<html><head></head><body>Hi Martin,<br>
<br>
Could you provide some logging from powerdns?<br>
It should note/show what it's doing on that end...<br>
<br>
Regards,<br>
Ruben<br><br><div class="gmail_quote">On 22 August 2014 04:40:57 CEST, Martin Chandler <mchandler@aventer.net> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">Hi,

I have been playing with the new dynamic dns feature of authoritative
server 3.4.0-rc1, and have a question regarding interaction when using
pdns as a hidden master in conjunction with bind 9.3 with the
allow-update-forwarding setting.
(please excuse me if this is more of a BIND issue)

In short, the TSIG request bind forwards does not seem to work.

My log looks like this (server is ubuntu 14.04) when a client (also
ubuntu 14.04) requests an IP address:

Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via eth1
Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: signer "ddns_update" approved
Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: forwarding update for zone 'example.com/IN'
Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded dynamic update: master 127.0.0.1#54 returned: REFUSED
Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34 (172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)

I have PowerDNS set up to run on port 54 as a hidden master to a BIND
slave on port 53. The dhcp server also runs on the same machine.

pdns.conf:

master=yes
experimental-dnsupdate=yes
allow-dnsupdate-from=
local-port=54
query-local-address=127.0.0.1
launch=gpgsql
gpgsql-dnssec=yes

powerdns=# select * from domains;
 id |    name     | master | last_check |  type  | notified_serial | account
----+-------------+--------+------------+--------+-----------------+---------
  1 | example.com |        |            | MASTER |      2014082206 |

powerdns=# select * from domainmetadata;
 id | domain_id |         kind         |     content
----+-----------+----------------------+-----------------
  1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
  3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
  9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
 14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update

powerdns=# select * from tsigkeys;
 id |    name     |         algorithm         |          secret
----+-------------+---------------------------+--------------------------
  1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
  2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==

(I have tried with only one or the other of the above)


named.conf:
options {
 directory "/var/cache/bind";
 dnssec-validation auto;
 auth-nxdomain no; # conform to RFC1035
 listen-on-v6 { any; };
 allow-recursion { 172.16.100.0/24; };
};
key ddns_update {
 algorithm hmac-md5;
 secret "hdD/wdMScNJhp0Dgpm6q8Q==";
};
zone "example.com" {
 type slave;
 file "slaves/example.com.zone";
 masters port 54 { 127.0.0.1; };
 allow-query { any; };
 allow-update-forwarding { any; };
};

dhcpd.conf:
authoritative;
ddns-update-style interim;
ddns-updates on;
ignore client-updates;
update-static-leases on;

subnet 172.16.100.0 netmask 255.255.255.0 {
 range 172.16.100.5 172.16.100.127;
 option domain-name-servers 172.16.100.5;
 option subnet-mask 255.255.255.0;
 option broadcast-address 172.16.100.255;
 option routers 172.16.100.5;
 option domain-name "example.com";
}
key ddns_update {
 algorithm hmac-md5;
 secret "hdD/wdMScNJhp0Dgpm6q8Q==";
}
zone example.com. {
 primary 127.0.0.1;
 key ddns_update;
}

If I remove BIND from the equation and have dhcpd talk directly to
PowerDNS, everything goes fine, so it is something about forwarding that
is not working.

Any suggestions would be appreciated.

Thanks,
Martin

<hr />
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
<a href="http://mailman.powerdns.com/mailman/listinfo/pdns-users">http://mailman.powerdns.com/mailman/listinfo/pdns-users</a>
</pre></blockquote></div><br>
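As an added illustration, not code from this thread or from PowerDNS or BIND: the RFC 2845 digest computation behind a "TSIG signature mismatch" verdict, in Python, using the key name and secret from the configs quoted above. It shows that both the algorithm name carried in the request (hmac-md5.sig-alg.reg.int., which is what the configs' "hmac-md5" is called on the wire) and every byte of the forwarded message are covered by the MAC, so a verifier that looks the key up under a different algorithm name, or that receives a message differing from what was signed, rejects it. The UPDATE wire and the timestamp are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

# Key material as it appears in the thread (tsigkeys table, named.conf, dhcpd.conf).
KEY_NAME = "ddns_update"
KEY_SECRET = base64.b64decode("hdD/wdMScNJhp0Dgpm6q8Q==")
ALG_HMAC_MD5 = "hmac-md5.sig-alg.reg.int."   # wire name for what the configs call "hmac-md5"


def name_to_wire(name):
    """Canonical wire form of a DNS name: lower-case labels, uncompressed, root-terminated."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_digest(message, key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """RFC 2845 3.4 digest input: the message (TSIG RR removed, ARCOUNT decremented)
    followed by the TSIG variables. Key name and algorithm name are both covered."""
    variables = (name_to_wire(key_name)
                 + struct.pack("!HI", 255, 0)                        # CLASS ANY, TTL 0
                 + name_to_wire(algorithm)
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                               fudge, error, len(other))              # 48-bit time, fudge, error, other len
                 + other)
    return message + variables

def tsig_mac(secret, message, key_name, algorithm, time_signed, fudge):
    return hmac.new(secret, tsig_digest(message, key_name, algorithm, time_signed, fudge),
                    hashlib.md5).digest()

def tsig_verify(secret, message, key_name, algorithm, time_signed, fudge, mac, now):
    """True only if the MAC matches and the signing time is within the fudge window."""
    expected = tsig_mac(secret, message, key_name, algorithm, time_signed, fudge)
    return hmac.compare_digest(expected, mac) and abs(now - time_signed) <= fudge

def build_update_wire(zone, msg_id=0x1234):
    """Constructed minimal UPDATE (opcode 5) carrying only the Zone section, ARCOUNT 0."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 0, 0)
    return header + name_to_wire(zone) + struct.pack("!HH", 6, 1)    # SOA, IN

def demo(now=1408696768):   # constructed timestamp; 300 s fudge
    msg = build_update_wire("example.com.")
    mac = tsig_mac(KEY_SECRET, msg, KEY_NAME, ALG_HMAC_MD5, now, 300)
    good = tsig_verify(KEY_SECRET, msg, KEY_NAME, ALG_HMAC_MD5, now, 300, mac, now)
    # Same secret, but verified under the short name from tsigkeys row 1: mismatch.
    short_name = tsig_verify(KEY_SECRET, msg, KEY_NAME, "hmac-md5.", now, 300, mac, now)
    # Any byte of the forwarded message differing from what was signed: mismatch.
    altered = tsig_verify(KEY_SECRET, build_update_wire("example.com.", 0x4321),
                          KEY_NAME, ALG_HMAC_MD5, now, 300, mac, now)
    return good, short_name, altered
```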
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my brevity.</body></html>