2

I have BIND 9.7.3 running on Debian squeeze. I've configured a zone to accept dynamic updates using a key:

(I've replaced the key and the actual domain names ...)

key "yme" {
        algorithm hmac-md5;
        secret "topsecret";
};

zone "some-domain.de" in {
  type master;
  file "/etc/bind/zones/some-domain.de";
  allow-update {
    key yme;
  };
};

zone "some-other-domain.net" in {
  type master;
  file "/etc/bind/zones/some-other-domain.net";
  allow-update {
    key yme;
  };
};

Now, I send updates from a pfSense installation and I always get

22-Mar-2013 13:08:15.969 update-security: client 1.2.3.4#30949: update 'some-other-domain.net/IN' denied

The key is configured correctly on both sides, and there is no clock skew between the two sides.

What else could be the problem, what might I have overlooked?

Braiam
  • 35,991

1 Answer

2

Having checked my own (working) configuration, the only thing I can think is whether the permissions on /etc/bind/zones/some-other-domain.net are correct. If you're running bind as a non-root user, you need to make sure that it has write permission on that file. It may also need write permission on /etc/bind/zones to write its journal file.

Failing that, you could try straceing the bind process to check if anything untoward is happening when the update is attempted.

Flup
  • 8,145
  • I can confirm this from my side as well. Making /etc/bind group-writable solved this issue for me once before. – Joseph R. Aug 03 '13 at 18:58
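The permission check described in the answer above, as an added example that is not part of the original thread: it reads the mode bits of the zone file and its directory and reports whether a given account could write both. The function names are hypothetical, GNU `stat` is assumed, and the temporary directory is a constructed stand-in for /etc/bind/zones.

```shell
#!/bin/sh
# Added example, not from the thread. Judges access from owner/group/other
# mode bits only; ACLs and MAC policy are not considered. Needs GNU stat.

# can_write PATH UID "GID ..." -> 0 if that account may modify PATH
can_write() {
    cw_path=$1; cw_uid=$2; cw_gids=$3
    cw_out=$(stat -c '%u %g %a' "$cw_path") || return 2
    set -- $cw_out                        # $1 owner uid, $2 owner gid, $3 mode
    cw_mode=$((0$3))                      # %a is octal, e.g. 644
    cw_need=2                             # write bit
    [ -d "$cw_path" ] && cw_need=3        # a directory also needs search (x)
    [ "$cw_uid" -eq 0 ] && return 0       # root bypasses mode bits
    cw_bits=$(( cw_mode & 7 ))            # default: "other" bits
    if [ "$cw_uid" -eq "$1" ]; then
        cw_bits=$(( (cw_mode >> 6) & 7 ))
    else
        for cw_g in $cw_gids; do
            [ "$cw_g" -eq "$2" ] && cw_bits=$(( (cw_mode >> 3) & 7 ))
        done
    fi
    [ $(( cw_bits & cw_need )) -eq "$cw_need" ]
}

# zone_update_ready ZONEFILE UID "GID ..." -> prints one line per path and
# returns how many of (zone file, its directory) the account cannot write.
# The directory is where the answer expects the journal file to be written.
zone_update_ready() {
    zr_zone=$1; zr_uid=$2; zr_gids=$3; zr_bad=0
    for zr_p in "$zr_zone" "$(dirname "$zr_zone")"; do
        if can_write "$zr_p" "$zr_uid" "$zr_gids"; then
            echo "ok      $zr_p"
        else
            echo "DENIED  $zr_p"; zr_bad=$((zr_bad + 1))
        fi
    done
    return "$zr_bad"
}

# Constructed demo: a temp directory stands in for /etc/bind/zones.
demo_dir=$(mktemp -d)
demo_zone=$demo_dir/some-other-domain.net
: > "$demo_zone"; chmod 644 "$demo_zone"; chmod 755 "$demo_dir"
# Hypothetical daemon account: a uid that is not the owner, no shared group.
zone_update_ready "$demo_zone" "$(( $(id -u) + 1 ))" "" || true
```

On a real server the call would be `zone_update_ready /etc/bind/zones/some-other-domain.net "$(id -u bind)" "$(id -G bind)"`, assuming the daemon runs as an account named `bind`; substitute the account your named process actually uses.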