
BIND nsupdate command refused error

Stack Overflow user
Asked 2022-04-13 13:11:00
2 answers, 619 views, 0 followers, 0 votes

I am updating a name zone with the nsupdate command, but I get the error message "update failed: REFUSED". I created the key using "rndc-confgen -a -c /etc/remote_rndc_key".

My named.conf is as follows:

options {
        listen-on port 53 { 9.82.159.110; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };
        allow-update {key remote_rndc_key; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        pid-file "/run/named/named.pid";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity debug 3;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/remote_rndc_key";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "test.com" IN {
        type master;
        file "test.com.zone";
};
zone "82.9.in-addr.arpa" IN {
        type master;
        file "test.com.local";
};
key "remote_rndc_key" {
        algorithm hmac-md5;
        secret "lWB9P5pwaqO3FEb7GsFZkw==";
};
controls {
        inet 9.82.159.110 port 953
                allow { 9.82.224.110; } keys { "remote_rndc_key"; };
 };

/etc/rndc_key:

key "rndc-key" {
        algorithm hmac-md5;
        secret "lWB9P5pwaqO3FEb7GsFZkw==";
};

/var/named/test.com.zone:

$TTL 1D
@       IN SOA  ns1  rname.invalid. (
                                        2019062901      ; serial
                                        5M      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1
ns1     IN A    9.82.159.110
www     IN A    9.82.100.100

Using nsupdate:

[root@localhost tmp]# nsupdate -v -d  -k  ./remote_rndc_key
Creating key...
Creating key...
namefromtext
keycreate
> server 9.82.159.110
> update add ftps.test.com 600 A 1.1.1.2
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  40666
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;ftps.test.com.                 IN      SOA

;; AUTHORITY SECTION:
test.com.               0       IN      SOA     ns1.test.com. rname.invalid. 2019062901 300 3600 604800 10800

;; TSIG PSEUDOSECTION:
rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1649854961 300 16 MFdWnAJcNEQ17QovaBmzTw== 40666 NOERROR 0

Found zone name: test.com
The master is: ns1.test.com
Sending update to 9.82.159.110#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  59745
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
ftps.test.com.          600     IN      A       1.1.1.2

;; TSIG PSEUDOSECTION:
rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1649854961 300 16 vJjzs0bT4QxHW40mL/MT7g== 59745 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  59745
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;test.com.                      IN      SOA

;; TSIG PSEUDOSECTION:
rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1649854961 300 16 FAcO+t5JUdOJdC1mRuHNeA== 59745 NOERROR 0

The named server log is as follows:

[root@localhost named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-04-13 20:36:14 CST; 29min ago
  Process: 3371415 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, >
  Process: 3371418 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 3371421 (named)
    Tasks: 35
   Memory: 88.8M
   CGroup: /system.slice/named.service
           └─3371421 /usr/sbin/named -u named -c /etc/named.conf

Apr 13 20:36:32 localhost.localdomain named[3371421]: client @0x7ff1f0108770 9.82.224.110#59471/key rndc-key: signer "rndc-key" denied

What is the cause?


2 answers

Stack Overflow user

Posted 2022-04-13 14:20:16

I confused the key name with the key file name:

/etc/remote_rndc_key:
key "rndc-key" {
        algorithm hmac-md5;
        secret "lWB9P5pwaqO3FEb7GsFZkw==";
};

It should be changed to:

key "remote_rndc_key" {
        algorithm hmac-md5;
        secret "lWB9P5pwaqO3FEb7GsFZkw==";
};

Votes: 0
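As an added example (not from the question or the answers), the check below expresses that fix in code: it reads the key name that nsupdate will sign with out of the file passed to `-k` and compares it with the zone's effective allow-update list, which is the mismatch behind the `signer "rndc-key" denied` log line above. The named.conf and key file are constructed stand-ins with a placeholder secret and a documentation IP; the rule that a zone-level allow-update overrides the options-level default is standard BIND behaviour.

```python
import re

# Constructed sample inputs modelled on the question (the secret is a placeholder):
# the file handed to `nsupdate -k` defines a key named "rndc-key", while the
# options-level allow-update list only trusts a key named "remote_rndc_key".
KEY_FILE = '''
key "rndc-key" {
        algorithm hmac-md5;
        secret "BASE64-SECRET-PLACEHOLDER==";
};
'''
NAMED_CONF = '''
options {
        listen-on port 53 { 192.0.2.1; };
        allow-update { key remote_rndc_key; };
};
zone "test.com" IN {
        type master;
        file "test.com.zone";
};
zone "example.net" IN {
        type master;
        file "example.net.zone";
        allow-update { key "zone-key"; };
};
'''

# Matches a zone or options block with at most one level of nested braces.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}', re.S)
OPTIONS_RE = re.compile(r'options\s*\{((?:[^{}]|\{[^{}]*\})*)\}', re.S)

def key_statement_names(text):
    """Names of the key "NAME" { ... } statements in a key file (the TSIG signer names)."""
    return re.findall(r'\bkey\s+"?([\w.-]+)"?\s*\{', text)

def allow_update_keys(block):
    """Key names in an allow-update { key NAME; ... } statement, or None if absent."""
    m = re.search(r'allow-update\s*\{([^}]*)\}', block)
    return None if m is None else re.findall(r'\bkey\s+"?([\w.-]+)"?\s*;', m.group(1))

def effective_update_keys(named_conf, zone):
    """Zone-level allow-update wins; otherwise fall back to the options-level list."""
    for name, body in ZONE_RE.findall(named_conf):
        if name == zone and allow_update_keys(body) is not None:
            return allow_update_keys(body)
    opts = OPTIONS_RE.search(named_conf)
    return (allow_update_keys(opts.group(1)) or []) if opts else []

def check_signer(named_conf, key_file, zone):
    """Return (accepted, signer, allowed); accepted is False when named would
    answer REFUSED and log 'signer "<name>" denied' for this key file and zone."""
    signers = key_statement_names(key_file)
    signer = signers[0] if signers else None
    allowed = effective_update_keys(named_conf, zone)
    return signer in allowed, signer, allowed
```

Running `check_signer(NAMED_CONF, KEY_FILE, "test.com")` reports the signer "rndc-key" against the allowed list ["remote_rndc_key"]; renaming the key statement to "remote_rndc_key" makes it pass.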

Stack Overflow user

Posted 2022-10-18 16:51:03

Today I ran into this error on my "hidden master" BIND DNS server and wasted several hours trying to find the cause of the failure.

In the end I got tired, tried again, and it worked.

So my advice is: try again; it may just be a glitch.

Votes: 0
Page content provided by Stack Overflow. Translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/71858072
