[Pdns-users] 3.4-rc1 with ddns, tsig and bind's allow-update-forwarding

Ruben d'Arco cyclops at prof-x.net
Fri Aug 22 08:07:56 UTC 2014


Hi Martin,

I'm running virtually the same config but do not have this issue.
Would it be possible for you to create a tcpdump/pcap file so I can replay the message on my end?

Just to be sure, the tsigkeys table should have 'hmac-md5' as algorithm.
Could you also tell us what version of dhcpd you're running?

Regards,
	Ruben


On Fri, Aug 22, 2014 at 03:03:16PM +0900, Martin Chandler wrote:
> Hi Ruben,
> 
> >Could you provide some logging from powerdns?
> >It should note/show what's it doing on that end...
> 
> I added the following to pdns.conf:
> loglevel=9
> log-dns-details=yes
> log-dns-queries=yes
> query-logging=yes
> 
> and this is all that pdns logs during the dhcp transaction:
> 
> Aug 22 14:58:50 ddnstest1 pdns[1246]: TCP Remote 127.0.0.1 wants
> 'example.com|SOA', do = 0, bufsize = 512: packetcache MISS
> Aug 22 14:58:50 ddnstest1 pdns[1246]: Query: select algorithm,
> secret from tsigkeys where name=E'ddns_update'
> Aug 22 14:58:50 ddnstest1 pdns[1246]: Packet for domain
> 'example.com' denied: TSIG signature mismatch using 'ddns_update'
> and algorithm 'hmac-md5.sig-alg.reg.int.'
> Aug 22 14:58:50 ddnstest1 pdns[1246]: Received a TSIG signed message
> with a non-validating key
> 
> Thanks,
> Martin
> 
> 
> >
> >Regards,
> >Ruben
> >
> >On 22 August 2014 04:40:57 CEST, Martin Chandler <mchandler at aventer.net>
> >wrote:
> >
> >    Hi,
> >
> >    I have been playing with the new dynamic dns feature of authoritative
> >    server 3.4.0-rc1, and have a question regarding interaction when using
> >    pdns as a hidden master in conjunction with bind 9.3 with the
> >    allow-update-forwading setting.
> >    (please excuse me if this is more of a BIND issue)
> >
> >    In short, the TSIG request bind forwards does not seem to work.
> >
> >    My log looks like this (server is ubuntu 14.04) when a client (also
> >    ubuntu 14.04) requests an IP address:
> >
> >    Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via eth1
> >    Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
> >    Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: signer "ddns_update" approved
> >    Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: forwarding update for zone 'example.com/IN'
> >    Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
> >    Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded dynamic update: master 127.0.0.1#54 returned: REFUSED
> >    Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34 (172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
> >    Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
> >    Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)
> >
> >    I have PowerDNS set up to run on port 54 as a hidden master to a BIND
> >    slave on port 53.  The dhcp server also runs on the same machine.
> >
> >    pdns.conf:
> >
> >    master=yes
> >    experimental-dnsupdate=yes
> >    allow-dnsupdate-from=
> >    local-port=54
> >    query-local-address=127.0.0.1
> >    launch=gpgsql
> >    gpgsql-dnssec=yes
> >
> >    powerdns=# select * from domains;
> >     id |    name     | master | last_check |  type  | notified_serial | account
> >    ----+-------------+--------+------------+--------+-----------------+---------
> >      1 | example.com |        |            | MASTER |      2014082206 |
> >
> >    powerdns=# select * from domainmetadata;
> >     id | domain_id |         kind         |     content
> >    ----+-----------+----------------------+-----------------
> >      1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
> >      3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
> >      9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
> >     14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update
> >
> >    powerdns=# select * from tsigkeys;
> >     id |    name     |         algorithm         |          secret
> >    ----+-------------+---------------------------+--------------------------
> >      1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
> >      2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==
> >
> >    (I have tried with only one or the other of the above)
> >
> >
> >    named.conf:
> >    options {
> >      directory "/var/cache/bind";
> >      dnssec-validation auto;
> >
> >      auth-nxdomain no;    # conform to RFC1035
> >      listen-on-v6 { any; };
> >      allow-recursion { 172.16.100.0/24; };
> >    };
> >    key ddns_update {
> >      algorithm hmac-md5;
> >      secret "hdD/wdMScNJhp0Dgpm6q8Q==";
> >    };
> >    zone "example.com" {
> >      type slave;
> >      file "slaves/example.com.zone";
> >      masters port 54 { 127.0.0.1; };
> >      allow-query { any; };
> >      allow-update-forwarding { any; };
> >    };
> >
> >    dhcpd.conf:
> >    authoritative;
> >    ddns-update-style       interim;
> >    ddns-updates            on;
> >    ignore                  client-updates;
> >    update-static-leases    on;
> >
> >    subnet 172.16.100.0 netmask 255.255.255.0 {
> >             range 172.16.100.5 172.16.100.127;
> >
> >             option domain-name-servers 172.16.100.5;
> >             option subnet-mask 255.255.255.0;
> >             option broadcast-address 172.16.100.255;
> >             option routers 172.16.100.5;
> >             option domain-name "example.com";
> >    }
> >    key ddns_update {
> >             algorithm hmac-md5;
> >             secret "hdD/wdMScNJhp0Dgpm6q8Q==";
> >    }
> >    zone example.com. {
> >             primary 127.0.0.1;
> >             key ddns_update;
> >    }
> >
> >    If I remove BIND from the equation and have dhcpd talk directly to
> >    PowerDNS, everything goes fine, so it is something about forwarding that
> >    is not working.
> >
> >    Any suggestions would be appreciated.
> >
> >    Thanks,
> >    Martin
> >
> >
> >
> >--
> >Sent from my Android device with K-9 Mail. Please excuse my brevity.



