[Pdns-users] 3.4-rc1 with ddns, tsig and bind's allow-update-forwarding
Martin Chandler
mchandler at aventer.net
Fri Aug 22 06:03:16 UTC 2014
Hi Ruben,
> Could you provide some logging from powerdns?
> It should note/show what's it doing on that end...
I added the following to pdns.conf:
loglevel=9
log-dns-details=yes
log-dns-queries=yes
query-logging=yes
and this is all that pdns logs during the dhcp transaction:
Aug 22 14:58:50 ddnstest1 pdns[1246]: TCP Remote 127.0.0.1 wants
'example.com|SOA', do = 0, bufsize = 512: packetcache MISS
Aug 22 14:58:50 ddnstest1 pdns[1246]: Query: select algorithm, secret
from tsigkeys where name=E'ddns_update'
Aug 22 14:58:50 ddnstest1 pdns[1246]: Packet for domain 'example.com'
denied: TSIG signature mismatch using 'ddns_update' and algorithm
'hmac-md5.sig-alg.reg.int.'
Aug 22 14:58:50 ddnstest1 pdns[1246]: Received a TSIG signed message
with a non-validating key
Thanks,
Martin
>
> Regards,
> Ruben
>
> On 22 August 2014 04:40:57 CEST, Martin Chandler <mchandler at aventer.net>
> wrote:
>
> Hi,
>
> I have been playing with the new dynamic dns feature of authoritative
> server 3.4.0-rc1, and have a question regarding interaction when using
> pdns as a hidden master in conjunction with bind 9.3 with the
> allow-update-forwarding setting.
> (please excuse me if this is more of a BIND issue)
>
> In short, the TSIG request bind forwards does not seem to work.
>
> My log looks like this (server is ubuntu 14.04) when a client (also
> ubuntu 14.04) requests an IP address:
>
> Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via eth1
> Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
> Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: signer "ddns_update" approved
> Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: forwarding update for zone 'example.com/IN'
> Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
> Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded dynamic update: master 127.0.0.1#54 returned: REFUSED
> Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34 (172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
> Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
> Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)
>
> I have PowerDNS set up to run on port 54 as a hidden master to a BIND
> slave on port 53. The dhcp server also runs on the same machine.
>
> pdns.conf:
>
> master=yes
> experimental-dnsupdate=yes
> allow-dnsupdate-from=
> local-port=54
> query-local-address=127.0.0.1
> launch=gpgsql
> gpgsql-dnssec=yes
>
> powerdns=# select * from domains;
>  id |    name     | master | last_check |  type  | notified_serial | account
> ----+-------------+--------+------------+--------+-----------------+---------
>   1 | example.com |        |            | MASTER |      2014082206 |
>
> powerdns=# select * from domainmetadata;
>  id | domain_id |         kind         |     content
> ----+-----------+----------------------+-----------------
>   1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
>   3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
>   9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
>  14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update
>
> powerdns=# select * from tsigkeys;
>  id |    name     |         algorithm         |          secret
> ----+-------------+---------------------------+--------------------------
>   1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
>   2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==
>
> (I have tried with only one or the other of the above)
>
>
> named.conf:
> options {
> directory "/var/cache/bind";
> dnssec-validation auto;
>
> auth-nxdomain no; # conform to RFC1035
> listen-on-v6 { any; };
> allow-recursion { 172.16.100.0/24; };
> };
> key ddns_update {
> algorithm hmac-md5;
> secret "hdD/wdMScNJhp0Dgpm6q8Q==";
> };
> zone "example.com" {
> type slave;
> file "slaves/example.com.zone";
> masters port 54 { 127.0.0.1; };
> allow-query { any; };
> allow-update-forwarding { any; };
> };
>
> dhcpd.conf:
> authoritative;
> ddns-update-style interim;
> ddns-updates on;
> ignore client-updates;
> update-static-leases on;
>
> subnet 172.16.100.0 netmask 255.255.255.0 {
> range 172.16.100.5 172.16.100.127;
>
> option domain-name-servers 172.16.100.5;
> option subnet-mask 255.255.255.0;
> option broadcast-address 172.16.100.255;
> option routers 172.16.100.5;
> option domain-name "example.com";
> }
> key ddns_update {
> algorithm hmac-md5;
> secret "hdD/wdMScNJhp0Dgpm6q8Q==";
> }
> zone example.com. {
> primary 127.0.0.1;
> key ddns_update;
> }
>
> If I remove BIND from the equation and have dhcpd talk directly to
> PowerDNS, everything goes fine, so it is something about forwarding that
> is not working.
>
> Any suggestions would be appreciated.
>
> Thanks,
> Martin
>
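As an added illustration of what the "TSIG signature mismatch" above is comparing, the following example (written for this page, not code from PowerDNS, BIND or the thread) computes and verifies an RFC 2845 TSIG MAC over a constructed DNS UPDATE for the zone and key name in the thread. The message layout, timestamp and helper names are assumptions; the secret is the test value quoted above, and neither server's internal handling is modelled.

```python
import base64
import hashlib
import hmac
import struct

# Key name and (test) secret as quoted in the thread; everything else is constructed.
KEY_NAME = "ddns_update"
SECRET = base64.b64decode("hdD/wdMScNJhp0Dgpm6q8Q==")
# BIND puts the canonical wire name on the wire for its "hmac-md5" config alias.
WIRE_ALG = "hmac-md5.sig-alg.reg.int."


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, uncompressed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_update(zone: str, name: str, ip: str, msg_id: int = 0x1234) -> bytes:
    """Minimal DNS UPDATE (RFC 2136): one zone entry and one A record to add (constructed)."""
    header = struct.pack("!6H", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN
    rdata = bytes(int(o) for o in ip.split("."))
    update = wire_name(name) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata  # A, IN
    return header + zone_section + update


def tsig_mac(message: bytes, key_name: str, algorithm: str, time_signed: int,
             fudge: int = 300, error: int = 0, other: bytes = b"") -> bytes:
    """RFC 2845 digest for a request: the message (TSIG RR not yet appended) followed by
    the TSIG variables: key name, CLASS ANY, TTL 0, algorithm, time, fudge, error, other."""
    tsig_vars = (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(algorithm)
                 + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
                 + struct.pack("!HH", error, len(other)) + other)
    return hmac.new(SECRET, message + tsig_vars, hashlib.md5).digest()


def verify_tsig(message: bytes, key_name: str, algorithm: str, time_signed: int,
                received_mac: bytes) -> bool:
    """A verifier recomputes the MAC from what it received; any differing byte in the
    message or the TSIG variables (including the algorithm name) yields a mismatch."""
    expected = tsig_mac(message, key_name, algorithm, time_signed)
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    msg = build_update("example.com", "client-ubuntu.example.com", "172.16.100.34")
    ts = 1408690768  # constructed "time signed" value (2014-08-22 UTC)
    mac = tsig_mac(msg, KEY_NAME, WIRE_ALG, ts)
    print("unchanged message verifies:", verify_tsig(msg, KEY_NAME, WIRE_ALG, ts, mac))
    print("algorithm name differs:    ", verify_tsig(msg, KEY_NAME, "hmac-md5", ts, mac))
    print("message rewritten:         ", verify_tsig(msg + b"\x00", KEY_NAME, WIRE_ALG, ts, mac))
```

Because the algorithm name and every byte of the message are inside the digest, a verifier whose copy of either differs from what the signer hashed reports a mismatch even when both sides hold the correct secret.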