[Pdns-users] 3.4-rc1 with ddns, tsig and bind's allow-update-forwarding
Martin Chandler
mchandler at aventer.net
Fri Aug 22 09:05:57 UTC 2014
Hi Ruben,
Going back over versions, I see I am running BIND 9.9.5 instead of 9.3.
Maybe that's the problem?
dhcpd is 4.2.4.
I will send you the packet capture off-list,
as I am not sure if it is permissible to send attachments to the list...
Thanks,
Martin
(2014-08-22 17:07), Ruben d'Arco wrote:
> Hi Martin,
>
> I'm running virtually the same config but do not have this issue.
> Would it be possible for you to create a tcpdump/pcap file so i can replay the message on my end?
>
> Just to be sure, the tsigkeys table should have 'hmac-md5' as algorithm.
> Could you also tell us what version of dhcpd you're running?
>
> Regards,
> Ruben
>
>
> On Fri, Aug 22, 2014 at 03:03:16PM +0900, Martin Chandler wrote:
>> Hi Ruben,
>>
>>> Could you provide some logging from powerdns?
>>> It should note/show what's it doing on that end...
>>
>> I added the following to pdns.conf:
>> loglevel=9
>> log-dns-details=yes
>> log-dns-queries=yes
>> query-logging=yes
>>
>> and this is all that pdns logs during the dhcp transaction:
>>
>> Aug 22 14:58:50 ddnstest1 pdns[1246]: TCP Remote 127.0.0.1 wants
>> 'example.com|SOA', do = 0, bufsize = 512: packetcache MISS
>> Aug 22 14:58:50 ddnstest1 pdns[1246]: Query: select algorithm,
>> secret from tsigkeys where name=E'ddns_update'
>> Aug 22 14:58:50 ddnstest1 pdns[1246]: Packet for domain
>> 'example.com' denied: TSIG signature mismatch using 'ddns_update'
>> and algorithm 'hmac-md5.sig-alg.reg.int.'
>> Aug 22 14:58:50 ddnstest1 pdns[1246]: Received a TSIG signed message
>> with a non-validating key
>>
>> Thanks,
>> Martin
>>
>>
>>>
>>> Regards,
>>> Ruben
>>>
>>> On 22 August 2014 04:40:57 CEST, Martin Chandler <mchandler at aventer.net>
>>> wrote:
>>>
>>> Hi,
>>>
>>> I have been playing with the new dynamic dns feature of authoritative
>>> server 3.4.0-rc1, and have a question regarding interaction when using
>>> pdns as a hidden master in conjunction with bind 9.3 with the
>>> allow-update-forwarding setting.
>>> (please excuse me if this is more of a BIND issue)
>>>
>>> In short, the TSIG request bind forwards does not seem to work.
>>>
>>> My log looks like this (server is ubuntu 14.04) when a client (also
>>> ubuntu 14.04) requests an IP address:
>>>
>>> Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via
>>> eth1
>>> Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to
>>> 52:54:00:41:5f:23 (client-ubuntu) via eth1
>>> Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key
>>> ddns_update: signer "ddns_update" approved
>>> Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key
>>> ddns_update: forwarding update for zone 'example.com/IN'
>>> Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com'
>>> denied: TSIG signature mismatch using 'ddns_update' and algorithm
>>> 'hmac-md5.sig-alg.reg.int.'
>>> Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded
>>> dynamic update: master 127.0.0.1#54 returned: REFUSED
>>> Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34
>>> (172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
>>> Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to
>>> 52:54:00:41:5f:23 (client-ubuntu) via eth1
>>> Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from
>>> client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)
>>>
>>> I have PowerDNS set up to run on port 54 as a hidden master to a BIND
>>> slave on port 53. The dhcp server also runs on the same machine.
>>>
>>> pdns.conf:
>>>
>>> master=yes
>>> experimental-dnsupdate=yes
>>> allow-dnsupdate-from=
>>> local-port=54
>>> query-local-address=127.0.0.1
>>> launch=gpgsql
>>> gpgsql-dnssec=yes
>>>
>>> powerdns=# select * from domains;
>>>  id |    name     | master | last_check |  type  | notified_serial | account
>>> ----+-------------+--------+------------+--------+-----------------+---------
>>>   1 | example.com |        |            | MASTER |      2014082206 |
>>>
>>> powerdns=# select * from domainmetadata;
>>>  id | domain_id |         kind         |     content
>>> ----+-----------+----------------------+-----------------
>>>   1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
>>>   3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
>>>   9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
>>>  14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update
>>>
>>> powerdns=# select * from tsigkeys;
>>>  id |    name     |         algorithm         |          secret
>>> ----+-------------+---------------------------+--------------------------
>>>   1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
>>>   2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==
>>>
>>> (I have tried with only one or the other of the above)
>>>
>>>
>>> named.conf:
>>> options {
>>> directory "/var/cache/bind";
>>> dnssec-validation auto;
>>>
>>> auth-nxdomain no; # conform to RFC1035
>>> listen-on-v6 { any; };
>>> allow-recursion { 172.16.100.0/24; };
>>> };
>>> key ddns_update {
>>> algorithm hmac-md5;
>>> secret "hdD/wdMScNJhp0Dgpm6q8Q==";
>>> };
>>> zone "example.com" {
>>> type slave;
>>> file "slaves/example.com.zone";
>>> masters port 54 { 127.0.0.1; };
>>> allow-query { any; };
>>> allow-update-forwarding { any; };
>>> };
>>>
>>> dhcpd.conf:
>>> authoritative;
>>> ddns-update-style interim;
>>> ddns-updates on;
>>> ignore client-updates;
>>> update-static-leases on;
>>>
>>> subnet 172.16.100.0 netmask 255.255.255.0 {
>>> range 172.16.100.5 172.16.100.127;
>>>
>>>
>>> option domain-name-servers 172.16.100.5;
>>> option subnet-mask 255.255.255.0;
>>> option broadcast-address 172.16.100.255;
>>> option routers 172.16.100.5;
>>> option domain-name "example.com";
>>> }
>>> key ddns_update {
>>> algorithm hmac-md5;
>>> secret "hdD/wdMScNJhp0Dgpm6q8Q==";
>>> }
>>> zone example.com. {
>>> primary 127.0.0.1;
>>> key ddns_update;
>>> }
>>>
>>> If I remove BIND from the equation and have dhcpd talk directly to
>>> PowerDNS, everything goes fine, so it is something about forwarding that
>>> is not working.
>>>
>>> Any suggestions would be appreciated.
>>>
>>> Thanks,
>>> Martin
>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
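The "TSIG signature mismatch" that PowerDNS logs above is the result of the RFC 2845 check a server runs on a signed UPDATE: it recomputes the HMAC over the message (with the TSIG record removed) followed by the "TSIG variables" (key name, class ANY, TTL 0, canonical algorithm name, time signed, fudge, error, other data) and compares it with the MAC the sender attached. The following is an added, stdlib-only illustration of that check; it is not code from the thread, from PowerDNS or from BIND, and every message, key name, secret and timestamp in it is constructed. It also generalises beyond the thread's HMAC-MD5 case by accepting any algorithm in its `DIGESTS` table.

```python
"""Minimal RFC 2845 TSIG request signing and verification (added example).

Not PowerDNS or BIND code. All message bytes, key names, secrets and
timestamps below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct

# RFC 2845 names the HMAC-MD5 algorithm "HMAC-MD5.SIG-ALG.REG.INT";
# "hmac-md5" is the short alias accepted in BIND and PowerDNS configuration.
ALG_ALIASES = {"hmac-md5": "hmac-md5.sig-alg.reg.int."}
DIGESTS = {
    "hmac-md5.sig-alg.reg.int.": hashlib.md5,
    "hmac-sha256.": hashlib.sha256,
}


def canonical_alg(name):
    """Map a configured algorithm name to its canonical, fully qualified form."""
    name = name.lower()
    name = ALG_ALIASES.get(name.rstrip("."), name)
    return name if name.endswith(".") else name + "."


def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_variables(key_name, alg_name, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' (RFC 2845 section 3.4.2) appended to the message for the MAC."""
    return (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
        + wire_name(canonical_alg(alg_name))
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )


def sign_request(message, key_name, alg_name, secret_b64, time_signed, fudge=300):
    """MAC over (message without TSIG RR) || TSIG variables, keyed with the shared secret."""
    digestmod = DIGESTS[canonical_alg(alg_name)]
    data = message + tsig_variables(key_name, alg_name, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, digestmod).digest()


def verify_request(message, key_name, alg_name, secret_b64, time_signed, fudge, mac, now):
    """Return (ok, reason), mirroring the checks a server makes before accepting an update."""
    if canonical_alg(alg_name) not in DIGESTS:
        return False, "BADKEY: unknown algorithm"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME: outside fudge window"
    expected = sign_request(message, key_name, alg_name, secret_b64, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False, "BADSIG: TSIG signature mismatch"
    return True, "NOERROR"


def build_update_message(zone, msg_id=0x1234):
    """Constructed DNS UPDATE: header (opcode 5, ZOCOUNT=1) plus the zone section, no TSIG RR."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN


def demo():
    """Sign one constructed update and verify it under several mismatch conditions."""
    secret = base64.b64encode(b"constructed-demo-secret!").decode()  # constructed, not a real key
    other = base64.b64encode(b"some-other-secret").decode()
    msg = build_update_message("example.com.")
    t = 1408690768  # constructed 'time signed'
    mac = sign_request(msg, "ddns_update", "hmac-md5", secret, t)
    return {
        "same key and algorithm": verify_request(msg, "ddns_update", "hmac-md5", secret, t, 300, mac, t + 5),
        "alias vs canonical name": verify_request(msg, "ddns_update", "hmac-md5.sig-alg.reg.int.", secret, t, 300, mac, t + 5),
        "different secret": verify_request(msg, "ddns_update", "hmac-md5", other, t, 300, mac, t + 5),
        "message modified": verify_request(msg + b"\x00", "ddns_update", "hmac-md5", secret, t, 300, mac, t + 5),
        "stale timestamp": verify_request(msg, "ddns_update", "hmac-md5", secret, t, 300, mac, t + 301),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:24s} -> {reason}")
```

Note that the algorithm name goes into the MAC in its canonical wire form, so `hmac-md5` and `hmac-md5.sig-alg.reg.int.` verify identically only because `canonical_alg` maps the alias; a key record whose algorithm resolves to a different name, or whose secret differs, fails with the same BADSIG outcome that the log above shows, and the check cannot tell those causes apart.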