[Pdns-users] 3.4-rc1 with ddns, tsig and bind's allow-update-forwarding

Martin Chandler mchandler at aventer.net
Fri Aug 22 02:40:57 UTC 2014


Hi,

I have been playing with the new dynamic dns feature of authoritative
server 3.4.0-rc1, and have a question regarding interaction when using
pdns as a hidden master in conjunction with bind 9.3 with the
allow-update-forwarding setting.
(please excuse me if this is more of a BIND issue)

In short, the TSIG request bind forwards does not seem to work.

My log looks like this (server is ubuntu 14.04) when a client (also
ubuntu 14.04) requests an IP address:

Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via
eth1
Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to
52:54:00:41:5f:23 (client-ubuntu) via eth1
Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key
ddns_update: signer "ddns_update" approved
Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key
ddns_update: forwarding update for zone 'example.com/IN'
Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com'
denied: TSIG signature mismatch using 'ddns_update' and algorithm
'hmac-md5.sig-alg.reg.int.'
Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded
dynamic update: master 127.0.0.1#54 returned: REFUSED
Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34
(172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to
52:54:00:41:5f:23 (client-ubuntu) via eth1
Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from
client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)

I have PowerDNS set up to run on port 54 as a hidden master to a BIND
slave on port 53.  The dhcp server also runs on the same machine.

pdns.conf:

master=yes
experimental-dnsupdate=yes
allow-dnsupdate-from=
local-port=54
query-local-address=127.0.0.1
launch=gpgsql
gpgsql-dnssec=yes

powerdns=# select * from domains;
 id |    name     | master | last_check |  type  | notified_serial | account
----+-------------+--------+------------+--------+-----------------+---------
  1 | example.com |        |            | MASTER |      2014082206 |

powerdns=# select * from domainmetadata;
 id | domain_id |         kind         |     content
----+-----------+----------------------+-----------------
  1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
  3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
  9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
 14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update

powerdns=# select * from tsigkeys;
 id |    name     |         algorithm         |          secret
----+-------------+---------------------------+--------------------------
  1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
  2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==

(I have tried with only one or the other of the above)


named.conf:
options {
	directory "/var/cache/bind";
	dnssec-validation auto;
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
	allow-recursion { 172.16.100.0/24; };
};
key ddns_update {
	algorithm hmac-md5;
	secret "hdD/wdMScNJhp0Dgpm6q8Q==";
};
zone "example.com" {
	type slave;
	file "slaves/example.com.zone";
	masters port 54 { 127.0.0.1; };
	allow-query { any; };
	allow-update-forwarding { any; };
};

dhcpd.conf:
authoritative;
ddns-update-style       interim;
ddns-updates            on;
ignore                  client-updates;
update-static-leases    on;

subnet 172.16.100.0 netmask 255.255.255.0 {
        range 172.16.100.5 172.16.100.127;
        option domain-name-servers 172.16.100.5;
        option subnet-mask 255.255.255.0;
        option broadcast-address 172.16.100.255;
        option routers 172.16.100.5;
        option domain-name "example.com";
}
key ddns_update {
        algorithm hmac-md5;
        secret "hdD/wdMScNJhp0Dgpm6q8Q==";
}
zone example.com. {
        primary 127.0.0.1;
        key ddns_update;
}

If I remove BIND from the equation and have dhcpd talk directly to
PowerDNS, everything goes fine, so it is something about forwarding that
is not working.

Any suggestions would be appreciated.

Thanks,
Martin

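
The check that produces "TSIG signature mismatch" is worth seeing in full. The script below is an added example for this thread, not PowerDNS, BIND or ISC dhcpd code: using only the Python standard library it builds a minimal RFC 2136 UPDATE for the zone in the configs above, signs it with the ddns_update key from the post under hmac-md5, and then verifies it the way the receiving server has to: strip the TSIG RR, decrement ARCOUNT, put the Original ID back into the header, and recompute the HMAC over the message plus the TSIG variables of RFC 2845 section 3.4. It also shows that "hmac-md5" in named.conf and dhcpd.conf is BIND's alias for the canonical wire name hmac-md5.sig-alg.reg.int. that pdns prints, and that a forwarder which only renumbers the message ID leaves the signature valid while any other change to the signed bytes, or a different secret on the verifying side, yields exactly the mismatch in the log. The message ID, timestamp and the A record being added are constructed; nothing here diagnoses what BIND does when it forwards.

```python
"""RFC 2845 TSIG (HMAC-MD5) sign/verify for a DNS UPDATE, stdlib only. Added example, not pdns/BIND code."""
import base64
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY = 250, 255
# Canonical algorithm name on the wire (RFC 2845); "hmac-md5" in named.conf/dhcpd.conf is BIND's alias.
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."
ALGORITHMS = {HMAC_MD5: hashlib.md5}


def canon(name):
    return name.lower().rstrip(".") + "."


def encode_name(name):
    """Uncompressed, lower-cased wire name: the canonical form the TSIG digest requires."""
    labels = [l for l in canon(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(wire, off):
    """Parse an uncompressed name (TSIG names are never compressed)."""
    labels = []
    while True:
        n, off = wire[off], off + 1
        if n & 0xC0:
            raise ValueError("compressed name in TSIG RR")
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(wire[off:off + n].decode("ascii"))
        off += n


def skip_name(wire, off):
    while True:
        n = wire[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:            # compression pointer: two bytes, name ends here
            return off + 2
        off += n + 1


def build_update(zone, fqdn, ipv4, msg_id=0x1234):
    """Minimal RFC 2136 UPDATE: one zone, no prerequisites, one A record added (constructed)."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)          # opcode 5 = UPDATE
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)             # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update = encode_name(fqdn) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata  # A, IN, TTL 3600
    return header + zone_section + update


def compute_mac(unsigned_msg, keyname, algorithm, secret, time_signed, fudge,
                error=0, other=b"", request_mac=b""):
    """RFC 2845 3.4: [request MAC] + message without TSIG + TSIG variables
    (key name, class ANY, TTL 0, algorithm, time signed, fudge, error, other data)."""
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += unsigned_msg + encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
    data += struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other
    return hmac.new(secret, data, ALGORITHMS[canon(algorithm)]).digest()


def sign(unsigned_msg, keyname, secret, time_signed, fudge=300, algorithm=HMAC_MD5):
    """Append the TSIG RR as the last additional record and bump ARCOUNT."""
    mac = compute_mac(unsigned_msg, keyname, algorithm, secret, time_signed, fudge)
    orig_id, arcount = struct.unpack("!H", unsigned_msg[:2])[0], struct.unpack("!H", unsigned_msg[10:12])[0]
    rdata = (encode_name(algorithm) + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))  # Original ID, Error, Other Len
    rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return unsigned_msg[:10] + struct.pack("!H", arcount + 1) + unsigned_msg[12:] + rr


def verify(signed_msg, keyring, now, request_mac=b""):
    """The receiving server's check; keyring maps canonical key name -> secret. Returns (ok, reason)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed_msg[:12])
    if ar == 0:
        return False, "no TSIG RR"
    off = 12
    for _ in range(qd):                                  # zone section: name, type, class
        off = skip_name(signed_msg, off) + 4
    for _ in range(an + ns + ar - 1):                    # every RR before the last additional one
        off = skip_name(signed_msg, off)
        off += 10 + struct.unpack("!H", signed_msg[off + 8:off + 10])[0]
    tsig_off = off
    keyname, off = read_name(signed_msg, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed_msg[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False, "last additional RR is not a TSIG"
    algorithm, off = read_name(signed_msg, off)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed_msg[off:off + 10])
    off += 10
    mac, off = signed_msg[off:off + maclen], off + maclen
    orig_id, error, otherlen = struct.unpack("!HHH", signed_msg[off:off + 6])
    other, time_signed = signed_msg[off + 6:off + 6 + otherlen], (hi << 32) | lo
    if canon(algorithm) not in ALGORITHMS:
        return False, "unsupported algorithm"
    secret = keyring.get(canon(keyname))
    if secret is None:
        return False, "unknown key"
    if abs(now - time_signed) > fudge:
        return False, "time signed outside fudge"
    # Digest input: TSIG removed, ARCOUNT decremented, header ID replaced by the Original ID
    # (RFC 2845 3.4.1), so a forwarder that renumbers the message does not break the signature.
    unsigned = struct.pack("!H", orig_id) + signed_msg[2:10] + struct.pack("!H", ar - 1) + signed_msg[12:tsig_off]
    expected = compute_mac(unsigned, keyname, algorithm, secret, time_signed, fudge, error, other, request_mac)
    if not hmac.compare_digest(expected, mac):
        return False, "TSIG signature mismatch"
    return True, "ok"


def demo():
    """Constructed scenario mirroring the log above: client-ubuntu is given 172.16.100.34."""
    secret = base64.b64decode("hdD/wdMScNJhp0Dgpm6q8Q==")          # the key from the post
    keyring, now = {"ddns_update.": secret}, 1408703968           # 'now' is constructed
    unsigned = build_update("example.com.", "client-ubuntu.example.com.", "172.16.100.34")
    signed = sign(unsigned, "ddns_update.", secret, now)
    tampered = bytearray(signed)
    tampered[len(unsigned) - 1] ^= 1                               # last address octet inside the signed bytes
    return {
        "direct": verify(signed, keyring, now),
        "wrong_secret": verify(signed, {"ddns_update.": b"\x00" * 16}, now),
        "renumbered": verify(struct.pack("!H", 0xBEEF) + signed[2:], keyring, now),  # only the ID changed
        "tampered": verify(bytes(tampered), keyring, now),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:13s} {'accepted' if ok else 'REFUSED'}: {reason}")
```

To use it against a real setup, replace the constructed message with the bytes captured on port 54 (tcpdump on lo) and the keyring with the secret from the tsigkeys table; if verify() passes on the captured bytes but pdns still refuses, the problem is not the key material or the algorithm name.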