
An example error message from a slave shows a notification for view avcan received with key vpn:

May 21 06:37:09 dns5.iciti named[614]: client @0x7f3f0c8472b0 192.168.8.54#49401/key vpn: view avcan: received notify for zone '8.16.172.in-addr.arpa': TSIG 'vpn': not authoritative

named.conf.options has

notify explicit;

named.conf.local has

acl vpn {
    !key avcan;
    key vpn;
    172.16.0.0/12;
};
acl avcan { 
    !key vpn;
    key avcan;
    10.10.0.0/16;
    ...
};

key "avcan" {
    algorithm HMAC-SHA512;
    secret "<redacted>";
};
key "vpn" {
    algorithm HMAC-SHA512;
    secret "<redacted>";
};

...

view avcan {
    match-clients { avcan; };
    also-notify {
        192.168.8.55 key avcan;
        ...
    };
--
view vpn {
    match-clients { vpn; };
    also-notify {
        192.168.8.55 key vpn;
        ...
    };

If I understand how also-notify works, the master should send notifications for view avcan with key avcan, but the error messages from the slaves show it is also sending notifications with key vpn.

catkin

1 Answer


My bad. The master had acl stanzas as shown above. The slaves were missing the !key lines. Sorry for the noise. Maybe it helps somebody.

catkin
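How the missing !key lines can put a NOTIFY signed with key vpn into view avcan on a slave, as an added example that is not part of the original post or of BIND itself. It models first-match evaluation of match-clients; the 192.168.8.0/24 entry is an assumption standing in for the elided "..." ACL entries, chosen so that the master's address 192.168.8.54 matches by IP.

```python
import ipaddress

def acl_match(acl, src_ip, tsig_key):
    """Evaluate a BIND-style address match list in order; the first matching
    element decides. Returns True (accept), False (matched a negated element)
    or None (nothing matched)."""
    for elem in acl:
        negated = elem.startswith("!")
        body = elem.lstrip("!").strip()
        if body.startswith("key "):
            # A key element matches only if the request was signed with that key.
            hit = tsig_key is not None and body[4:].strip() == tsig_key
        else:
            hit = ipaddress.ip_address(src_ip) in ipaddress.ip_network(body)
        if hit:
            return not negated
    return None

def select_view(views, src_ip, tsig_key):
    """Views are tried in configuration order; the first whose match-clients
    list accepts the request handles it."""
    for name, match_clients in views:
        if acl_match(match_clients, src_ip, tsig_key):
            return name
    return None

# Constructed slave ACLs. 192.168.8.0/24 is an assumption (see lead-in).
SLAVE_WITHOUT_NEGATION = [
    ("avcan", ["key avcan", "10.10.0.0/16", "192.168.8.0/24"]),
    ("vpn",   ["key vpn", "172.16.0.0/12"]),
]
SLAVE_WITH_NEGATION = [
    ("avcan", ["!key vpn", "key avcan", "10.10.0.0/16", "192.168.8.0/24"]),
    ("vpn",   ["!key avcan", "key vpn", "172.16.0.0/12"]),
]

MASTER_IP = "192.168.8.54"  # source address from the log line in the question

if __name__ == "__main__":
    for label, views in (("without !key", SLAVE_WITHOUT_NEGATION),
                         ("with !key", SLAVE_WITH_NEGATION)):
        for key in ("avcan", "vpn"):
            view = select_view(views, MASTER_IP, key)
            print(f"{label}: NOTIFY signed with key {key} -> view {view}")
```

Without the negated key entries, the vpn-signed NOTIFY is claimed by view avcan on its source address before view vpn is ever tried, which matches the "view avcan ... TSIG 'vpn': not authoritative" message.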