremost, I would change your post and remove the actual key value from it; also, the ddns-domainname might not be wise to show online. Take care not to give away too much info. Also, I doubt that this is really serious, but who really knows.

On to rescue now:
Code:
09-Sep-2013 12:39:38.758 update-security: info: client 192.168.1.50#60194/key rndc-key: signer "rndc-key" denied
Your key is not accepted by the DNS server. For DDNS to work, the key of the DHCP server and the DNS server have to match. Best bet would be to copy the values from the DNS server configuration over to the DHCP configuration, since the DNS server creates it first hand.
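Added example (not part of the original thread): one way to run the comparison suggested in this reply, checking that the key named holds and the copy in dhcpd.conf have the same algorithm and secret without printing the secret. The function names, file names and secrets are constructed for illustration, and the parser assumes one statement per line, as in the configs posted above.

```shell
#!/bin/sh
# Added example: compare the TSIG key named holds with the copy in dhcpd.conf.
# Assumes one statement per line, as in the configs posted in this thread.

# Print "<algorithm> <secret>" for key NAME declared in FILE; status 1 if absent.
key_material() {    # key_material FILE NAME
    awk -v name="$2" '
        $1 == "key" && index($0, "{") {      # a declaration, not a zone reference
            k = $2; gsub(/"/, "", k); inkey = (k == name); next
        }
        inkey && $1 == "algorithm" {
            a = tolower($2); sub(/;$/, "", a)
            sub(/\.sig-alg\.reg\.int$/, "", a)   # long and short names are equal
        }
        inkey && $1 == "secret" { s = $2; gsub(/[";]/, "", s) }
        inkey && index($0, "}") { inkey = 0 }
        END { if (a == "" || s == "") exit 1; print a, s }
    ' "$1"
}

# Return 0 if both files declare NAME with identical algorithm and secret,
# 1 on mismatch, 2 if either file lacks the key. The secret is never printed.
ddns_keys_match() {  # ddns_keys_match NAMED_KEYFILE DHCPD_CONF NAME
    named_key=$(key_material "$1" "$3") || return 2
    dhcpd_key=$(key_material "$2" "$3") || return 2
    [ "$named_key" = "$dhcpd_key" ]
}

# Constructed sample files (the secrets are made up for this example).
make_samples() {     # make_samples DIR
    printf 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "Y29uc3RydWN0ZWQtYQ==";\n};\n' > "$1/rndc.key"
    printf 'key rndc-key {\n  algorithm HMAC-MD5;\n  secret "Y29uc3RydWN0ZWQtYQ==";\n}\nzone example.test. {\n  primary 127.0.0.1;\n  key "rndc-key";\n}\n' > "$1/dhcpd.good"
    sed 's/Y29uc3RydWN0ZWQtYQ==/Y29uc3RydWN0ZWQtYg==/' "$1/dhcpd.good" > "$1/dhcpd.stale"
}

dir=$(mktemp -d) && make_samples "$dir"
ddns_keys_match "$dir/rndc.key" "$dir/dhcpd.good" rndc-key && echo "dhcpd.good: keys match"
ddns_keys_match "$dir/rndc.key" "$dir/dhcpd.stale" rndc-key || echo "dhcpd.stale: keys differ"
rm -rf "$dir"
```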
 
Old 09-11-2013, 11:35 AM   #3
techmom50
Member
 
Registered: Aug 2013
Posts: 36

Original Poster
Rep: Reputation: Disabled
First, thank you for the heads up; I have edited what you suggested in my post. I have copied the contents of the rndc.key from my /etc/bind/rndc.key into the DHCP.CONF. Since this post I have done some tweaks on my files to rule out certain things. It seems that as soon as I moved my rndc.key file into the /etc directory and changed the paths in the NAMED.conf to reflect the change, it is somewhat working. I now think this is a permissions issue, as the new error message is:
Code:
11-Sep-2013 08:43:08.011 general: error: /var/bind/pri/pacificcabinets.zone.jnl: create: permission denied
11-Sep-2013 08:43:08.011 update: info: client 192.168.1.50#51069/key rndc-key: updating zone 'pacificcabinets.com/IN': error: journal open failed: unexpecte$
11-Sep-2013 08:48:08.095 update-security: info: client 192.168.1.50#51069/key rndc-key: signer "rndc-key" approved
So now it seems my permissions need to be fixed on my /var/bind/pri directory so it can create the jnl file:
Code:
tux pri # ls -ld /var/bind/pri
drwxr-x--- 3 root named 4096 Sep  4 23:03 /var/bind/pri
tux pri # ls -ld /var/bind/
drwxrwx--- 5 root named 4096 Sep 11 08:39 /var/bind/

Last edited by techmom50; 09-11-2013 at 11:37 AM. Reason: speeling
 
Old 09-11-2013, 02:45 PM   #4
techmom50
Member
 
Registered: Aug 2013
Posts: 36

Original Poster
Rep: Reputation: Disabled
Yep, it was related to the permissions of /var/bind/pri.

I needed to set the permission for the directory /var/bind/pri to rwx.
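Added example (not part of the original thread): a check that reads the `ls -ld` lines posted in #3 and reports whether a non-root account can create files, such as a zone's .jnl journal, in each directory. It assumes named runs as user `named` with primary group `named` (the listing shows only the group ownership) and ignores supplementary groups and ACLs; the `PRI_FIXED` line is constructed.

```shell
#!/bin/sh
# Added example: decide from an `ls -ld` line whether a non-root account can
# create files (such as a zone's .jnl journal) in that directory.

can_create_in() {   # can_create_in "LS_LD_LINE" USER GROUP
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    owner=$(printf '%s\n' "$1" | awk '{ print $3 }')
    group=$(printf '%s\n' "$1" | awk '{ print $4 }')
    # The first matching class decides: owner, then group, then other.
    if   [ "$2" = "$owner" ]; then bits=$(printf '%s' "$mode" | cut -c2-4)
    elif [ "$3" = "$group" ]; then bits=$(printf '%s' "$mode" | cut -c5-7)
    else                           bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    case $bits in
        ?w[xst]) return 0 ;;   # creating an entry needs write and search
        *)       return 1 ;;
    esac
}

# Directory listings as posted in the thread.
PRI='drwxr-x--- 3 root named 4096 Sep  4 23:03 /var/bind/pri'
BIND='drwxrwx--- 5 root named 4096 Sep 11 08:39 /var/bind/'
# Constructed: /var/bind/pri after `chmod g+w`, the narrowest change that helps.
PRI_FIXED='drwxrwx--- 3 root named 4096 Sep 11 09:00 /var/bind/pri'

for line in "$PRI" "$BIND" "$PRI_FIXED"; do
    if can_create_in "$line" named named; then verdict=yes; else verdict=no; fi
    printf '%-4s %s\n' "$verdict" "$line"
done
```

Group write on the directory is enough under these assumptions; the "other" bits can stay empty.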
 
Old 09-12-2013, 01:44 AM   #5
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
There we go. DDNS has some tripwires laid out. Great that you got it solved. So please mark your thread as solved through the "Thread Tools" at the start of the page.
 
  

