From Newsgroup: comp.protocols.dns.bind
--0000000000004bab1805a597173b
Content-Type: text/plain; charset="UTF-8"
Bob
after a few wireshark sessions etc we have identified this issue is due to
NAT from one of the sites we are sorting this out now and hopefully it
should fix
thanks for your help
On Wed, 13 May 2020 at 13:30, Bob Harold <
rharolde@umich.edu> wrote:
On Wed, May 13, 2020 at 3:20 AM Pete Fry <cadel2010@googlemail.com> wrote:
Bob
thanks for the reply and the correction ( the acl dones't have a ! it was
a cut and paste error when i was trying to remove some information.
the TSIG works when from other linux machine via nsupdate etc, however
i'm trying to figure out how to get the windows machines to do the same and >> was trying to follow this
http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-
allow-update
Regards
Pete
Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG,
not regular TSIG. Not sure how or if that can be solved.
--
Bob Harold
On Tue, 12 May 2020 at 13:40, Bob Harold <rharolde@umich.edu> wrote:
On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
bind-users@lists.isc.org> wrote:
All
I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.
we have
site 1
hostA
site 2
hostB
We have a HArecord, and we want HostA or HostB to be able to update the >>>> HArecord (i.e. failover cluster type configuration)
config:
Zone file:
zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};
lists.conf
acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};
acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};
For testing purposes, start with a simpler acl, like:
acl dynamic-TEST-tsig {
key TEST-key;
};
And see if that works.
acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};
acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};
"acl !" seems wrong to me. Is that a legal syntax? And if so, what
does it mean?
--
Bob Harold
however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?
happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank
Regards
Cade
--0000000000004bab1805a597173b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Bob<div><br></div><div>after a few wireshark sessions etc =
we have identified=C2=A0this issue=C2=A0is due to NAT from one of the sites=
we are sorting this out now and hopefully it should fix</div><div><br></di= v><div>thanks for your help</div></div><br><div class=3D"gmail_quote"><div = dir=3D"ltr" class=3D"gmail_attr">On Wed, 13 May 2020 at 13:30, Bob Harold &= lt;<a href=3D"mailto:
rharolde@umich.edu">
rharolde@umich.edu</a>> wrote:<= br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8e= x;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"= ><div dir=3D"ltr"><br></div><div class=3D"gmail_quote"><div dir=3D"ltr" cla= ss=3D"gmail_attr">On Wed, May 13, 2020 at 3:20 AM Pete Fry <<a href=3D"m= ailto:
cadel2010@googlemail.com" target=3D"_blank">
cadel2010@googlemail.com<= /a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><= div dir=3D"ltr">Bob<div>thanks for the reply and the correction ( the acl d= ones't=C2=A0have a ! it was a cut and paste error when i was trying to = remove some information.</div><div><br></div><div>the TSIG works when from = other linux machine via nsupdate etc, however i'm trying to figure out = how to get the windows machines to do the same and was trying to follow thi= s</div><div><br></div><div><code><span>http</span>://<span>serverfault</spa= n>.<span>com</span>/<span>questions</span>/<span>376578</span>/<span>bind9<= /span>-<span>combining</span>-<span>key</span>-<span>and</span>-<span>acl</= span>-<span>for</span>-<span>allow</span>-<span>update</span></code>=C2=A0<= /div><div><br></div><div>Regards</div><div><br></div><div>Pete=C2=A0</div><= /div></blockquote><div><br></div><div><br></div><div>Your ACL looks right.= =C2=A0 I think Ben has the key - Windows uses GSS-TSIG, not regular TSIG.= =C2=A0 Not sure how or if that can be solved.</div><div><br></div><div>--= =C2=A0</div><div>Bob Harold</div><div><br></div><div>=C2=A0</div><blockquot=
e class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px s= olid rgb(204,204,204);padding-left:1ex"><div class=3D"gmail_quote"><div dir= =3D"ltr" class=3D"gmail_attr">On Tue, 12 May 2020 at 13:40, Bob Harold <=
<a href=3D"mailto:
rharolde@umich.edu" target=3D"_blank">
rharolde@umich.edu<= /a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><= div dir=3D"ltr"><div dir=3D"ltr"><br></div><div class=3D"gmail_quote"><div = dir=3D"ltr" class=3D"gmail_attr">On Tue, May 12, 2020 at 5:57 AM Pete Fry v=
ia bind-users <<a href=3D"mailto:
bind-users@lists.isc.org" target=3D"_bl= ank">
bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class=3D"= gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20= 4,204,204);padding-left:1ex"><div dir=3D"ltr">All<div><br></div><div>I'=
ve inherited a BIND environment=C2=A0and i'm trying to understand a few=
things as currently we are experiences an issue related to DDNS.</div><div= ><br></div><div>we have=C2=A0</div><div><br></div><div>site 1</div><div><di=
v style=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui= ,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-s= ize:14px">hostA</div><div style=3D"box-sizing:border-box;font-family:"= Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji= ",sans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border= -box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&quo= t;,"Segoe UI Emoji",sans-serif;font-size:14px">site 2</div><div s= tyle=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&q= uot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size= :14px">hostB</div><div style=3D"box-sizing:border-box;font-family:"Seg=
oe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&qu= ot;,sans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-bo= x;font-family:"Segoe UI",system-ui,"Apple Color Emoji",= "Segoe UI Emoji",sans-serif;font-size:14px">We have a HArecord, a=
nd we want HostA or HostB to be able to update the HArecord=C2=A0(i.e. fail= over cluster type configuration)</div></div><div style=3D"box-sizing:border= -box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&quo= t;,"Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div sty= le=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&quo= t;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:1= 4px">config:</div><div style=3D"box-sizing:border-box;font-family:"Seg=
oe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&qu= ot;,sans-serif;font-size:14px">Zone file:</div><div style=3D"box-sizing:bor= der-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&= quot;,"Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div = style=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&= quot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-siz= e:14px">zone "TEST" {<br>=C2=A0 =C2=A0 check-names ignore;<br>=C2= =A0 =C2=A0 type master;<br>=C2=A0 =C2=A0 file "/var/named/dynamic/TEST= ";<br>=C2=A0 =C2=A0 allow-update {<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 auth= -dns;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 dynamic-TEST;<br>=C2=A0 =C2=A0 };<br>}= ;<br></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI&q= uot;,system-ui,"Apple Color Emoji","Segoe UI Emoji",san= s-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-box;font-= family:"Segoe UI",system-ui,"Apple Color Emoji","S= egoe UI Emoji",sans-serif;font-size:14px">lists.conf</div><div style= =3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,"= Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14p= x"><br></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI= ",system-ui,"Apple Color Emoji","Segoe UI Emoji",s= ans-serif;font-size:14px">acl dynamic-update-ads { <br>=C2=A0 =C2=A0192.168=
.2.1 // hostA<br>=C2=A0 =C2=A0192.168.5.1 // hostB <br>=C2=A0 =C2=A0dynami=
c-TEST-tsig; <br>};<br></div><div style=3D"box-sizing:border-box;font-famil= y:"Segoe UI",system-ui,"Apple Color Emoji","Segoe =
UI Emoji",sans-serif;font-size:14px"><br></div><div style=3D"box-sizin= g:border-box;font-family:"Segoe UI",system-ui,"Apple Color E= moji","Segoe UI Emoji",sans-serif;font-size:14px">acl dynami= c-TEST-tsig {<br>=C2=A0 =C2=A0// any host which is not..<br>=C2=A0 =C2=A0!{= <br>=C2=A0 =C2=A0 =C2=A0 // not in the new acls<br>=C2=A0 =C2=A0 =C2=A0 !dy= namic-test-site1;<br>=C2=A0 =C2=A0 =C2=A0 !dynamic-test-site2;<br>=C2=A0 = =C2=A0 =C2=A0 any;<br>=C2=A0 =C2=A0};<br>=C2=A0 =C2=A0// but has the key<br= >=C2=A0 =C2=A0key TEST-key;<br>};<br></div></div></blockquote><div><br></di= v><div>For testing purposes, start with a simpler acl, like:<br></div><div>= <br></div><div>acl dynamic-TEST-tsig {<br></div><div>=C2=A0 =C2=A0key TEST-= key;<br>};<br></div><div><br></div><div>And see if that works.</div><div>= =C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0= .8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"l= tr"><div style=3D"box-sizing:border-box;font-family:"Segoe UI",sy= stem-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif= ;font-size:14px"><br>acl !dynamic-test-site1 {<br> <a href=3D"
http://192.16=
8.2.1/32" target=3D"_blank">192.168.2.1/32</a>; // HostA<br>};<br><br>acl != dynamic-test-site2 {<br> <a href=3D"
http://192.168.5.1/32" target=3D"_blank=
">192.168.5.1/32</a>; // HostB<br>};<br></div><div style=3D"box-sizing:bord= er-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&q= uot;,"Segoe UI Emoji",sans-serif;font-size:14px"><pre lang=3D"con= f"><span id=3D"gmail-m_-160562985105215484gmail-m_1799513623007707470gmail-= m_-4701656668234550113gmail-m_2062855817749687786gmail-LC155" lang=3D"conf"= ></span></pre></div></div></blockquote><div><br></div><div>"acl !"=
; seems wrong to me.=C2=A0 Is that a legal syntax?=C2=A0 And if so, what do=
es it mean?</div><div><br></div><div>--=C2=A0</div><div>Bob Harold</div><di= v>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px=
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D= "ltr"><div style=3D"box-sizing:border-box;font-family:"Segoe UI",= system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-ser= if;font-size:14px"><pre lang=3D"conf"></pre><pre lang=3D"conf">however thes=
e windows machines keep saying bad key, I know i'm missing something ob= vious but how do i get this to work?</pre><pre lang=3D"conf">happy to be ab=
le to give the key to the windows boxes if anyone knows but i'm drawing=
a blank</pre><pre lang=3D"conf">Regards</pre><pre lang=3D"conf">Cade</pre>= </div></div></blockquote><div>=C2=A0</div></div></div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div>
--0000000000004bab1805a597173b--
--- Synchronet 3.18a-Linux NewsLink 1.113