
I have a Bind9 DNS server running (and working!). All the zones were managed manually. I now want to change a zone to be updated automatically. After setting things up I tried nsupdate but it fails with "refused". I have no idea why that is the case.

Configuration: rndc.key is included in named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/rndc.key";

I also added an allow-update statement to my named.conf.local AND made sure that the zone file is in /var/lib/bind

root@ns1:/etc/bind# cat named.conf.local
zone "somedomain.com" {
        type master;
        file "/var/lib/bind/db.somedomain.com";
        #update-policy {grant "rndc.key" zonesub ANY;} ;
        allow-update { key rndc.key;};
        allow-transfer { some IP; };
};

The key exists:

root@ns1:/etc/bind# cat rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "<secret>";
};

But when I try to update via nsupdate from localhost it refuses it.

root@ns1:/etc/bind# nsupdate
> server localhost
> key rndc-key <secret>
> zone somedomain.com
> update add test.somedomain.com. 600 IN A someIP
> send
update failed: REFUSED

syslog also didn't help me much

May 24 22:37:20 ns1 named[30755]: client @0x7f1f8c0e3840 127.0.0.1#27482/key rndc-key: signer "rndc-key" denied
May 24 22:37:20 ns1 named[30755]: client @0x7f1f8c0e3840 127.0.0.1#27482/key rndc-key: update 'somedomain.com/IN' denied
May 24 22:38:09 ns1 named[30755]: resolver priming query complete
May 24 22:38:38 ns1 named[30755]: resolver priming query complete

I copied and pasted the key so there should be no typo. These are all original terminal outputs, just domains and IPs changed.

1 Answer


The name of the key in the allow-update statement is rndc.key, but the name of the key that you show and that you use on the client side is rndc-key?

Does rndc.key (as in the name of a key, not the file) even exist? If not, does the configuration even load cleanly? Regardless of which, the key name as well as the secret must match, so this would appear to be the problem.

Sidenote, why repurpose the key that is intended for use with rndc for other purposes? Just create a new key for the intended purpose (see tsig-keygen) and leave the rndc key alone!
(I would also question the use of MD5 in this day and age. I suppose in HMAC use it is not utterly broken, but why even go there?)

Håkan Lindqvist
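The mismatch the answer points out (key declared as rndc-key, referenced as rndc.key) is easy to catch before restarting named. The following is an added example, not code from the question or the answer: a small POSIX sh check that extracts the key name from a `key "NAME" { ... };` stanza and the name referenced in a zone's `allow-update { key NAME; };`, and reports whether they agree. The two inputs are constructed copies of the configuration shown in the question, with the secret replaced by a placeholder.

```shell
#!/bin/sh
# Added example: compare the TSIG key name declared in a key file with the
# key name referenced by a zone's allow-update statement.

# Constructed from the question's rndc.key and named.conf.local; secret is a placeholder.
KEYFILE_CONTENT='key "rndc-key" {
        algorithm hmac-md5;
        secret "<secret>";
};'
ZONE_CONTENT='zone "somedomain.com" {
        type master;
        file "/var/lib/bind/db.somedomain.com";
        allow-update { key rndc.key;};
};'
# Same zone with the reference corrected to the declared name.
ZONE_CONTENT_FIXED='zone "somedomain.com" {
        type master;
        file "/var/lib/bind/db.somedomain.com";
        allow-update { key "rndc-key"; };
};'

# Print the name from the first `key "NAME" {` line of a key file.
key_name_in_keyfile() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Print the name referenced by `allow-update { key NAME; }` (quotes optional).
key_name_in_allow_update() {
    printf '%s\n' "$1" \
      | sed -n 's/.*allow-update[[:space:]]*{[[:space:]]*key[[:space:]]*"\{0,1\}\([^";[:space:]]*\)"\{0,1\}.*/\1/p' \
      | head -n 1
}

# Exit status: 0 = names match, 1 = names differ, 2 = one of them is missing.
tsig_names_match() {
    declared=$(key_name_in_keyfile "$1")
    referenced=$(key_name_in_allow_update "$2")
    [ -n "$declared" ] && [ -n "$referenced" ] || return 2
    if [ "$declared" = "$referenced" ]; then
        echo "ok: allow-update references declared key '$declared'"
        return 0
    fi
    echo "MISMATCH: key file declares '$declared', allow-update references '$referenced'"
    return 1
}
```

Run against the real files, the same idea applies with `named-checkconf`, which reports configuration errors in the actual named.conf before a restart; this script only checks the name consistency that caused the REFUSED in the question.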