關于SEC DDNS,搜索過了，沒找到結果，有請大家了

davis1220

Dns and bind 有第5版了，http://www.bookpool.com/sm/0596100574，哪位兄弟有嗎？
搜索過了論壇，看到了http://www.72891.cn/viewthread.php?tid=557811&extra=page%3D4，沒人回答啊
系統(tǒng)信息：
Cat /etc/redhat-release：Red Hat Enterprise Linux AS release 4 (Nahant Update 3)
Uname –a：Linux ser-linux.hedaofu.com 2.6.9-34.EL #1 Fri Feb 24 16:44:51 EST 2006 i686 i686 i386 GNU/Linux
./configure –-prefix=/usr/local/named
BIND9.3.2＋系統(tǒng)自帶的DHCPD3.01

目的，將上面的機器做DNS服務器，域為hedaofu.com，同時做網絡內的DHCP服務器，要求DNS實現(xiàn)安全的更新（不要用allow-update，用update-policy語句）。
問題，dhcpd.conf及named.conf均配置了相同的key ddns，OK，現(xiàn)在所有通過DHCP分配到IP的機器都可以動態(tài)更新了，但現(xiàn)在需讓固定IP為172.28.11.5的服務器server也能更新(其實這臺機器是windows的DC，DNS指向BIND，需要在hedaofu.com中添加記錄)，update-policy該怎么寫？

上網找了很多資料，這是dns and bind ,4th edition中的示例：
Here's a more complicated example: to allow all clients the ability to change any records, except SRV records, that are owned by the same domain name as their key name, but to allow matrix.fx.movie.edu to update SRV records associated with Windows 2000 (in the _udp.fx.movie.edu, _tcp.fx.movie.edu, _sites.fx.movie.edu, and _msdcs.fx.movie.edu subdomains), you could use:

1. 
   
2. zone "fx.movie.edu" {
   
3.         type master;
   
4.         file "db.fx.movie.edu";
   
5.         update-policy {
   
6.                 deny *.fx.movie.edu. self *.fx.movie.edu. SRV;
   
7.                 grant *.fx.movie.edu. self *.fx.movie.edu. ANY;
   
8.                 grant matrix.fx.movie.edu. subdomain _udp.fx.movie.edu. SRV;
   
9.                 grant matrix.fx.movie.edu. subdomain _tcp.fx.movie.edu. SRV;
   
10.                 grant matrix.fx.movie.edu. subdomain _sites.fx.movie.edu. SRV;
    
11.                 grant matrix.fx.movie.edu. subdomain _msdcs.fx.movie.edu. SRV;
    
12.         };
    
13. };
    

復制代碼

我的named.conf，去掉了log部分

1. 
   
2. options {
   
3. directory "/var/named";
   
4. forwarders {202.96.134.133;
   
5.             202.96.128.68;
   
6.           };
   
7. };
   
8. 
   
9. key "rndc-key" {
   
10.       algorithm hmac-md5;
    
11.       secret "BF4xHsYD0WNejL0Ao9xD3g==";
    
12. };
    
13. 
    
14. controls {
    
15.       inet 127.0.0.1 port 953
    
16.               allow { 127.0.0.1; } keys { "rndc-key"; };
    
17. };
    
18. 
    
19. key ddns {
    
20.          algorithm hmac-md5;
    
21.          secret "+apzjjN89Rg6ed79Rkm7KTBwqQo3Pbu2M32b8uBvtdm0ppBXcCmuUG0BRNjmhOPwp01zemnr77y8Kvth9WLVxA==";
    
22.                };
    
23. 
    
24. zone "11.28.172.in-addr.arpa" IN {
    
25. type master;
    
26. file "172.28.11";
    
27. update-policy {
    
28.                 grant ddns wildcard *.11.28.172.in-addr.arpa. ANY;
    
29.                 grant 172.28.11.* self *.11.28.172.in-addr.arpa. ANY;
    
30.                 grant 172.28.11.5 name 11.28.172.in-addr.arpa. ANY;
    
31.               };
    
32. };
    
33. 
    
34. zone "hedaofu.com" IN {
    
35. type master;
    
36. file "hedaofu.com";
    
37. update-policy {
    
38.                 grant ddns wildcard *.hedaofu.com. ANY;
    
39.                 grant *.hedaofu.com. self *.hedaofu.com. ANY;
    
40.                 grant server.hedaofu.com. name hedaofu.com. ANY;
    
41.                 grant server.hedaofu.com. self server.hedaofu.com. ANY;
    
42.                 grant server.hedaofu.com. wildcard *.hedaofu.com. ANY;
    
43.               };
    
44. };
    

復制代碼

我的Dhcpd.conf:

1. 
   
2. ddns-updates                on;
   
3. ddns-update-style           interim;
   
4. ddns-domainname             "hedaofu.com.";
   
5. ddns-rev-domainname         "in-addr.arpa.";
   
6. allow                       client-updates;
   
7. 
   
8. next-server 172.28.11.2;
   
9. filename "mba.pxe";
   
10. 
    
11. option domain-name                "hedaofu.com.";
    
12. option domain-name-servers        172.28.11.2;
    
13. option ntp-servers                172.28.11.2;
    
14. option netbios-name-servers        172.28.11.2;
    
15. 
    
16. default-lease-time              43200;
    
17. max-lease-time                  86400;
    
18. authoritative;
    
19. 
    
20. log-facility local7;
    
21. 
    
22. key ddns {
    
23.          algorithm hmac-md5;
    
24.          secret "+apzjjN89Rg6ed79Rkm7KTBwqQo3Pbu2M32b8uBvtdm0ppBXcCmuUG0BRNjmhOPwp01zemnr77y8Kvth9WLVxA==";
    
25.        };
    
26. 
    
27. 
    
28. subnet 172.28.11.0 netmask 255.255.255.0 {
    
29.         range                                 172.28.11.200 172.28.11.210;
    
30.         option routers                        172.28.11.254;
    
31.         option broadcast-address        172.28.11.255;
    
32.         allow                           unknown-clients;
    
33. 
    
34. 
    
35.         zone hedaofu.com. {
    
36.          primary 127.0.0.1;
    
37.          key ddns;
    
38.         }
    
39. 
    
40.         zone 11.28.172.in-addr.arpa. {
    
41.          primary 127.0.0.1;
    
42.          key ddns;
    
43.         }
    

復制代碼

davis1220

[root@ser-linux ~]# tail /var/log/messages
May 21 14:31:35 ser-linux named[2185]: client 172.28.11.5#1345: update 'hedaofu.com/IN' denied
May 21 14:31:35 ser-linux named[2185]: client 172.28.11.5#1349: update 'hedaofu.com/IN' denied
May 21 14:31:35 ser-linux named[2185]: client 172.28.11.5#1353: update 'hedaofu.com/IN' denied
May 21 14:31:35 ser-linux named[2185]: client 172.28.11.5#1357: update 'hedaofu.com/IN' denied
May 21 14:31:35 ser-linux named[2185]: client 172.28.11.5#1361: update 'hedaofu.com/IN' denied
May 21 14:31:35 ser-linux named[2185]: client 172.28.11.5#1365: update 'hedaofu.com/IN' denied
May 21 14:31:35 ser-linux named[2185]: client 172.28.11.5#1369: update 'hedaofu.com/IN' denied
May 21 14:31:35 ser-linux named[2185]: client 172.28.11.5#1373: update 'hedaofu.com/IN' denied
May 21 14:31:35 ser-linux named[2185]: client 172.28.11.5#1377: update 'hedaofu.com/IN' denied
May 21 14:31:36 ser-linux named[2185]: client 172.28.11.5#1381: update 'hedaofu.com/IN' denied
[root@ser-linux ~]#

davis1220

沒辦法，我只能臨時用allow-update了。但AD的LOG里還是有一兩個報錯說無法添加記錄，多數(shù)記錄已添加成功。
也許是我水平不行。感覺在有AD的情況下還是應該用WINDOWS自己的DNS服務器。

另外，從WINDOWS上傳文件到LINUX上我用FileZilla，選擇SFTP　USING　SSH2，連FTP都不用配置，對剛開始接觸LINUX的朋友們應該有點用的,（想當初我弄得很復雜�。�。