Linux – BIND9: Combining key and ACL for allow-update

bindlinux

I have set up a BIND 9 server and configured cryptographic keys in order to allow updates from a client. Now in my named.conf, I have set the following:

allow-update { key dns1.example.org.; };

This works and I can perform updates (add, delete zone records) from my client (nsupdate command).

I am wondering if I can combine it with an ACL. Basically I want that the client needs the correct key, but also must come from a certain subnet or IP address. Can I do this somehow? I failed to find anything about that scenario in the docs.

Best Answer

Alcs are first match. If you exclude the addresses you want, you can reject all non matching addresses using any; then check that the key matches.

   allow-update { !{ !allowed; any; }; key keyname; };

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Looking at the IP addresses in your resolv.conf I get the feeling that your BIND server is on 192.168.1.52. As far as I can tell, you can't specify in resolv.conf something like "for these domains, use this name server". Basically, your BIND server will never be queried. As you can see in your dig lookup (which is incorrect, it is asking for a reverse DNS entry), it tries 80.58.0.33, which I assume is your provider's DNS server.

You already set up BIND as caching nameserver by using the 'forwarders' option, so what you need to do is have only 192.168.1.52 in the client PCs as nameserver.

To see if your BIND is configured correctly, try this:

dig example.test @192.168.1.52

Setting up bind to work with nsupdate (SERVFAIL)

I had pretty much exactly the same issue on an Ubuntu server and it turned out to be two problems:

(1) apparmor

I don't know if the same is true for Debian, but on Ubuntu bind9 is run with apparmor enabled. This means it is only allowed to write to certain places. The places are listed in /etc/apparmor.d/usr.sbin.named, and it is generally advisable to stay within these directories. You can install the apparmor-utils package and (temporarily) disable apparmor for bind to see if this causes your issue:

sudo aa-status

should show /usr/sbin/named in the list of enforced profiles. Then run

sudo aa-complain /usr/sbin/named

to put it into complain mode.

(2) zone file

Almost no manual/tutorial mentions this, but bind9 expects an (pre-)existing zone file to work properly. The end of file error could be caused by the fact that zone file doesn't exist yet (/etc/bind/primary/example.com and /etc/bind/primary/sub.example.com in your example). You can simply create one like this:

echo "; DO NOT EDIT MANUALLY - use the \"nsupdate\" utility to prevent data loss
;
\$ORIGIN example.com.
\$TTL 86400  ; 1 day
@    IN SOA  ns1.example.com. hostmaster.example.com. (
       2009074711 ; serial
       7200       ; refresh (2 hours)
       300        ; retry (5 minutes)
       604800     ; expire (1 week)
       60         ; minimum (1 minute)
       )
   IN  NS  ns1.example.com.
ns1    IN  A  <IP of your bind server>" | sudo -u bind tee /etc/bind/primary/example.com

Best Answer

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Setting up bind to work with nsupdate (SERVFAIL)

Related Topic