Slave DHCP and DynamicDNS can't update record

[nyu]

Hi all,

I setup 2 servers for DHCP and DDNS failover. But I see only Master DNS can update to db. file. When I disconnect Master, the Slave can release new IP to client but can't update record to db. file.
Error:

Code:

bdc named[878]: client 192.168.100.2#36203: signer "rndc-key" denied
Nov 28 22:42:22 bdc named[878]: client 192.168.100.2#36203: update forwarding 'systeminteg.com/IN' denied

Help me!!!.
Many thanks for any advance!!


I edit apparmor already for all DHCP and Bind

Code:

usr.sbin.dhcpd3
/etc/bind/ rw,
/etc/bind/** rw,

Code:

usr.sbin.named
/etc/bind/ rw,
/etc/bind/** rw,

This is my conf file


DHCP
Master:

Code:

include "/etc/dhcp3/dhcpd.failover";
include "/etc/dhcp3/dhcpd.ltspboot";
include "/etc/dhcp3/dhcpd.reserved";
include "/etc/dhcp3/dhcpd.subnet";
include "/etc/bind/rndc.key";


default-lease-time              521600;
max-lease-time                  521600;
ddns-update-style               interim;
ddns-domainname                 "systeminteg.com.";
ddns-rev-domainname             "in-addr.arpa.";
allow                           booting;
allow                           bootp;
ignore                          client-updates;
authoritative;

zone systeminteg.com. {
        primary 127.0.0.1;
        key rndc-key;
}


option subnet-mask              255.255.255.0;
option broadcast-address        192.168.100.255;
option routers                  192.168.100.14;
option domain-name-servers      192.168.100.1, 192.168.100.2;
option domain-name              "systeminteg.com";
option ip-forwarding            off;
option option-128 code 128 =    string;
option option-129 code 129 =    text;
option option-221 code 221 =    text;
use-host-decl-names             on;
#option log-servers             192.168.100.x;
log-facility                    local7;

zone systeminteg.com. {
        primary 192.168.100.1;
        key rndc-key;
}

zone 100.168.192.in-addr.arpa. {
        primary 192.168.100.1;
        key rndc-key;
}

Slave:

Code:

include "/etc/dhcp3/dhcpd.failover";
include "/etc/dhcp3/dhcpd.ltspboot";
include "/etc/dhcp3/dhcpd.reserved";
include "/etc/dhcp3/dhcpd.subnet";
include "/etc/bind/rndc.key";


default-lease-time              521600;
max-lease-time                  521600;
ddns-update-style               interim;
ddns-domainname                 "systeminteg.com.";
ddns-rev-domainname             "in-addr.arpa.";
allow                           booting;
allow                           bootp;
ignore                          client-updates;
authoritative;

zone systeminteg.com. {
        primary 127.0.0.1;
        key rndc-key;
}


option subnet-mask              255.255.255.0;
option broadcast-address        192.168.100.255;
option routers                  192.168.100.14;
option domain-name-servers      192.168.100.1, 192.168.100.2;
option domain-name              "systeminteg.com";
option ip-forwarding            off;
option option-128 code 128 =    string;
option option-129 code 129 =    text;
option option-221 code 221 =    text;
use-host-decl-names             on;
#option log-servers             192.168.100.x;
log-facility                    local7;

zone systeminteg.com. {
        primary 192.168.100.2;
        key rndc-key;
}

zone 100.168.192.in-addr.arpa. {
        primary 192.168.100.2;
        key rndc-key;
}

Bind9
Master:
named.conf.options

Code:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        forwarders {
                8.8.8.8;
                8.8.2.2;
        };

        recursion yes;

        version "REFUSED";

        allow-recursion {
                127.0.0.1;
                192.168.100.0/24;
        };

        allow-query {
                127.0.0.1;
                192.168.100.0/24;
        };

};

controls {
        inet 127.0.0.1 allow { localhost; 192.168.100.1; 192.168.100.2; } keys { "rndc-key";};
};

named.conf.local

Code:

include "/etc/bind/rndc.key";

zone "systeminteg.com" in {
        type master;
        file "/etc/bind/db.systeminteg.com";
        allow-update { key "rndc-key";};
        allow-transfer { 192.168.100.2;};
        notify yes;
};

zone "100.168.192.in-addr.arpa" in {
        type master;
        file "/etc/bind/db.100.168.192";
        allow-update { key "rndc-key";};
        allow-transfer { 192.168.100.2;};
        notify yes;
};

Slave
named.conf.options

Code:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        forwarders {
                8.8.8.8;
                8.8.2.2;
        };

        recursion yes;

        version "REFUSED";

        allow-recursion {
                127.0.0.1;
                192.168.100.0/24;
        };

        allow-query {
                127.0.0.1;
                192.168.100.0/24;
        };

};

controls {
        inet 127.0.0.1 allow { localhost; 192.168.100.1; 192.168.100.2; } keys { "rndc-key";};
};

named.conf.local

Code:

include "/etc/bind/rndc.key";

zone "systeminteg.com" in {
        type slave;
        masters { 192.168.100.1; };
        file "/etc/bind/db.systeminteg.com";
};

zone "100.168.192.in-addr.arpa" in {
        type slave;
        masters { 192.168.100.1; };
        file "/etc/bind/db.100.168.192";
};

[nyu]

Any comment???

Regards.