[Pdns-users] 3.4-rc1 with ddns, tsig and bind's allow-update-forwarding

Ruben d'Arco cyclops at prof-x.net
Fri Aug 22 05:46:04 UTC 2014


Hi Martin,

Could you provide some logging from powerdns?
It should note/show what it's doing on that end...

Regards,
    Ruben

On 22 August 2014 04:40:57 CEST, Martin Chandler <mchandler at aventer.net> wrote:
>Hi,
>
>I have been playing with the new dynamic dns feature of authoritative
>server 3.4.0-rc1, and have a question regarding interaction when using
>pdns as a hidden master in conjunction with bind 9.3 with the
>allow-update-forwarding setting.
>(please excuse me if this is more of a BIND issue)
>
>In short, the TSIG request bind forwards does not seem to work.
>
>My log looks like this (server is ubuntu 14.04) when a client (also
>ubuntu 14.04) requests an IP address:
>
>Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via eth1
>Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
>Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: signer "ddns_update" approved
>Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: forwarding update for zone 'example.com/IN'
>Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
>Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded dynamic update: master 127.0.0.1#54 returned: REFUSED
>Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34 (172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
>Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
>Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)
>
>I have PowerDNS set up to run on port 54 as a hidden master to a BIND
>slave on port 53.  The dhcp server also runs on the same machine.
>
>pdns.conf:
>
>master=yes
>experimental-dnsupdate=yes
>allow-dnsupdate-from=
>local-port=54
>query-local-address=127.0.0.1
>launch=gpgsql
>gpgsql-dnssec=yes
>
>powerdns=# select * from domains;
> id |    name     | master | last_check |  type  | notified_serial | account
>----+-------------+--------+------------+--------+-----------------+---------
>  1 | example.com |        |            | MASTER |      2014082206 |
>
>powerdns=# select * from domainmetadata;
> id | domain_id |         kind         |     content
>----+-----------+----------------------+-----------------
>  1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
>  3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
>  9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
> 14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update
>
>powerdns=# select * from tsigkeys;
> id |    name     |         algorithm         |          secret
>----+-------------+---------------------------+--------------------------
> 1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
> 2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==
>
>(I have tried with only one or the other of the above)
>
>
>named.conf:
>options {
>	directory "/var/cache/bind";
>	dnssec-validation auto;
>	auth-nxdomain no;    # conform to RFC1035
>	listen-on-v6 { any; };
>	allow-recursion { 172.16.100.0/24; };
>};
>key ddns_update {
>	algorithm hmac-md5;
>	secret "hdD/wdMScNJhp0Dgpm6q8Q==";
>};
>zone "example.com" {
>	type slave;
>	file "slaves/example.com.zone";
>	masters port 54 { 127.0.0.1; };
>	allow-query { any; };
>	allow-update-forwarding { any; };
>};
>
>dhcpd.conf:
>authoritative;
>ddns-update-style       interim;
>ddns-updates            on;
>ignore                  client-updates;
>update-static-leases    on;
>
>subnet 172.16.100.0 netmask 255.255.255.0 {
>        range 172.16.100.5 172.16.100.127;
>        option domain-name-servers 172.16.100.5;
>        option subnet-mask 255.255.255.0;
>        option broadcast-address 172.16.100.255;
>        option routers 172.16.100.5;
>        option domain-name "example.com";
>}
>key ddns_update {
>        algorithm hmac-md5;
>        secret "hdD/wdMScNJhp0Dgpm6q8Q==";
>}
>zone example.com. {
>        primary 127.0.0.1;
>        key ddns_update;
>}
>
>If I remove BIND from the equation and have dhcpd talk directly to
>PowerDNS, everything goes fine, so it is something about forwarding
>that is not working.
>
>Any suggestions would be appreciated.
>
>Thanks,
>Martin
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
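The failing step in the thread is the TSIG check on the forwarded update, so it helps to see exactly what a TSIG verifier hashes. The script below is an added example written for this page; it is not code from the thread, PowerDNS, BIND or dhcpd. It signs a minimal DNS UPDATE with HMAC-MD5 the way RFC 2845 (now RFC 8945) specifies, then verifies it on the receiving side. The key name is the thread's, the secret and timestamp are constructed, and the alias table (the config-file name `hmac-md5` versus the wire name `hmac-md5.sig-alg.reg.int.`) is this example's own way of canonicalising the algorithm name before hashing. It does not claim to reproduce the cause of Martin's mismatch.

```python
import base64
import hashlib
import hmac
import struct
import time

# Key name from the thread; the secret is a constructed test value, not the posted one.
KEY_NAME = "ddns_update"
KEY_SECRET_B64 = "AAECAwQFBgcICQoLDA0ODw=="

# Config files use short aliases; the name that is hashed is the canonical wire
# name. RFC 2845 registered HMAC-MD5.SIG-ALG.REG.INT for HMAC-MD5.
ALGORITHM_WIRE_NAME = {
    "hmac-md5": "hmac-md5.sig-alg.reg.int.",
    "hmac-md5.sig-alg.reg.int.": "hmac-md5.sig-alg.reg.int.",
    "hmac-sha256": "hmac-sha256.",
}
DIGEST = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}


def encode_name(name):
    """DNS name in canonical (lowercase, uncompressed) wire form."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_update_message(msg_id, zone):
    """Minimal DNS UPDATE (opcode 5): header plus a zone section, no RRs."""
    flags = 5 << 11                       # QR=0, opcode=5 (UPDATE), no other flags
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)   # SOA, IN


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' appended to the message before hashing (RFC 2845 3.4.2)."""
    return (encode_name(key_name)
            + struct.pack("!HI", 255, 0)             # class ANY, TTL 0
            + encode_name(algorithm)                 # algorithm name is part of the MAC input
            + struct.pack("!Q", time_signed)[2:]     # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_sign(message, key_name, secret_b64, algorithm, time_signed, fudge=300):
    """Return the MAC a signer would place in the TSIG RR of this message."""
    wire_alg = ALGORITHM_WIRE_NAME[algorithm.lower()]
    data = message + tsig_variables(key_name, wire_alg, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, DIGEST[wire_alg]).digest()


def tsig_verify(message, key_name, secret_b64, algorithm, time_signed, fudge, mac, now=None):
    """Verifier side: returns (ok, tsig_error_name)."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    expected = tsig_sign(message, key_name, secret_b64, algorithm, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False, "BADSIG"
    return True, "NOERROR"


def demo():
    """Sign one update, then verify it unmodified, altered, under an alias, and stale."""
    t = 1408682368  # constructed 'time signed'
    msg = build_update_message(0x1234, "example.com")
    mac = tsig_sign(msg, KEY_NAME, KEY_SECRET_B64, "hmac-md5", t)
    ok_original = tsig_verify(msg, KEY_NAME, KEY_SECRET_B64, "hmac-md5", t, 300, mac, now=t)
    # Any change to the signed bytes (here a different zone name) breaks the MAC.
    altered = build_update_message(0x1234, "example.net")
    ok_altered = tsig_verify(altered, KEY_NAME, KEY_SECRET_B64, "hmac-md5", t, 300, mac, now=t)
    # The alias and the canonical name hash identically because both map to the wire name.
    ok_alias = tsig_verify(msg, KEY_NAME, KEY_SECRET_B64, "hmac-md5.sig-alg.reg.int.", t, 300, mac, now=t)
    # Outside the fudge window the verifier rejects before even checking the MAC.
    ok_stale = tsig_verify(msg, KEY_NAME, KEY_SECRET_B64, "hmac-md5", t, 300, mac, now=t + 3600)
    return ok_original, ok_altered, ok_alias, ok_stale


if __name__ == "__main__":
    for label, result in zip(("original", "altered", "alias", "stale"), demo()):
        print(f"{label:9s} -> {result}")
```

The point for troubleshooting a mismatch like the one in the log: the MAC is computed over the whole message plus the key name, the canonical algorithm name and the time window, with one shared secret. Every hop that re-signs or verifies must agree on all of those, and a verifier that keeps two key rows for the same key name can only match one algorithm string per request.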