I am using the nsupdate command to update a zone, but I receive the error message "update failed: REFUSED". I created the key using "rndc-confgen -a -c /etc/remote_rndc_key".
My named.conf is as follows:
options {
listen-on port 53 { 9.82.159.110; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
allow-update {key remote_rndc_key; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
pid-file "/run/named/named.pid";
};
logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/remote_rndc_key";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "test.com" IN {
type master;
file "test.com.zone";
};
zone "82.9.in-addr.arpa" IN {
type master;
file "test.com.local";
};
key "remote_rndc_key" {
algorithm hmac-md5;
secret "lWB9P5pwaqO3FEb7GsFZkw==";
};
controls {
inet 9.82.159.110 port 953
allow { 9.82.224.110; } keys { "remote_rndc_key"; };
};
/etc/remote_rndc_key:
key "rndc-key" {
algorithm hmac-md5;
secret "lWB9P5pwaqO3FEb7GsFZkw==";
};
/var/named/test.com.zone:
$TTL 1D
@ IN SOA ns1 rname.invalid. (
2019062901 ; serial
5M ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1
ns1 IN A 9.82.159.110
www IN A 9.82.100.100
Using nsupdate:
[root@localhost tmp]# nsupdate -v -d -k ./remote_rndc_key
Creating key...
Creating key...
namefromtext
keycreate
> server 9.82.159.110
> update add ftps.test.com 600 A 1.1.1.2
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40666
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;ftps.test.com. IN SOA
;; AUTHORITY SECTION:
test.com. 0 IN SOA ns1.test.com. rname.invalid. 2019062901 300 3600 604800 10800
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1649854961 300 16 MFdWnAJcNEQ17QovaBmzTw== 40666 NOERROR 0
Found zone name: test.com
The master is: ns1.test.com
Sending update to 9.82.159.110#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 59745
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
ftps.test.com. 600 IN A 1.1.1.2
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1649854961 300 16 vJjzs0bT4QxHW40mL/MT7g== 59745 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 59745
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;test.com. IN SOA
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1649854961 300 16 FAcO+t5JUdOJdC1mRuHNeA== 59745 NOERROR 0
The named server log is as below:
[root@localhost named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-04-13 20:36:14 CST; 29min ago
Process: 3371415 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, >
Process: 3371418 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 3371421 (named)
Tasks: 35
Memory: 88.8M
CGroup: /system.slice/named.service
└─3371421 /usr/sbin/named -u named -c /etc/named.conf
Apr 13 20:36:32 localhost.localdomain named[3371421]: client @0x7ff1f0108770 9.82.224.110#59471/key rndc-key: signer "rndc-key" denied
What can be the reason?
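An added check, not part of the question above and not a BIND tool: named's log line `signer "rndc-key" denied` is what it reports when a TSIG signature verifies but that signer name is not granted by the zone's allow-update. The script below (my own, using constructed fragments that mirror the posted named.conf and key file with a placeholder secret) parses key definitions and ACL key references and reports whether a given signer is actually granted anywhere.

```python
import re

# Constructed fragments mirroring the posted named.conf and key file; the
# secret is a placeholder, not a real key.
NAMED_CONF = """
options {
    allow-update { key remote_rndc_key; };
};
key "remote_rndc_key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER_SECRET==";
};
controls {
    inet 9.82.159.110 port 953
    allow { 9.82.224.110; } keys { "remote_rndc_key"; };
};
"""
KEY_FILE = """
key "rndc-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER_SECRET==";
};
"""

KEY_DEF_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{')   # key "name" { ... }
ACL_KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;')    # key name; inside an ACL
KEYS_LIST_RE = re.compile(r'\bkeys\s*\{([^}]*)\}')       # keys { "a"; "b"; }

def defined_keys(*configs):
    """Names of every key block across the given config texts."""
    return {m.group(1) for text in configs for m in KEY_DEF_RE.finditer(text)}

def referenced_keys(*configs):
    """Key names that some ACL or keys-list actually grants."""
    refs = set()
    for text in configs:
        refs.update(ACL_KEY_RE.findall(text))
        for body in KEYS_LIST_RE.findall(text):
            refs.update(re.findall(r'"?([\w.-]+)"?\s*;', body))
    return refs

def check_signer(signer, *configs):
    """Return (defined_but_unreferenced, referenced_but_undefined, signer_granted).
    A key that is defined but never referenced in an ACL is the 'signer denied' case."""
    signer = signer.rstrip(".")          # TSIG names in logs carry a trailing dot
    defined = defined_keys(*configs)
    referenced = referenced_keys(*configs)
    return sorted(defined - referenced), sorted(referenced - defined), signer in (referenced & defined)

if __name__ == "__main__":
    print(check_signer("rndc-key.", NAMED_CONF, KEY_FILE))   # the signer from the log
```

Run against the real files by reading /etc/named.conf and every included key file and passing the signer name from the TSIG pseudosection or the named log.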