[Pdns-users] 3.4-rc1 with ddns, tsig and bind's allow-update-forwarding

Martin Chandler mchandler at aventer.net
Fri Aug 22 06:03:16 UTC 2014


Hi Ruben,

> Could you provide some logging from powerdns?
> It should note/show what's it doing on that end...

I added the following to pdns.conf:
loglevel=9
log-dns-details=yes
log-dns-queries=yes
query-logging=yes

and this is all that pdns logs during the dhcp transaction:

Aug 22 14:58:50 ddnstest1 pdns[1246]: TCP Remote 127.0.0.1 wants 'example.com|SOA', do = 0, bufsize = 512: packetcache MISS
Aug 22 14:58:50 ddnstest1 pdns[1246]: Query: select algorithm, secret from tsigkeys where name=E'ddns_update'
Aug 22 14:58:50 ddnstest1 pdns[1246]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
Aug 22 14:58:50 ddnstest1 pdns[1246]: Received a TSIG signed message with a non-validating key

Thanks,
Martin


>
> Regards,
> Ruben
>
> On 22 August 2014 04:40:57 CEST, Martin Chandler <mchandler at aventer.net>
> wrote:
>
>     Hi,
>
>     I have been playing with the new dynamic dns feature of authoritative
>     server 3.4.0-rc1, and have a question regarding interaction when using
>     pdns as a hidden master in conjunction with bind 9.3 with the
>     allow-update-forwading setting.
>     (please excuse me if this is more of a BIND issue)
>
>     In short, the TSIG request bind forwards does not seem to work.
>
>     My log looks like this (server is ubuntu 14.04) when a client (also
>     ubuntu 14.04) requests an IP address:
>
>     Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via eth1
>     Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
>     Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: signer "ddns_update" approved
>     Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: forwarding update for zone 'example.com/IN'
>     Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
>     Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded dynamic update: master 127.0.0.1#54 returned: REFUSED
>     Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34 (172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
>     Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
>     Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)
>
>     I have PowerDNS set up to run on port 54 as a hidden master to a BIND
>     slave on port 53.  The dhcp server also runs on the same machine.
>
>     pdns.conf:
>
>     master=yes
>     experimental-dnsupdate=yes
>     allow-dnsupdate-from=
>     local-port=54
>     query-local-address=127.0.0.1
>     launch=gpgsql
>     gpgsql-dnssec=yes
>
>     powerdns=# select * from domains;
>      id |    name     | master | last_check |  type  | notified_serial | account
>     ----+-------------+--------+------------+--------+-----------------+---------
>       1 | example.com |        |            | MASTER |      2014082206 |
>
>     powerdns=# select * from domainmetadata;
>      id | domain_id |         kind         |     content
>     ----+-----------+----------------------+-----------------
>       1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
>       3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
>       9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
>      14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update
>
>     powerdns=# select * from tsigkeys;
>      id |    name     |         algorithm         |          secret
>     ----+-------------+---------------------------+--------------------------
>       1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
>       2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==
>
>     (I have tried with only one or the other of the above)
>
>
>     named.conf:
>     options {
>       directory "/var/cache/bind";
>       dnssec-validation auto;
>
>       auth-nxdomain no;    # conform to RFC1035
>       listen-on-v6 { any; };
>       allow-recursion { 172.16.100.0/24; };
>     };
>     key ddns_update {
>       algorithm hmac-md5;
>       secret "hdD/wdMScNJhp0Dgpm6q8Q==";
>     };
>     zone "example.com" {
>       type slave;
>       file "slaves/example.com.zone";
>       masters port 54 { 127.0.0.1; };
>       allow-query { any; };
>       allow-update-forwarding { any; };
>     };
>
>     dhcpd.conf:
>     authoritative;
>     ddns-update-style       interim;
>     ddns-updates            on;
>     ignore                  client-updates;
>     update-static-leases    on;
>
>     subnet 172.16.100.0 netmask 255.255.255.0 {
>              range 172.16.100.5 172.16.100.127;
>              option domain-name-servers 172.16.100.5;
>              option subnet-mask 255.255.255.0;
>              option broadcast-address 172.16.100.255;
>              option routers 172.16.100.5;
>              option domain-name "example.com";
>     }
>     key ddns_update {
>              algorithm hmac-md5;
>              secret "hdD/wdMScNJhp0Dgpm6q8Q==";
>     }
>     zone example.com. {
>              primary 127.0.0.1;
>              key ddns_update;
>     }
>
>     If I remove BIND from the equation and have dhcpd talk directly to
>     PowerDNS, everything goes fine, so it is something about forwarding that
>     is not working.
>
>     Any suggestions would be appreciated.
>
>     Thanks,
>     Martin
>
>     ------------------------------------------------------------------------
>
>     Pdns-users mailing list
>     Pdns-users at mailman.powerdns.com
>     http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
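The thread declares the same TSIG key in three places: the dhcpd.conf key stanza, the named.conf key stanza, and the PowerDNS tsigkeys table (where it appears twice, under the short algorithm name and under the canonical one). A forwarded update only validates on the master if all three agree on name, algorithm and secret, so a configuration check that compares them is a useful first step before reading packet traces. The script below is an added example, not code from the thread or from PowerDNS, BIND or ISC dhcpd: it parses the flat `key NAME { algorithm X; secret "Y"; }` stanza shape shown in the thread (it assumes no nested braces inside a key stanza), reads tsigkeys rows as plain tuples, normalises algorithm spellings (`hmac-md5` against its RFC 2845 identifier `hmac-md5.sig-alg.reg.int.`), compares the base64-decoded secrets, and reports duplicate rows. The sample configs and the secret in them are constructed, not the values posted in the thread.

```python
# Added example: cross-check a TSIG key as declared in dhcpd.conf, named.conf
# and the PowerDNS tsigkeys table. Not PowerDNS, BIND or ISC dhcpd code.
import base64
import re

# Short names BIND, dhcpd and PowerDNS accept, mapped to the canonical TSIG
# algorithm identifiers (RFC 2845 for HMAC-MD5, RFC 4635 for the SHA family).
ALGORITHM_ALIASES = {
    "hmac-md5": "hmac-md5.sig-alg.reg.int.",
    "hmac-md5.sig-alg.reg.int": "hmac-md5.sig-alg.reg.int.",
    "hmac-sha1": "hmac-sha1.",
    "hmac-sha256": "hmac-sha256.",
}

# Parser for the flat `key NAME { algorithm X; secret "Y"; }` stanza shape used
# by both named.conf and dhcpd.conf (assumption: no nested braces inside it).
KEY_STANZA = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\}', re.S)


def canonical_algorithm(name):
    """Make 'hmac-md5' and 'hmac-md5.sig-alg.reg.int.' compare equal."""
    short = name.strip().lower().rstrip(".")
    return ALGORITHM_ALIASES.get(short, short + ".")


def canonical_key_name(name):
    """Key names are DNS names: case-insensitive, trailing dot optional."""
    return name.strip().lower().rstrip(".")


def decode_secret(secret):
    """Raw key bytes, or None when the value is not valid base64."""
    try:
        return base64.b64decode(secret, validate=True)
    except ValueError:
        return None


def parse_key_stanzas(text):
    keys = {}
    for match in KEY_STANZA.finditer(text):
        name, body = match.group(1), match.group(2)
        algo = re.search(r'algorithm\s+([\w.-]+)\s*;', body)
        secret = re.search(r'secret\s+"([^"]*)"\s*;', body)
        if algo and secret:
            keys[canonical_key_name(name)] = (canonical_algorithm(algo.group(1)), secret.group(1))
    return keys


def compare_keys(tsigkeys_rows, named_conf, dhcpd_conf):
    """Findings as strings; an empty list means all three definitions agree."""
    findings = []
    dhcp, bind, pdns = parse_key_stanzas(dhcpd_conf), parse_key_stanzas(named_conf), {}
    for name, algo, secret in tsigkeys_rows:  # rows as (name, algorithm, secret)
        pdns.setdefault(canonical_key_name(name), []).append((canonical_algorithm(algo), secret))
    if not dhcp:
        findings.append("dhcpd.conf defines no TSIG key")
    for name, (algo, secret) in dhcp.items():
        raw = decode_secret(secret)
        if raw is None:
            findings.append(f"{name}: dhcpd.conf secret is not valid base64")
            continue
        # The forwarding slave must hold the identical key to accept the update.
        if name not in bind:
            findings.append(f"{name}: no key stanza in named.conf")
        else:
            b_algo, b_secret = bind[name]
            if b_algo != algo:
                findings.append(f"{name}: algorithm differs (dhcpd {algo}, named {b_algo})")
            if decode_secret(b_secret) != raw:
                findings.append(f"{name}: secret differs between dhcpd.conf and named.conf")
        # The master validates the signature with the row(s) stored under that name.
        rows = pdns.get(name, [])
        if not rows:
            findings.append(f"{name}: no row in pdns tsigkeys")
        elif len(rows) > 1:
            findings.append(f"{name}: {len(rows)} rows in tsigkeys; keep exactly one")
        for p_algo, p_secret in rows:
            if p_algo != algo:
                findings.append(f"{name}: algorithm differs (dhcpd {algo}, pdns {p_algo})")
            if decode_secret(p_secret) != raw:
                findings.append(f"{name}: secret differs between dhcpd.conf and tsigkeys")
    return findings


# Constructed sample inputs laid out like the thread's configs; the secret is a
# placeholder (bytes 0x00..0x0f), not the key posted in the thread.
SECRET = "AAECAwQFBgcICQoLDA0ODw=="
NAMED_CONF = '''
key ddns_update { algorithm hmac-md5; secret "AAECAwQFBgcICQoLDA0ODw=="; };
zone "example.com" { type slave; masters port 54 { 127.0.0.1; }; allow-update-forwarding { any; }; };
'''
DHCPD_CONF = '''
key ddns_update { algorithm hmac-md5; secret "AAECAwQFBgcICQoLDA0ODw=="; }
zone example.com. { primary 127.0.0.1; key ddns_update; }
'''
TSIGKEYS_ROWS = [("ddns_update", "hmac-md5", SECRET)]

if __name__ == "__main__":
    for line in compare_keys(TSIGKEYS_ROWS, NAMED_CONF, DHCPD_CONF) or ["all three definitions agree"]:
        print(line)
```

Run with the real files by reading named.conf and dhcpd.conf into the two strings and feeding the output of `select name, algorithm, secret from tsigkeys` as the row list; a clean run prints one line saying the definitions agree, otherwise one finding per discrepancy. The check deliberately compares decoded secret bytes rather than the base64 text, so two encodings of the same key do not produce a false alarm, and it flags duplicate tsigkeys rows because a lookup by name should resolve to exactly one key.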