Forum: War Ensemble BBS

TSIG DDNS and windows clients

From Pete Fry@cadel2010@googlemail.com to bind-users on Tue May 12 10:57:23 2020

From Newsgroup: comp.protocols.dns.bind

--00000000000025900805a5707e9e
Content-Type: text/plain; charset="UTF-8"

All

I've inherited a BIND environment and i'm trying to understand a few things
as currently we are experiences an issue related to DDNS.

we have

site 1
hostA

site 2
hostB

We have a HArecord, and we want HostA or HostB to be able to update the HArecord (i.e. failover cluster type configuration)

config:
Zone file:

zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};

lists.conf

acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?

happy to be able to give the key to the windows boxes if anyone knows
but i'm drawing a blank

Regards

Cade

--00000000000025900805a5707e9e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">All<div><br></div><div>I've inherited a BIND environme= nt=C2=A0and i'm trying to understand a few things as currently we are e= xperiences an issue related to DDNS.</div><div><br></div><div>we have=C2=A0= </div><div><br></div><div>site 1</div><div><div style=3D"box-sizing:border-= box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&quot= ;,"Segoe UI Emoji",sans-serif;font-size:14px">hostA</div><div sty= le=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&quo= t;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:1= 4px"><br></div><div style=3D"box-sizing:border-box;font-family:"Segoe = UI",system-ui,"Apple Color Emoji","Segoe UI Emoji"= ,sans-serif;font-size:14px">site 2</div><div style=3D"box-sizing:border-box= ;font-family:"Segoe UI",system-ui,"Apple Color Emoji",&= quot;Segoe UI Emoji",sans-serif;font-size:14px">hostB</div><div style= =3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,"= Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14p= x"><br></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI= ",system-ui,"Apple Color Emoji","Segoe UI Emoji",s= ans-serif;font-size:14px">We have a HArecord, and we want HostA or HostB to=
be able to update the HArecord=C2=A0(i.e. failover cluster type configurat= ion)</div></div><div style=3D"box-sizing:border-box;font-family:"Segoe=
UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&quot= ;,sans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-box;= font-family:"Segoe UI",system-ui,"Apple Color Emoji",&q= uot;Segoe UI Emoji",sans-serif;font-size:14px">config:</div><div style= =3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,"= Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14p= x">Zone file:</div><div style=3D"box-sizing:border-box;font-family:"Se= goe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&q= uot;,sans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-b= ox;font-family:"Segoe UI",system-ui,"Apple Color Emoji"= ,"Segoe UI Emoji",sans-serif;font-size:14px">zone "TEST&quot=
; {<br>=C2=A0 =C2=A0 check-names ignore;<br>=C2=A0 =C2=A0 type master;<br>= =C2=A0 =C2=A0 file "/var/named/dynamic/TEST";<br>=C2=A0 =C2=A0 al= low-update {<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 auth-dns;<br>=C2=A0 =C2=A0 =C2=
=A0 =C2=A0 dynamic-TEST;<br>=C2=A0 =C2=A0 };<br>};<br></div><div style=3D"b= ox-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple=
Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><b= r></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI&quot= ;,system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-s= erif;font-size:14px">lists.conf</div><div style=3D"box-sizing:border-box;fo= nt-family:"Segoe UI",system-ui,"Apple Color Emoji",&quo= t;Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style=3D"b= ox-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple=
Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">ac=
l dynamic-update-ads { <br>=C2=A0 =C2=A0192.168.2.1 // hostA<br>=C2=A0 =C2= =A0192.168.5.1 // hostB <br>=C2=A0 =C2=A0dynamic-TEST-tsig; <br>};<br></di=

<div style=3D"box-sizing:border-box;font-family:"Segoe UI",syst= em-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;f= ont-size:14px"><br></div><div style=3D"box-sizing:border-box;font-family:&q= uot;Segoe UI",system-ui,"Apple Color Emoji","Segoe UI E= moji",sans-serif;font-size:14px">acl dynamic-TEST-tsig {<br>=C2=A0 =C2= =A0// any host which is not..<br>=C2=A0 =C2=A0!{<br>=C2=A0 =C2=A0 =C2=A0 //=

not in the new acls<br>=C2=A0 =C2=A0 =C2=A0 !dynamic-test-site1;<br>=C2=A0=
=C2=A0 =C2=A0 !dynamic-test-site2;<br>=C2=A0 =C2=A0 =C2=A0 any;<br>=C2=A0 = =C2=A0};<br>=C2=A0 =C2=A0// but has the key<br>=C2=A0 =C2=A0key TEST-key;<b= r>};<br><br><br>acl !dynamic-test-site1 {<br> <a href=3D"http://192.168.2.1= /32">192.168.2.1/32</a>; // HostA<br>};<br><br>acl !dynamic-test-site2 {<br=

<a href=3D"http://192.168.5.1/32">192.168.5.1/32</a>; // HostB<br>};<br><=

/div><div style=3D"box-sizing:border-box;font-family:"Segoe UI",s= ystem-ui,"Apple Color Emoji","Segoe UI Emoji",sans-seri= f;font-size:14px"><pre class=3D"gmail-code gmail-highlight" lang=3D"conf"><= span id=3D"gmail-LC155" class=3D"gmail-line" lang=3D"conf"></span>
</pre><pre class=3D"gmail-code gmail-highlight" lang=3D"conf">however these=
windows machines keep saying bad key, I know i'm missing something obv= ious but how do i get this to work?</pre><pre class=3D"gmail-code gmail-hig= hlight" lang=3D"conf">happy to be able to give the key to the windows boxes=
if anyone knows but i'm drawing a blank</pre><pre class=3D"gmail-code = gmail-highlight" lang=3D"conf">Regards</pre><pre class=3D"gmail-code gmail-= highlight" lang=3D"conf">Cade</pre></div></div>

--00000000000025900805a5707e9e--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Bob Harold@rharolde@umich.edu to Pete Fry on Tue May 12 08:40:15 2020

From Newsgroup: comp.protocols.dns.bind

--0000000000008ff5c005a572c4ee
Content-Type: text/plain; charset="UTF-8"

On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users < bind-users@lists.isc.org> wrote:

All

I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.

we have

site 1
hostA

site 2
hostB

We have a HArecord, and we want HostA or HostB to be able to update the HArecord (i.e. failover cluster type configuration)

config:
Zone file:

zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};

lists.conf

acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};

For testing purposes, start with a simpler acl, like:

acl dynamic-TEST-tsig {
key TEST-key;
};

And see if that works.

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

"acl !" seems wrong to me. Is that a legal syntax? And if so, what does
it mean?

--
Bob Harold

however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?

happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank

Regards

Cade

--0000000000008ff5c005a572c4ee
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><div class=3D"gmail_quote"><div=
dir=3D"ltr" class=3D"gmail_attr">On Tue, May 12, 2020 at 5:57 AM Pete Fry = via bind-users <<a href=3D"mailto:bind-users@lists.isc.org">bind-users@l= ists.isc.org</a>> wrote:<br></div><blockquote class=3D"gmail_quote" styl= e=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddin= g-left:1ex"><div dir=3D"ltr">All<div><br></div><div>I've inherited a BI=
ND environment=C2=A0and i'm trying to understand a few things as curren= tly we are experiences an issue related to DDNS.</div><div><br></div><div>w=
e have=C2=A0</div><div><br></div><div>site 1</div><div><div style=3D"box-si= zing:border-box;font-family:"Segoe UI",system-ui,"Apple Colo=
r Emoji","Segoe UI Emoji",sans-serif;font-size:14px">hostA</= div><div style=3D"box-sizing:border-box;font-family:"Segoe UI",sy= stem-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif= ;font-size:14px"><br></div><div style=3D"box-sizing:border-box;font-family:= "Segoe UI",system-ui,"Apple Color Emoji","Segoe UI=
Emoji",sans-serif;font-size:14px">site 2</div><div style=3D"box-sizin= g:border-box;font-family:"Segoe UI",system-ui,"Apple Color E= moji","Segoe UI Emoji",sans-serif;font-size:14px">hostB</div= ><div style=3D"box-sizing:border-box;font-family:"Segoe UI",syste= m-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;fo= nt-size:14px"><br></div><div style=3D"box-sizing:border-box;font-family:&qu= ot;Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Em= oji",sans-serif;font-size:14px">We have a HArecord, and we want HostA =
or HostB to be able to update the HArecord=C2=A0(i.e. failover cluster type=
configuration)</div></div><div style=3D"box-sizing:border-box;font-family:= "Segoe UI",system-ui,"Apple Color Emoji","Segoe UI=
Emoji",sans-serif;font-size:14px"><br></div><div style=3D"box-sizing:= border-box;font-family:"Segoe UI",system-ui,"Apple Color Emo= ji","Segoe UI Emoji",sans-serif;font-size:14px">config:</div= ><div style=3D"box-sizing:border-box;font-family:"Segoe UI",syste= m-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;fo= nt-size:14px">Zone file:</div><div style=3D"box-sizing:border-box;font-fami= ly:"Segoe UI",system-ui,"Apple Color Emoji","Segoe=
UI Emoji",sans-serif;font-size:14px"><br></div><div style=3D"box-sizi= ng:border-box;font-family:"Segoe UI",system-ui,"Apple Color = Emoji","Segoe UI Emoji",sans-serif;font-size:14px">zone &quo= t;TEST" {<br>=C2=A0 =C2=A0 check-names ignore;<br>=C2=A0 =C2=A0 type m= aster;<br>=C2=A0 =C2=A0 file "/var/named/dynamic/TEST";<br>=C2=A0=
=C2=A0 allow-update {<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 auth-dns;<br>=C2=A0 = =C2=A0 =C2=A0 =C2=A0 dynamic-TEST;<br>=C2=A0 =C2=A0 };<br>};<br></div><div = style=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&= quot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-siz= e:14px"><br></div><div style=3D"box-sizing:border-box;font-family:"Seg=
oe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&qu= ot;,sans-serif;font-size:14px">lists.conf</div><div style=3D"box-sizing:bor= der-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&= quot;,"Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div = style=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&= quot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-siz= e:14px">acl dynamic-update-ads { <br>=C2=A0 =C2=A0192.168.2.1 // hostA<br>=
=C2=A0 =C2=A0192.168.5.1 // hostB <br>=C2=A0 =C2=A0dynamic-TEST-tsig; <br>=
};<br></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI&= quot;,system-ui,"Apple Color Emoji","Segoe UI Emoji",sa= ns-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-box;font= -family:"Segoe UI",system-ui,"Apple Color Emoji","= Segoe UI Emoji",sans-serif;font-size:14px">acl dynamic-TEST-tsig {<br>= =C2=A0 =C2=A0// any host which is not..<br>=C2=A0 =C2=A0!{<br>=C2=A0 =C2=A0=
=C2=A0 // not in the new acls<br>=C2=A0 =C2=A0 =C2=A0 !dynamic-test-site1;= <br>=C2=A0 =C2=A0 =C2=A0 !dynamic-test-site2;<br>=C2=A0 =C2=A0 =C2=A0 any;<= br>=C2=A0 =C2=A0};<br>=C2=A0 =C2=A0// but has the key<br>=C2=A0 =C2=A0key T= EST-key;<br>};<br></div></div></blockquote><div><br></div><div>For testing = purposes, start with a simpler acl, like:<br></div><div><br></div><div>acl = dynamic-TEST-tsig {<br></div><div>=C2=A0 =C2=A0key TEST-key;<br>};<br></div= ><div><br></div><div>And see if that works.</div><div>=C2=A0</div><blockquo=
te class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px = solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div style=3D"box= -sizing:border-box;font-family:"Segoe UI",system-ui,"Apple C= olor Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br>= acl !dynamic-test-site1 {<br> <a href=3D"http://192.168.2.1/32" target=3D"_= blank">192.168.2.1/32</a>; // HostA<br>};<br><br>acl !dynamic-test-site2 {<=

<a href=3D"http://192.168.5.1/32" target=3D"_blank">192.168.5.1/32</a>;=

// HostB<br>};<br></div><div style=3D"box-sizing:border-box;font-family:&q=
uot;Segoe UI",system-ui,"Apple Color Emoji","Segoe UI E= moji",sans-serif;font-size:14px"><pre lang=3D"conf"><span id=3D"gmail-= m_2062855817749687786gmail-LC155" lang=3D"conf"></span></pre></div></div></= blockquote><div><br></div><div>"acl !" seems wrong to me.=C2=A0 I=
s that a legal syntax?=C2=A0 And if so, what does it mean?</div><div><br></= div><div>--=C2=A0</div><div>Bob Harold</div><div>=C2=A0</div><blockquote cl= ass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid=
rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div style=3D"box-sizi= ng:border-box;font-family:"Segoe UI",system-ui,"Apple Color = Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><pre lang= =3D"conf"></pre><pre lang=3D"conf">however these windows machines keep sayi=
ng bad key, I know i'm missing something obvious but how do i get this =
to work?</pre><pre lang=3D"conf">happy to be able to give the key to the wi= ndows boxes if anyone knows but i'm drawing a blank</pre><pre lang=3D"c= onf">Regards</pre><pre lang=3D"conf">Cade</pre></div></div></blockquote><di= v>=C2=A0</div></div></div>

--0000000000008ff5c005a572c4ee--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Ben Croswell@ben.croswell@gmail.com to ML BIND Users on Tue May 12 08:50:39 2020

From Newsgroup: comp.protocols.dns.bind

--000000000000c9b39c05a572e96d
Content-Type: text/plain; charset="UTF-8"

Is it possible the clients are trying to do kerberos GSS-TSIG updates?

On Tue, May 12, 2020, 5:58 AM Pete Fry via bind-users < bind-users@lists.isc.org> wrote:

All

I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.

we have

site 1
hostA

site 2
hostB

We have a HArecord, and we want HostA or HostB to be able to update the HArecord (i.e. failover cluster type configuration)

config:
Zone file:

zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};

lists.conf

acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?

happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank

Regards

Cade

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--000000000000c9b39c05a572e96d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">Is it possible the clients are trying to do kerberos=C2=
=A0 GSS-TSIG updates?</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" = class=3D"gmail_attr">On Tue, May 12, 2020, 5:58 AM Pete Fry via bind-users = <<a href=3D"mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a= >> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0=
0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr">All<d= iv><br></div><div>I've inherited a BIND environment=C2=A0and i'm tr= ying to understand a few things as currently we are experiences an issue re= lated to DDNS.</div><div><br></div><div>we have=C2=A0</div><div><br></div><= div>site 1</div><div><div style=3D"box-sizing:border-box;font-family:"= Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji= ",sans-serif;font-size:14px">hostA</div><div style=3D"box-sizing:borde= r-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&qu= ot;,"Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div st= yle=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&qu= ot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:= 14px">site 2</div><div style=3D"box-sizing:border-box;font-family:"Seg=
oe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&qu= ot;,sans-serif;font-size:14px">hostB</div><div style=3D"box-sizing:border-b= ox;font-family:"Segoe UI",system-ui,"Apple Color Emoji"= ,"Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style= =3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,"= Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14p= x">We have a HArecord, and we want HostA or HostB to be able to update the = HArecord=C2=A0(i.e. failover cluster type configuration)</div></div><div st= yle=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&qu= ot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:= 14px"><br></div><div style=3D"box-sizing:border-box;font-family:"Segoe=
UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&quot= ;,sans-serif;font-size:14px">config:</div><div style=3D"box-sizing:border-b= ox;font-family:"Segoe UI",system-ui,"Apple Color Emoji"= ,"Segoe UI Emoji",sans-serif;font-size:14px">Zone file:</div><div=
style=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,= "Apple Color Emoji","Segoe UI Emoji",sans-serif;font-si= ze:14px"><br></div><div style=3D"box-sizing:border-box;font-family:"Se= goe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&q= uot;,sans-serif;font-size:14px">zone "TEST" {<br>=C2=A0 =C2=A0 ch= eck-names ignore;<br>=C2=A0 =C2=A0 type master;<br>=C2=A0 =C2=A0 file &quot= ;/var/named/dynamic/TEST";<br>=C2=A0 =C2=A0 allow-update {<br>=C2=A0 = =C2=A0 =C2=A0 =C2=A0 auth-dns;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 dynamic-TEST;= <br>=C2=A0 =C2=A0 };<br>};<br></div><div style=3D"box-sizing:border-box;fon= t-family:"Segoe UI",system-ui,"Apple Color Emoji",&quot= ;Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style=3D"bo= x-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple = Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">lis= ts.conf</div><div style=3D"box-sizing:border-box;font-family:"Segoe UI= ",system-ui,"Apple Color Emoji","Segoe UI Emoji",s= ans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-box;fon= t-family:"Segoe UI",system-ui,"Apple Color Emoji",&quot= ;Segoe UI Emoji",sans-serif;font-size:14px">acl dynamic-update-ads { <=

=C2=A0 =C2=A0192.168.2.1 // hostA<br>=C2=A0 =C2=A0192.168.5.1 // hostB =

<br>=C2=A0 =C2=A0dynamic-TEST-tsig; <br>};<br></div><div style=3D"box-sizin= g:border-box;font-family:"Segoe UI",system-ui,"Apple Color E= moji","Segoe UI Emoji",sans-serif;font-size:14px"><br></div>= <div style=3D"box-sizing:border-box;font-family:"Segoe UI",system= -ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;fon= t-size:14px">acl dynamic-TEST-tsig {<br>=C2=A0 =C2=A0// any host which is n= ot..<br>=C2=A0 =C2=A0!{<br>=C2=A0 =C2=A0 =C2=A0 // not in the new acls<br>= =C2=A0 =C2=A0 =C2=A0 !dynamic-test-site1;<br>=C2=A0 =C2=A0 =C2=A0 !dynamic-= test-site2;<br>=C2=A0 =C2=A0 =C2=A0 any;<br>=C2=A0 =C2=A0};<br>=C2=A0 =C2= =A0// but has the key<br>=C2=A0 =C2=A0key TEST-key;<br>};<br><br><br>acl !d= ynamic-test-site1 {<br> <a href=3D"http://192.168.2.1/32" target=3D"_blank"=
rel=3D"noreferrer">192.168.2.1/32</a>; // HostA<br>};<br><br>acl !dynamic-= test-site2 {<br> <a href=3D"http://192.168.5.1/32" target=3D"_blank" rel=3D=
"noreferrer">192.168.5.1/32</a>; // HostB<br>};<br></div><div style=3D"box-=
sizing:border-box;font-family:"Segoe UI",system-ui,"Apple Co= lor Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><pre = lang=3D"conf"><span id=3D"m_8229299973494285591gmail-LC155" lang=3D"conf"><= /span>
</pre><pre lang=3D"conf">however these windows machines keep saying bad key=
, I know i'm missing something obvious but how do i get this to work?</= pre><pre lang=3D"conf">happy to be able to give the key to the windows boxe=
s if anyone knows but i'm drawing a blank</pre><pre lang=3D"conf">Regar= ds</pre><pre lang=3D"conf">Cade</pre></div></div> _______________________________________________<br>
Please visit <a href=3D"https://lists.isc.org/mailman/listinfo/bind-users" = rel=3D"noreferrer noreferrer" target=3D"_blank">https://lists.isc.org/mailm= an/listinfo/bind-users</a> to unsubscribe from this list<br>

bind-users mailing list<br>
<a href=3D"mailto:bind-users@lists.isc.org" target=3D"_blank" rel=3D"norefe= rrer">bind-users@lists.isc.org</a><br>
<a href=3D"https://lists.isc.org/mailman/listinfo/bind-users" rel=3D"norefe= rrer noreferrer" target=3D"_blank">https://lists.isc.org/mailman/listinfo/b= ind-users</a><br>
</blockquote></div>

--000000000000c9b39c05a572e96d--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Pete Fry@cadel2010@googlemail.com to Bob Harold on Wed May 13 08:20:08 2020

From Newsgroup: comp.protocols.dns.bind

--000000000000950daf05a5826922
Content-Type: text/plain; charset="UTF-8"

Bob
thanks for the reply and the correction ( the acl dones't have a ! it was a
cut and paste error when i was trying to remove some information.

the TSIG works when from other linux machine via nsupdate etc, however i'm trying to figure out how to get the windows machines to do the same and was trying to follow this

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for- allow-update

Regards

Pete

On Tue, 12 May 2020 at 13:40, Bob Harold <rharolde@umich.edu> wrote:

On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users < bind-users@lists.isc.org> wrote:

All

I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.

we have

site 1
hostA

site 2
hostB

We have a HArecord, and we want HostA or HostB to be able to update the
HArecord (i.e. failover cluster type configuration)

config:
Zone file:

zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};

lists.conf

acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};

For testing purposes, start with a simpler acl, like:

acl dynamic-TEST-tsig {
key TEST-key;
};

And see if that works.

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

"acl !" seems wrong to me. Is that a legal syntax? And if so, what does
it mean?

--
Bob Harold

however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?

happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank

Regards

Cade

--000000000000950daf05a5826922
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Bob<div>thanks for the reply and the correction ( the acl = dones't=C2=A0have a ! it was a cut and paste error when i was trying to=
remove some information.</div><div><br></div><div>the TSIG works when from=
other linux machine via nsupdate etc, however i'm trying to figure out=
how to get the windows machines to do the same and was trying to follow th= is</div><div><br></div><div><code><span class=3D"gmail-n">http</span>://<sp=
an class=3D"gmail-n">serverfault</span>.<span class=3D"gmail-n">com</span>/= <span class=3D"gmail-n">questions</span>/<span class=3D"gmail-m">376578</sp= an>/<span class=3D"gmail-n">bind9</span>-<span class=3D"gmail-n">combining<= /span>-<span class=3D"gmail-n">key</span>-<span class=3D"gmail-n">and</span= >-<span class=3D"gmail-n">acl</span>-<span class=3D"gmail-n">for</span>-<sp=
an class=3D"gmail-n">allow</span>-<span class=3D"gmail-n">update</span></co= de>=C2=A0</div><div><br></div><div>Regards</div><div><br></div><div>Pete=C2= =A0<br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D= "gmail_attr">On Tue, 12 May 2020 at 13:40, Bob Harold <<a href=3D"mailto= :rharolde@umich.edu">rharolde@umich.edu</a>> wrote:<br></div><blockquote=
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px so= lid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><b= r></div><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On=
Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <<a href=3D"mailto= :bind-users@lists.isc.org" target=3D"_blank">bind-users@lists.isc.org</a>&g=
t; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0p=
x 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div d= ir=3D"ltr">All<div><br></div><div>I've inherited a BIND environment=C2= =A0and i'm trying to understand a few things as currently we are experi= ences an issue related to DDNS.</div><div><br></div><div>we have=C2=A0</div= ><div><br></div><div>site 1</div><div><div style=3D"box-sizing:border-box;f= ont-family:"Segoe UI",system-ui,"Apple Color Emoji",&qu= ot;Segoe UI Emoji",sans-serif;font-size:14px">hostA</div><div style=3D= "box-sizing:border-box;font-family:"Segoe UI",system-ui,"App=
le Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">= <br></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI&qu= ot;,system-ui,"Apple Color Emoji","Segoe UI Emoji",sans= -serif;font-size:14px">site 2</div><div style=3D"box-sizing:border-box;font= -family:"Segoe UI",system-ui,"Apple Color Emoji","= Segoe UI Emoji",sans-serif;font-size:14px">hostB</div><div style=3D"bo= x-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple = Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br= ></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI"= ,system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-se= rif;font-size:14px">We have a HArecord, and we want HostA or HostB to be ab=
le to update the HArecord=C2=A0(i.e. failover cluster type configuration)</= div></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI&qu= ot;,system-ui,"Apple Color Emoji","Segoe UI Emoji",sans= -serif;font-size:14px"><br></div><div style=3D"box-sizing:border-box;font-f= amily:"Segoe UI",system-ui,"Apple Color Emoji","Se= goe UI Emoji",sans-serif;font-size:14px">config:</div><div style=3D"bo= x-sizing:border-box;font-family:"Segoe UI",system-ui,"Apple = Color Emoji","Segoe UI Emoji",sans-serif;font-size:14px">Zon=
e file:</div><div style=3D"box-sizing:border-box;font-family:"Segoe UI= ",system-ui,"Apple Color Emoji","Segoe UI Emoji",s= ans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-box;fon= t-family:"Segoe UI",system-ui,"Apple Color Emoji",&quot= ;Segoe UI Emoji",sans-serif;font-size:14px">zone "TEST" {<br= >=C2=A0 =C2=A0 check-names ignore;<br>=C2=A0 =C2=A0 type master;<br>=C2=A0 = =C2=A0 file "/var/named/dynamic/TEST";<br>=C2=A0 =C2=A0 allow-upd= ate {<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 auth-dns;<br>=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 dynamic-TEST;<br>=C2=A0 =C2=A0 };<br>};<br></div><div style=3D"box-sizi= ng:border-box;font-family:"Segoe UI",system-ui,"Apple Color = Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><br></div= ><div style=3D"box-sizing:border-box;font-family:"Segoe UI",syste= m-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif;fo= nt-size:14px">lists.conf</div><div style=3D"box-sizing:border-box;font-fami= ly:"Segoe UI",system-ui,"Apple Color Emoji","Segoe=
UI Emoji",sans-serif;font-size:14px"><br></div><div style=3D"box-sizi= ng:border-box;font-family:"Segoe UI",system-ui,"Apple Color = Emoji","Segoe UI Emoji",sans-serif;font-size:14px">acl dynam= ic-update-ads { <br>=C2=A0 =C2=A0192.168.2.1 // hostA<br>=C2=A0 =C2=A0192.1= 68.5.1 // hostB <br>=C2=A0 =C2=A0dynamic-TEST-tsig; <br>};<br></div><div s=
tyle=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&q= uot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size= :14px"><br></div><div style=3D"box-sizing:border-box;font-family:"Sego=
e UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&quo= t;,sans-serif;font-size:14px">acl dynamic-TEST-tsig {<br>=C2=A0 =C2=A0// an=
y host which is not..<br>=C2=A0 =C2=A0!{<br>=C2=A0 =C2=A0 =C2=A0 // not in = the new acls<br>=C2=A0 =C2=A0 =C2=A0 !dynamic-test-site1;<br>=C2=A0 =C2=A0 = =C2=A0 !dynamic-test-site2;<br>=C2=A0 =C2=A0 =C2=A0 any;<br>=C2=A0 =C2=A0};= <br>=C2=A0 =C2=A0// but has the key<br>=C2=A0 =C2=A0key TEST-key;<br>};<br>= </div></div></blockquote><div><br></div><div>For testing purposes, start wi=
th a simpler acl, like:<br></div><div><br></div><div>acl dynamic-TEST-tsig = {<br></div><div>=C2=A0 =C2=A0key TEST-key;<br>};<br></div><div><br></div><d= iv>And see if that works.</div><div>=C2=A0</div><blockquote class=3D"gmail_= quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,= 204);padding-left:1ex"><div dir=3D"ltr"><div style=3D"box-sizing:border-box= ;font-family:"Segoe UI",system-ui,"Apple Color Emoji",&= quot;Segoe UI Emoji",sans-serif;font-size:14px"><br>acl !dynamic-test-= site1 {<br> <a href=3D"http://192.168.2.1/32" target=3D"_blank">192.168.2.1=
/32</a>; // HostA<br>};<br><br>acl !dynamic-test-site2 {<br> <a href=3D"htt=
p://192.168.5.1/32" target=3D"_blank">192.168.5.1/32</a>; // HostB<br>};<br=

</div><div style=3D"box-sizing:border-box;font-family:"Segoe UI"= ,system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-se= rif;font-size:14px"><pre lang=3D"conf"><span id=3D"gmail-m_-470165666823455= 0113gmail-m_2062855817749687786gmail-LC155" lang=3D"conf"></span></pre></di= v></div></blockquote><div><br></div><div>"acl !" seems wrong to m= e.=C2=A0 Is that a legal syntax?=C2=A0 And if so, what does it mean?</div><= div><br></div><div>--=C2=A0</div><div>Bob Harold</div><div>=C2=A0</div><blo= ckquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left= :1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div style= =3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,"= Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14p= x"><pre lang=3D"conf"></pre><pre lang=3D"conf">however these windows machin=

es keep saying bad key, I know i'm missing something obvious but how do=
i get this to work?</pre><pre lang=3D"conf">happy to be able to give the k=
ey to the windows boxes if anyone knows but i'm drawing a blank</pre><p=
re lang=3D"conf">Regards</pre><pre lang=3D"conf">Cade</pre></div></div></bl= ockquote><div>=C2=A0</div></div></div>
</blockquote></div>

--000000000000950daf05a5826922--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Bob Harold@rharolde@umich.edu to Pete Fry on Wed May 13 08:29:54 2020

From Newsgroup: comp.protocols.dns.bind

--0000000000007985bc05a586bdf6
Content-Type: text/plain; charset="UTF-8"

On Wed, May 13, 2020 at 3:20 AM Pete Fry <cadel2010@googlemail.com> wrote:

Bob
thanks for the reply and the correction ( the acl dones't have a ! it was
a cut and paste error when i was trying to remove some information.

the TSIG works when from other linux machine via nsupdate etc, however i'm trying to figure out how to get the windows machines to do the same and was trying to follow this

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for- allow-update

Regards

Pete

Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG, not regular TSIG. Not sure how or if that can be solved.

--
Bob Harold

On Tue, 12 May 2020 at 13:40, Bob Harold <rharolde@umich.edu> wrote:

On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
bind-users@lists.isc.org> wrote:

All

I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.

we have

site 1
hostA

site 2
hostB

We have a HArecord, and we want HostA or HostB to be able to update the
HArecord (i.e. failover cluster type configuration)

config:
Zone file:

zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};

lists.conf

acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};

For testing purposes, start with a simpler acl, like:

acl dynamic-TEST-tsig {
key TEST-key;
};

And see if that works.

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

"acl !" seems wrong to me. Is that a legal syntax? And if so, what does
it mean?

--
Bob Harold

however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?

happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank

Regards

Cade

--0000000000007985bc05a586bdf6
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><div class=3D"gmail_quote"><div=
dir=3D"ltr" class=3D"gmail_attr">On Wed, May 13, 2020 at 3:20 AM Pete Fry = <<a href=3D"mailto:cadel2010@googlemail.com">cadel2010@googlemail.com</a= >> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px=
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><di=
v dir=3D"ltr">Bob<div>thanks for the reply and the correction ( the acl don= es't=C2=A0have a ! it was a cut and paste error when i was trying to re= move some information.</div><div><br></div><div>the TSIG works when from ot= her linux machine via nsupdate etc, however i'm trying to figure out ho=
w to get the windows machines to do the same and was trying to follow this<= /div><div><br></div><div><code><span>http</span>://<span>serverfault</span>= .<span>com</span>/<span>questions</span>/<span>376578</span>/<span>bind9</s= pan>-<span>combining</span>-<span>key</span>-<span>and</span>-<span>acl</sp= an>-<span>for</span>-<span>allow</span>-<span>update</span></code>=C2=A0</d= iv><div><br></div><div>Regards</div><div><br></div><div>Pete=C2=A0</div></d= iv></blockquote><div><br></div><div><br></div><div>Your ACL looks right.=C2= =A0 I think Ben has the key - Windows uses GSS-TSIG, not regular TSIG.=C2=
=A0 Not sure how or if that can be solved.</div><div><br></div><div>--=C2= =A0</div><div>Bob Harold</div><div><br></div><div>=C2=A0</div><blockquote c= lass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px soli=
d rgb(204,204,204);padding-left:1ex"><div class=3D"gmail_quote"><div dir=3D= "ltr" class=3D"gmail_attr">On Tue, 12 May 2020 at 13:40, Bob Harold <<a = href=3D"mailto:rharolde@umich.edu" target=3D"_blank">rharolde@umich.edu</a>= > wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px = 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div=
dir=3D"ltr"><div dir=3D"ltr"><br></div><div class=3D"gmail_quote"><div dir= =3D"ltr" class=3D"gmail_attr">On Tue, May 12, 2020 at 5:57 AM Pete Fry via = bind-users <<a href=3D"mailto:bind-users@lists.isc.org" target=3D"_blank= ">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class=3D"gma= il_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,2= 04,204);padding-left:1ex"><div dir=3D"ltr">All<div><br></div><div>I've = inherited a BIND environment=C2=A0and i'm trying to understand a few th= ings as currently we are experiences an issue related to DDNS.</div><div><b= r></div><div>we have=C2=A0</div><div><br></div><div>site 1</div><div><div s= tyle=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&q= uot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size= :14px">hostA</div><div style=3D"box-sizing:border-box;font-family:"Seg=
oe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&qu= ot;,sans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-bo= x;font-family:"Segoe UI",system-ui,"Apple Color Emoji",= "Segoe UI Emoji",sans-serif;font-size:14px">site 2</div><div styl= e=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&quot= ;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14= px">hostB</div><div style=3D"box-sizing:border-box;font-family:"Segoe = UI",system-ui,"Apple Color Emoji","Segoe UI Emoji"= ,sans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-box;f= ont-family:"Segoe UI",system-ui,"Apple Color Emoji",&qu= ot;Segoe UI Emoji",sans-serif;font-size:14px">We have a HArecord, and =
we want HostA or HostB to be able to update the HArecord=C2=A0(i.e. failove=
r cluster type configuration)</div></div><div style=3D"box-sizing:border-bo= x;font-family:"Segoe UI",system-ui,"Apple Color Emoji",= "Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div style= =3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,"= Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14p= x">config:</div><div style=3D"box-sizing:border-box;font-family:"Segoe=
UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&quot= ;,sans-serif;font-size:14px">Zone file:</div><div style=3D"box-sizing:borde= r-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&qu= ot;,"Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div st= yle=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&qu= ot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:= 14px">zone "TEST" {<br>=C2=A0 =C2=A0 check-names ignore;<br>=C2=
=A0 =C2=A0 type master;<br>=C2=A0 =C2=A0 file "/var/named/dynamic/TEST= ";<br>=C2=A0 =C2=A0 allow-update {<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 auth= -dns;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 dynamic-TEST;<br>=C2=A0 =C2=A0 };<br>}= ;<br></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI&q= uot;,system-ui,"Apple Color Emoji","Segoe UI Emoji",san= s-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-box;font-= family:"Segoe UI",system-ui,"Apple Color Emoji","S= egoe UI Emoji",sans-serif;font-size:14px">lists.conf</div><div style= =3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,"= Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14p= x"><br></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI= ",system-ui,"Apple Color Emoji","Segoe UI Emoji",s= ans-serif;font-size:14px">acl dynamic-update-ads { <br>=C2=A0 =C2=A0192.168=
.2.1 // hostA<br>=C2=A0 =C2=A0192.168.5.1 // hostB <br>=C2=A0 =C2=A0dynami=
c-TEST-tsig; <br>};<br></div><div style=3D"box-sizing:border-box;font-famil= y:"Segoe UI",system-ui,"Apple Color Emoji","Segoe =
UI Emoji",sans-serif;font-size:14px"><br></div><div style=3D"box-sizin= g:border-box;font-family:"Segoe UI",system-ui,"Apple Color E= moji","Segoe UI Emoji",sans-serif;font-size:14px">acl dynami= c-TEST-tsig {<br>=C2=A0 =C2=A0// any host which is not..<br>=C2=A0 =C2=A0!{= <br>=C2=A0 =C2=A0 =C2=A0 // not in the new acls<br>=C2=A0 =C2=A0 =C2=A0 !dy= namic-test-site1;<br>=C2=A0 =C2=A0 =C2=A0 !dynamic-test-site2;<br>=C2=A0 = =C2=A0 =C2=A0 any;<br>=C2=A0 =C2=A0};<br>=C2=A0 =C2=A0// but has the key<br= >=C2=A0 =C2=A0key TEST-key;<br>};<br></div></div></blockquote><div><br></di= v><div>For testing purposes, start with a simpler acl, like:<br></div><div>= <br></div><div>acl dynamic-TEST-tsig {<br></div><div>=C2=A0 =C2=A0key TEST-= key;<br>};<br></div><div><br></div><div>And see if that works.</div><div>= =C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0= .8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"l= tr"><div style=3D"box-sizing:border-box;font-family:"Segoe UI",sy= stem-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif= ;font-size:14px"><br>acl !dynamic-test-site1 {<br> <a href=3D"http://192.16=
8.2.1/32" target=3D"_blank">192.168.2.1/32</a>; // HostA<br>};<br><br>acl != dynamic-test-site2 {<br> <a href=3D"http://192.168.5.1/32" target=3D"_blank=
">192.168.5.1/32</a>; // HostB<br>};<br></div><div style=3D"box-sizing:bord= er-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&q= uot;,"Segoe UI Emoji",sans-serif;font-size:14px"><pre lang=3D"con= f"><span id=3D"gmail-m_1799513623007707470gmail-m_-4701656668234550113gmail= -m_2062855817749687786gmail-LC155" lang=3D"conf"></span></pre></div></div><= /blockquote><div><br></div><div>"acl !" seems wrong to me.=C2=A0 =
Is that a legal syntax?=C2=A0 And if so, what does it mean?</div><div><br><= /div><div>--=C2=A0</div><div>Bob Harold</div><div>=C2=A0</div><blockquote c= lass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px soli=
d rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div style=3D"box-siz= ing:border-box;font-family:"Segoe UI",system-ui,"Apple Color=
Emoji","Segoe UI Emoji",sans-serif;font-size:14px"><pre lan= g=3D"conf"></pre><pre lang=3D"conf">however these windows machines keep say= ing bad key, I know i'm missing something obvious but how do i get this=
to work?</pre><pre lang=3D"conf">happy to be able to give the key to the w= indows boxes if anyone knows but i'm drawing a blank</pre><pre lang=3D"= conf">Regards</pre><pre lang=3D"conf">Cade</pre></div></div></blockquote><d= iv>=C2=A0</div></div></div>
</blockquote></div>
</blockquote></div></div>

--0000000000007985bc05a586bdf6--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Grant Taylor@gtaylor@tnetconsulting.net to bind-users on Wed May 13 13:49:36 2020

From Newsgroup: comp.protocols.dns.bind

This is a cryptographically signed message in MIME format.

--------------ms040909050407040108060207
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 5/13/20 6:29 AM, Bob Harold wrote:

Your ACL looks right.=C2=A0 I think Ben has the key - Windows uses GSS-=

TSIG,=20

not regular TSIG.=C2=A0 Not sure how or if that can be solved.

I would bet someone a coffee and doughnut that it can.

Check out Jan-Piet Mens' article:

Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos
-=20 https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerb= eros/

--=20
Grant. . . .
unix || die

--------------ms040909050407040108060207
Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC CzkwggUhMIIECaADAgECAhA53zcXtFD9dENby64EqrKqMA0GCSqGSIb3DQEBCwUAMIGWMQsw CQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxm b3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENs aWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBMB4XDTE5MTExOTAwMDAw MFoXDTIwMTExODIzNTk1OVowKzEpMCcGCSqGSIb3DQEJARYaZ3RheWxvckB0bmV0Y29uc3Vs dGluZy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwIZcEJcuE7mUfxJnD I8oOSX/TvAhoP11agD++8L7Ok8fFJhJK0lOVRsq1M6lF2E2Vzuyffg2ppbecWvHcIRadsaiG imnrJQasdkhj/JUtqPUXnC0SVA0AzYLrLReQB+9j/jTgB5JnFLyC2lEn9KTA6JmDGjvVkv2T k+I2+v24nI4/2lGjD+jIKQiFXkE1uqablXJAw1c9Mh9d4/wjnIM9zLGv1i3xxOLdQ1PXSUZL 12wOy1r7CsGAnNSNhGaceB2tdhdleFEyIHgSgDWtWResHdu/ubZqFiHxaLRJlafOHMj3yC6x NOA1IdcNJsaRkQHxSkayKzeE5JK3TxlV83dbAgMBAAGjggHTMIIBzzAfBgNVHSMEGDAWgBQJ wPL8C9qU21/+K9+omULPyeCtADAdBgNVHQ4EFgQUU6bXebmKM+efFHN0MBjYuJO9Za8wDgYD VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUF BwMCMEAGA1UdIAQ5MDcwNQYMKwYBBAGyMQECAQEBMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8v c2VjdGlnby5jb20vQ1BTMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuc2VjdGlnby5j b20vU2VjdGlnb1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcmww gYoGCCsGAQUFBwEBBH4wfDBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5zZWN0aWdvLmNvbS9T ZWN0aWdvUlNBQ2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFpbENBLmNydDAjBggr BgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wJQYDVR0RBB4wHIEaZ3RheWxvckB0 bmV0Y29uc3VsdGluZy5uZXQwDQYJKoZIhvcNAQELBQADggEBADOWdJFXVQvdVPUy4ChriEyS 3wiEdWmLb3CGko4ps7uXgHoCk0V9oU38LjKTrcm/KOhLhBh2Wz3LxirbtgTP+YxpgkPxDEWO ee/o/TiLhVrTLiqZJIwjlZmY1lTmHuoXWQK3M0MJZYVrGgMJgQg0/+mZkRlEa67N4WETh7MH rKglv3HHy3LeU835KA8cpMxRbDvPiA8wdKHWgrl4LXOJKtI8rgmMJxUOCQdgI6DSEo/yYve0 /TxLLBlWAhve7e+/aYjKn3V5CpNOmqkRi7V2d6ZJ+RMQrJDtqitQAkzq8cH+CSTGagHzAxQp e00hH+aVwNioyaoNBezCCLirOjVdlFIwggYQMIID+KADAgECAhBNlCwQ1DvglAnFgS06KwZP MA0GCSqGSIb3DQEBDAUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEU MBIGA1UEBxMLSmVyc2V5IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEu MCwGA1UEAxMlVVNFUlRydXN0IFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xODEx MDIwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExp bWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQg U2VjdXJlIEVtYWlsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyjztlApB /975Rrno1jvm2pK/KxBOqhq8gr2+JhwpKirSzZxQgT9tlC7zl6hn1fXjSo5MqXUfItMltrMa XqcESJuK8dtK56NCSrq4iDKaKq9NxOXFmqXX2zN8HHGjQ2b2Xv0v1L5Nk1MQPKA19xeWQcpG EGFUUd0kN+oHox+L9aV1rjfNiCj3bJk6kJaOPabPi2503nn/ITX5e8WfPnGw4VuZ79Khj1YB rf24k5Ee1sLTHsLtpiK9OjG4iQRBdq6Z/TlVx/hGAez5h36bBJMxqdHLpdwIUkTqT8se3ed0 PewDch/8kHPo5fZl5u1B0ecpq/sDN/5sCG52Ds+QU5O5EwIDAQABo4IBZDCCAWAwHwYDVR0j BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFAnA8vwL2pTbX/4r36iZQs/J 4K0AMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdJQQWMBQGCCsG AQUFBwMCBggrBgEFBQcDBDARBgNVHSAECjAIMAYGBFUdIAAwUAYDVR0fBEkwRzBFoEOgQYY/ aHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRo b3JpdHkuY3JsMHYGCCsGAQUFBwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2Vy dHJ1c3QuY29tL1VTRVJUcnVzdFJTQUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRw Oi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQBBRHUAqznCFfXejpVt MnFojADdF9d6HBA4kMjjsb0XMZHztuOCtKF+xswhh2GqkW5JQrM8zVlU+A2VP72Ky2nlRA1G wmIPgou74TZ/XTarHG8zdMSgaDrkVYzz1g3nIVO9IHk96VwsacIvBF8JfqIs+8aWH2PfSUrN xP6Ys7U0sZYx4rXD6+cqFq/ZW5BUfClN/rhk2ddQXyn7kkmka2RQb9d90nmNHdgKrwfQ49mQ 2hWQNDkJJIXwKjYA6VUR/fZUFeCUisdDe/0ABLTI+jheXUV1eoYV7lNwNBKpeHdNuO6Aacb5 33JlfeUHxvBz9OfYWUiXu09sMAviM11Q0DuMZ5760CdO2VnpsXP4KxaYIhvqPqUMWqRdWyn7 crItNkZeroXaecG03i3mM7dkiPaCkgocBg0EBYsbZDZ8bsG3a08LwEsL1Ygz3SBsyECa0waq 4hOf/Z85F2w2ZpXfP+w8q4ifwO90SGZZV+HR/Jh6rEaVPDRF/CEGVqR1hiuQOZ1YL5ezMTX0 ZSLwrymUE0pwi/KDaiYB15uswgeIAcA6JzPFf9pLkAFFWs1QNyN++niFhsM47qodx/PL+5jR 87myx5uYdBEQkkDc+lKB1Wct6ucXqm2EmsaQ0M95QjTmy+rDWjkDYdw3Ms6mSWE3Bn7i5Zgt wCLXgAIe5W8mybM2JzGCBDIwggQuAgEBMIGrMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMS R3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdv IExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBh bmQgU2VjdXJlIEVtYWlsIENBAhA53zcXtFD9dENby64EqrKqMA0GCWCGSAFlAwQCAQUAoIIC VzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDA1MTMxOTQ5 MzZaMC8GCSqGSIb3DQEJBDEiBCBCS1NvBxL22yOJbWtCMSh4Y6bC5rSBC5t9BxUHUkBbVDBs BgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcw DgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEo MIG8BgkrBgEEAYI3EAQxga4wgaswgZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVy IE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRl ZDE+MDwGA1UEAxM1U2VjdGlnbyBSU0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1 cmUgRW1haWwgQ0ECEDnfNxe0UP10Q1vLrgSqsqowgb4GCyqGSIb3DQEJEAILMYGuoIGrMIGW MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdT YWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNB IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhA53zcXtFD9dENb y64EqrKqMA0GCSqGSIb3DQEBAQUABIIBAA91/mXugly2SFw6qwyBgBiriyQt706dwt4vXA0s EZHAyj5uBCLbQwUmUf1IXh+lLFG/pK5nYlnW1qeYdrqTjvt3RRElNAhhQiCr0mdCAKtQRmYf F2uG9sTqR4I1UhJ42WcJdUuRXPhAJ+ktRNWZBhTnxAF8+qONl2ELeBRXuLtmdY6gIv+MCQWY wDDYmGa2Jj8Bb2U3sJUeBVoFXqBH0qCnV1L0ClcJhRz87E6XZADwaX3ro0P7SCXQUm/Fe5Yh VQc3+0y7YHV8WM0kZmXo49BY9U9Z9lKmSRVyN89ZV3YVRF1d4N3VCZrr82OF2Qhx2hBbiGCs hJKv1et7DJK2hb4AAAAAAAA=
--------------ms040909050407040108060207--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Bob Harold@rharolde@umich.edu to Grant Taylor on Wed May 13 16:06:53 2020

From Newsgroup: comp.protocols.dns.bind

--000000000000bb318a05a58d1ff9
Content-Type: text/plain; charset="UTF-8"

On Wed, May 13, 2020 at 3:49 PM Grant Taylor via bind-users < bind-users@lists.isc.org> wrote:

On 5/13/20 6:29 AM, Bob Harold wrote:

Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG,
not regular TSIG. Not sure how or if that can be solved.

I would bet someone a coffee and doughnut that it can.

Check out Jan-Piet Mens' article:

Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos
-

https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/

--
Grant. . . .
unix || die

Thanks for the link. Lots of pieces to get working there. Not nearly as simple as TSIG. But good if you are already using Kerberos.

--
Bob Harold

--000000000000bb318a05a58d1ff9
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><div class=3D"gmail_quote"><div=
dir=3D"ltr" class=3D"gmail_attr">On Wed, May 13, 2020 at 3:49 PM Grant Tay= lor via bind-users <<a href=3D"mailto:bind-users@lists.isc.org">bind-use= rs@lists.isc.org</a>> wrote:<br></div><blockquote class=3D"gmail_quote" = style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pa= dding-left:1ex">On 5/13/20 6:29 AM, Bob Harold wrote:<br>
> Your ACL looks right.=C2=A0 I think Ben has the key - Windows uses GSS= -TSIG, <br>
> not regular TSIG.=C2=A0 Not sure how or if that can be solved.<br>

I would bet someone a coffee and doughnut that it can.<br>

Check out Jan-Piet Mens' article:<br>

Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos<br>
=C2=A0 - <br>
<a href=3D"https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig= -and-kerberos/" rel=3D"noreferrer" target=3D"_blank">https://jpmens.net/201= 2/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/</a><br>

-- <br>
Grant. . . .<br>
unix || die<br></blockquote><div><br></div><div>Thanks for the link.=C2=A0 = Lots of pieces to get working there.=C2=A0 Not nearly as simple as TSIG.=C2= =A0 But good if you are already using Kerberos.</div><div><br></div><div>--= =C2=A0</div><div>Bob Harold</div><div>=C2=A0</div></div></div>

--000000000000bb318a05a58d1ff9--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Paul Ebersman@list-bind-users@dragon.net to Bob Harold on Wed May 13 16:35:02 2020

From Newsgroup: comp.protocols.dns.bind

rharolde> Thanks for the link. Lots of pieces to get working there. Not rharolde> nearly as simple as TSIG. But good if you are already using
rharolde> Kerberos.

MS active directory is kerberos under the hood. You don't need to run a
classic mit/hesiod KDC to get GSS-TSIG to work. But it is cryptic and a
pain.
--- Synchronet 3.18a-Linux NewsLink 1.113

From Pete Fry@cadel2010@googlemail.com to Bob Harold on Thu May 14 09:00:21 2020

From Newsgroup: comp.protocols.dns.bind

--0000000000004bab1805a597173b
Content-Type: text/plain; charset="UTF-8"

Bob

after a few wireshark sessions etc we have identified this issue is due to
NAT from one of the sites we are sorting this out now and hopefully it
should fix

thanks for your help

On Wed, 13 May 2020 at 13:30, Bob Harold <rharolde@umich.edu> wrote:

On Wed, May 13, 2020 at 3:20 AM Pete Fry <cadel2010@googlemail.com> wrote:

Bob
thanks for the reply and the correction ( the acl dones't have a ! it was
a cut and paste error when i was trying to remove some information.

the TSIG works when from other linux machine via nsupdate etc, however
i'm trying to figure out how to get the windows machines to do the same and >> was trying to follow this

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-
allow-update

Regards

Pete

Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG,
not regular TSIG. Not sure how or if that can be solved.

--
Bob Harold

On Tue, 12 May 2020 at 13:40, Bob Harold <rharolde@umich.edu> wrote:

On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
bind-users@lists.isc.org> wrote:

All

I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.

we have

site 1
hostA

site 2
hostB

We have a HArecord, and we want HostA or HostB to be able to update the >>>> HArecord (i.e. failover cluster type configuration)

config:
Zone file:

zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};

lists.conf

acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};

For testing purposes, start with a simpler acl, like:

acl dynamic-TEST-tsig {
key TEST-key;
};

And see if that works.

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

"acl !" seems wrong to me. Is that a legal syntax? And if so, what
does it mean?

--
Bob Harold

however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?

happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank

Regards

Cade

--0000000000004bab1805a597173b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Bob<div><br></div><div>after a few wireshark sessions etc =
we have identified=C2=A0this issue=C2=A0is due to NAT from one of the sites=
we are sorting this out now and hopefully it should fix</div><div><br></di= v><div>thanks for your help</div></div><br><div class=3D"gmail_quote"><div = dir=3D"ltr" class=3D"gmail_attr">On Wed, 13 May 2020 at 13:30, Bob Harold &= lt;<a href=3D"mailto:rharolde@umich.edu">rharolde@umich.edu</a>> wrote:<= br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8e= x;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"= ><div dir=3D"ltr"><br></div><div class=3D"gmail_quote"><div dir=3D"ltr" cla= ss=3D"gmail_attr">On Wed, May 13, 2020 at 3:20 AM Pete Fry <<a href=3D"m= ailto:cadel2010@googlemail.com" target=3D"_blank">cadel2010@googlemail.com<= /a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><= div dir=3D"ltr">Bob<div>thanks for the reply and the correction ( the acl d= ones't=C2=A0have a ! it was a cut and paste error when i was trying to = remove some information.</div><div><br></div><div>the TSIG works when from = other linux machine via nsupdate etc, however i'm trying to figure out = how to get the windows machines to do the same and was trying to follow thi= s</div><div><br></div><div><code><span>http</span>://<span>serverfault</spa= n>.<span>com</span>/<span>questions</span>/<span>376578</span>/<span>bind9<= /span>-<span>combining</span>-<span>key</span>-<span>and</span>-<span>acl</= span>-<span>for</span>-<span>allow</span>-<span>update</span></code>=C2=A0<= /div><div><br></div><div>Regards</div><div><br></div><div>Pete=C2=A0</div><= /div></blockquote><div><br></div><div><br></div><div>Your ACL looks right.= =C2=A0 I think Ben has the key - Windows uses GSS-TSIG, not regular TSIG.= =C2=A0 Not sure how or if that can be solved.</div><div><br></div><div>--= =C2=A0</div><div>Bob Harold</div><div><br></div><div>=C2=A0</div><blockquot=
e class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px s= olid rgb(204,204,204);padding-left:1ex"><div class=3D"gmail_quote"><div dir= =3D"ltr" class=3D"gmail_attr">On Tue, 12 May 2020 at 13:40, Bob Harold <=
<a href=3D"mailto:rharolde@umich.edu" target=3D"_blank">rharolde@umich.edu<= /a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><= div dir=3D"ltr"><div dir=3D"ltr"><br></div><div class=3D"gmail_quote"><div = dir=3D"ltr" class=3D"gmail_attr">On Tue, May 12, 2020 at 5:57 AM Pete Fry v=
ia bind-users <<a href=3D"mailto:bind-users@lists.isc.org" target=3D"_bl= ank">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class=3D"= gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20= 4,204,204);padding-left:1ex"><div dir=3D"ltr">All<div><br></div><div>I'=
ve inherited a BIND environment=C2=A0and i'm trying to understand a few=
things as currently we are experiences an issue related to DDNS.</div><div= ><br></div><div>we have=C2=A0</div><div><br></div><div>site 1</div><div><di=
v style=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui= ,"Apple Color Emoji","Segoe UI Emoji",sans-serif;font-s= ize:14px">hostA</div><div style=3D"box-sizing:border-box;font-family:"= Segoe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji= ",sans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border= -box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&quo= t;,"Segoe UI Emoji",sans-serif;font-size:14px">site 2</div><div s= tyle=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&q= uot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size= :14px">hostB</div><div style=3D"box-sizing:border-box;font-family:"Seg=
oe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&qu= ot;,sans-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-bo= x;font-family:"Segoe UI",system-ui,"Apple Color Emoji",= "Segoe UI Emoji",sans-serif;font-size:14px">We have a HArecord, a=
nd we want HostA or HostB to be able to update the HArecord=C2=A0(i.e. fail= over cluster type configuration)</div></div><div style=3D"box-sizing:border= -box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&quo= t;,"Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div sty= le=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&quo= t;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:1= 4px">config:</div><div style=3D"box-sizing:border-box;font-family:"Seg=
oe UI",system-ui,"Apple Color Emoji","Segoe UI Emoji&qu= ot;,sans-serif;font-size:14px">Zone file:</div><div style=3D"box-sizing:bor= der-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&= quot;,"Segoe UI Emoji",sans-serif;font-size:14px"><br></div><div = style=3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,&= quot;Apple Color Emoji","Segoe UI Emoji",sans-serif;font-siz= e:14px">zone "TEST" {<br>=C2=A0 =C2=A0 check-names ignore;<br>=C2= =A0 =C2=A0 type master;<br>=C2=A0 =C2=A0 file "/var/named/dynamic/TEST= ";<br>=C2=A0 =C2=A0 allow-update {<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 auth= -dns;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 dynamic-TEST;<br>=C2=A0 =C2=A0 };<br>}= ;<br></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI&q= uot;,system-ui,"Apple Color Emoji","Segoe UI Emoji",san= s-serif;font-size:14px"><br></div><div style=3D"box-sizing:border-box;font-= family:"Segoe UI",system-ui,"Apple Color Emoji","S= egoe UI Emoji",sans-serif;font-size:14px">lists.conf</div><div style= =3D"box-sizing:border-box;font-family:"Segoe UI",system-ui,"= Apple Color Emoji","Segoe UI Emoji",sans-serif;font-size:14p= x"><br></div><div style=3D"box-sizing:border-box;font-family:"Segoe UI= ",system-ui,"Apple Color Emoji","Segoe UI Emoji",s= ans-serif;font-size:14px">acl dynamic-update-ads { <br>=C2=A0 =C2=A0192.168=
.2.1 // hostA<br>=C2=A0 =C2=A0192.168.5.1 // hostB <br>=C2=A0 =C2=A0dynami=
c-TEST-tsig; <br>};<br></div><div style=3D"box-sizing:border-box;font-famil= y:"Segoe UI",system-ui,"Apple Color Emoji","Segoe =
UI Emoji",sans-serif;font-size:14px"><br></div><div style=3D"box-sizin= g:border-box;font-family:"Segoe UI",system-ui,"Apple Color E= moji","Segoe UI Emoji",sans-serif;font-size:14px">acl dynami= c-TEST-tsig {<br>=C2=A0 =C2=A0// any host which is not..<br>=C2=A0 =C2=A0!{= <br>=C2=A0 =C2=A0 =C2=A0 // not in the new acls<br>=C2=A0 =C2=A0 =C2=A0 !dy= namic-test-site1;<br>=C2=A0 =C2=A0 =C2=A0 !dynamic-test-site2;<br>=C2=A0 = =C2=A0 =C2=A0 any;<br>=C2=A0 =C2=A0};<br>=C2=A0 =C2=A0// but has the key<br= >=C2=A0 =C2=A0key TEST-key;<br>};<br></div></div></blockquote><div><br></di= v><div>For testing purposes, start with a simpler acl, like:<br></div><div>= <br></div><div>acl dynamic-TEST-tsig {<br></div><div>=C2=A0 =C2=A0key TEST-= key;<br>};<br></div><div><br></div><div>And see if that works.</div><div>= =C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0= .8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"l= tr"><div style=3D"box-sizing:border-box;font-family:"Segoe UI",sy= stem-ui,"Apple Color Emoji","Segoe UI Emoji",sans-serif= ;font-size:14px"><br>acl !dynamic-test-site1 {<br> <a href=3D"http://192.16=
8.2.1/32" target=3D"_blank">192.168.2.1/32</a>; // HostA<br>};<br><br>acl != dynamic-test-site2 {<br> <a href=3D"http://192.168.5.1/32" target=3D"_blank=
">192.168.5.1/32</a>; // HostB<br>};<br></div><div style=3D"box-sizing:bord= er-box;font-family:"Segoe UI",system-ui,"Apple Color Emoji&q= uot;,"Segoe UI Emoji",sans-serif;font-size:14px"><pre lang=3D"con= f"><span id=3D"gmail-m_-160562985105215484gmail-m_1799513623007707470gmail-= m_-4701656668234550113gmail-m_2062855817749687786gmail-LC155" lang=3D"conf"= ></span></pre></div></div></blockquote><div><br></div><div>"acl !&quot=
; seems wrong to me.=C2=A0 Is that a legal syntax?=C2=A0 And if so, what do=
es it mean?</div><div><br></div><div>--=C2=A0</div><div>Bob Harold</div><di= v>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px=
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D= "ltr"><div style=3D"box-sizing:border-box;font-family:"Segoe UI",= system-ui,"Apple Color Emoji","Segoe UI Emoji",sans-ser= if;font-size:14px"><pre lang=3D"conf"></pre><pre lang=3D"conf">however thes=
e windows machines keep saying bad key, I know i'm missing something ob= vious but how do i get this to work?</pre><pre lang=3D"conf">happy to be ab=
le to give the key to the windows boxes if anyone knows but i'm drawing=
a blank</pre><pre lang=3D"conf">Regards</pre><pre lang=3D"conf">Cade</pre>= </div></div></blockquote><div>=C2=A0</div></div></div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div>

--0000000000004bab1805a597173b--
--- Synchronet 3.18a-Linux NewsLink 1.113

Who's Online
Recent Visitors
- Microbot
  Sat Aug 23 00:05:56 2025
  from Moore, Ok via Telnet
- Noozle
  Fri Aug 22 11:07:42 2025
  from Noozle City via Telnet
- Microbot
  Fri Aug 22 01:53:59 2025
  from Moore, Ok via Telnet
- Microbot
  Thu Aug 21 03:21:53 2025
  from Moore, Ok via Telnet

System Info

Sysop:	DaiTengu
Location:	Appleton, WI
Users:	1,064
Nodes:	10 (0 / 10)
Uptime:	150:01:44
Calls:	13,691
Calls today:	1
Files:	186,936
D/L today:	438 files (115M bytes)
Messages:	2,410,972

TSIG DDNS and windows clients

Who's Online

Recent Visitors

System Info