I have the following zone definition:
zone "madetoorder.software" {
    type master;
    file "/var/lib/bind/example.com.zone";
    allow-transfer { trusted-servers; };
    check-names warn;
    update-policy {
        grant local-ddns zonesub any;
        grant letsencrypt_wildcard. name _acme-challenge.example.com. txt;
    };
    max-journal-size 2M;
};
As shown, it is expected to allow me to add and remove sub-domains (a.k.a. foo.example.com) using nsupdate. I tried the following but I'm getting a NOTAUTH error:
$ sudo nsupdate
> local 165.232.146.181
> zone madetoorder.software
> update delete ve-vlc.madetoorder.software.
> send
NOTAUTH
> update add ve-vlc.madetoorder.software. 60 A 165.232.146.181
> send
NOTAUTH
> quit
As we can see, the send command fails with a NOTAUTH.
I know the local-ddns key is loaded successfully, since when I try without sudo I get the following error:
$ nsupdate -l
19-Apr-2022 21:50:16.831 open: //run/named/session.key: permission denied
can't read key from //run/named/session.key: permission denied
Looking at the file, it does look like a valid key. Just as expected.
Also, the letsencrypt changes to a TXT field work as expected. So what is wrong in:
grant local-ddns zonesub any
Note: As shown in the zone definition, the .zone file is under /var/lib/bind. The directory is owned by root:bind with permissions -rwxrwxr-x. The file itself has permissions -rw-------. So named (which runs as bind) has access to the files.
I found a solution to my issue.
I restarted named. I'm not too sure what is happening. It looks like it is running:
But I can't access anything. It took me a little time to notice that the system was actually dead.
When I test using
dig @ns1.example.com www.example.com
it fails when it's in that state. Yet the UDP port is open and, as shown above, the status says OKAY (the bullet point is green in my console). I hope this helps someone else because it is a strange state.