[Pdns-users] 3.4-rc1 with ddns, tsig and bind's allow-update-forwarding

Ruben d'Arco cyclops at prof-x.net
Sat Aug 23 12:21:31 UTC 2014


Hi,

I've tried to reproduce your issue on my end, but failed.
Could you try running the following:

$ nsupdate <<!
server 127.0.0.1 53
zone example.com
prereq nxdomain client-ubuntu.example.com
update add client-ubuntu.example.com 300 A 172.16.100.34
update add client-ubuntu.example.com 300 TXT "00bc035b76ccfec55f7d52a28a35c10053"
key ddns_update hdD/wdMScNJhp0Dgpm6q8Q==
send
answer
!


This should result in exactly the same update as your dhcpd is sending. Can you check how pdns responds to that?

Kind regards,
	Ruben



On Fri, Aug 22, 2014 at 11:31:12AM +0200, Ruben d'Arco wrote:
> Hi Martin,
> 
> To me, this seems nothing to do with bind. PDNS checks the TSIG on the package and can't verify it correctly. It then drops it and nothing happens.
> I'm running dhcpd 4.2.5, i thought that can be the issue, but the pcap will verify.
> 
> I'll get back to you later!
> 
> Regards,
> 	Ruben
> 
> 
> On Fri, Aug 22, 2014 at 06:05:57PM +0900, Martin Chandler wrote:
> > Hi Ruben,
> > 
> > Going back over versions, I see I am running BIND 9.9.5 instead of 9.3.
> > Maybe that's the problem?
> > 
> > dhcpd is 4.2.4.
> > 
> > I will send you the packet capture off-list,
> > as I am not sure if it is permissible to send attachments to the list...
> > 
> > Thanks,
> > Martin
> > 
> > (2014-08-22 17:07), Ruben d'Arco wrote:
> > >Hi Martin,
> > >
> > >I'm running virtually the same config but do not have this issue.
> > >Would it be possible for you to create a tcpdump/pcap file so i can replay the message on my end?
> > >
> > >Just to be sure, the tsigkeys table should have 'hmac-md5' as algorithm.
> > >Could you also tell us what version of dhcpd you're running?
> > >
> > >Regards,
> > >	Ruben
> > >
> > >
> > >On Fri, Aug 22, 2014 at 03:03:16PM +0900, Martin Chandler wrote:
> > >>Hi Ruben,
> > >>
> > >>>Could you provide some logging from powerdns?
> > >>>It should note/show what's it doing on that end...
> > >>
> > >>I added the following to pdns.conf:
> > >>loglevel=9
> > >>log-dns-details=yes
> > >>log-dns-queries=yes
> > >>query-logging=yes
> > >>
> > >>and this is all that pdns logs during the dhcp transaction:
> > >>
> > >>Aug 22 14:58:50 ddnstest1 pdns[1246]: TCP Remote 127.0.0.1 wants
> > >>'example.com|SOA', do = 0, bufsize = 512: packetcache MISS
> > >>Aug 22 14:58:50 ddnstest1 pdns[1246]: Query: select algorithm,
> > >>secret from tsigkeys where name=E'ddns_update'
> > >>Aug 22 14:58:50 ddnstest1 pdns[1246]: Packet for domain
> > >>'example.com' denied: TSIG signature mismatch using 'ddns_update'
> > >>and algorithm 'hmac-md5.sig-alg.reg.int.'
> > >>Aug 22 14:58:50 ddnstest1 pdns[1246]: Received a TSIG signed message
> > >>with a non-validating key
> > >>
> > >>Thanks,
> > >>Martin
> > >>
> > >>
> > >>>
> > >>>Regards,
> > >>>Ruben
> > >>>
> > >>>On 22 August 2014 04:40:57 CEST, Martin Chandler <mchandler at aventer.net>
> > >>>wrote:
> > >>>
> > >>>    Hi,
> > >>>
> > >>>    I have been playing with the new dynamic dns feature of authoritative
> > >>>    server 3.4.0-rc1, and have a question regarding interaction when using
> > >>>    pdns as a hidden master in conjunction with bind 9.3 with the
> > >>>    allow-update-forwarding setting.
> > >>>    (please excuse me if this is more of a BIND issue)
> > >>>
> > >>>    In short, the TSIG request bind forwards does not seem to work.
> > >>>
> > >>>    My log looks like this (server is ubuntu 14.04) when a client (also
> > >>>    ubuntu 14.04) requests an IP address:
> > >>>
> > >>>    Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via
> > >>>    eth1
> > >>>    Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to
> > >>>    52:54:00:41:5f:23 (client-ubuntu) via eth1
> > >>>    Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key
> > >>>    ddns_update: signer "ddns_update" approved
> > >>>    Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key
> > >>>    ddns_update: forwarding update for zone 'example.com/IN'
> > >>>    Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com'
> > >>>    denied: TSIG signature mismatch using 'ddns_update' and algorithm
> > >>>    'hmac-md5.sig-alg.reg.int.'
> > >>>    Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded
> > >>>    dynamic update: master 127.0.0.1#54 returned: REFUSED
> > >>>    Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34
> > >>>    (172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
> > >>>    Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to
> > >>>    52:54:00:41:5f:23 (client-ubuntu) via eth1
> > >>>    Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from
> > >>>    client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)
> > >>>
> > >>>    I have PowerDNS set up to run on port 54 as a hidden master to a BIND
> > >>>    slave on port 53.  The dhcp server also runs on the same machine.
> > >>>
> > >>>    pdns.conf:
> > >>>
> > >>>    master=yes
> > >>>    experimental-dnsupdate=yes
> > >>>    allow-dnsupdate-from=
> > >>>    local-port=54
> > >>>    query-local-address=127.0.0.1
> > >>>    launch=gpgsql
> > >>>    gpgsql-dnssec=yes
> > >>>
> > >>>    powerdns=# select * from domains;
> > >>>      id |    name     | master | last_check |  type  | notified_serial | account
> > >>>    ----+-------------+--------+------------+--------+-----------------+---------
> > >>>       1 | example.com |        |            | MASTER |      2014082206 |
> > >>>
> > >>>    powerdns=# select * from domainmetadata;
> > >>>      id | domain_id |         kind         |     content
> > >>>    ----+-----------+----------------------+-----------------
> > >>>       1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
> > >>>       3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
> > >>>       9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
> > >>>      14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update
> > >>>
> > >>>    powerdns=# select * from tsigkeys;
> > >>>      id |    name     |         algorithm         |          secret
> > >>>    ----+-------------+---------------------------+--------------------------
> > >>>       1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
> > >>>       2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==
> > >>>
> > >>>    (I have tried with only one or the other of the above)
> > >>>
> > >>>
> > >>>    named.conf:
> > >>>    options {
> > >>>      directory "/var/cache/bind";
> > >>>      dnssec-validation auto;
> > >>>
> > >>>      auth-nxdomain no;    # conform to RFC1035
> > >>>      listen-on-v6 { any; };
> > >>>      allow-recursion { 172.16.100.0/24; };
> > >>>    };
> > >>>    key ddns_update {
> > >>>      algorithm hmac-md5;
> > >>>      secret "hdD/wdMScNJhp0Dgpm6q8Q==";
> > >>>    };
> > >>>    zone "example.com" {
> > >>>      type slave;
> > >>>      file "slaves/example.com.zone";
> > >>>      masters port 54 { 127.0.0.1; };
> > >>>      allow-query { any; };
> > >>>      allow-update-forwarding { any; };
> > >>>    };
> > >>>
> > >>>    dhcpd.conf:
> > >>>    authoritative;
> > >>>    ddns-update-style       interim;
> > >>>    ddns-updates            on;
> > >>>    ignore                  client-updates;
> > >>>    update-static-leases    on;
> > >>>
> > >>>    subnet 172.16.100.0 netmask 255.255.255.0 {
> > >>>             range 172.16.100.5 172.16.100.127;
> > >>>
> > >>>             option domain-name-servers 172.16.100.5;
> > >>>             option subnet-mask 255.255.255.0;
> > >>>             option broadcast-address 172.16.100.255;
> > >>>             option routers 172.16.100.5;
> > >>>             option domain-name "example.com";
> > >>>    }
> > >>>    key ddns_update {
> > >>>             algorithm hmac-md5;
> > >>>             secret "hdD/wdMScNJhp0Dgpm6q8Q==";
> > >>>    }
> > >>>    zone example.com. {
> > >>>             primary 127.0.0.1;
> > >>>             key ddns_update;
> > >>>    }
> > >>>
> > >>>    If I remove BIND from the equation and have dhcpd talk directly to
> > >>>    PowerDNS, everything goes fine, so it is something about forwarding that
> > >>>    is not working.
> > >>>
> > >>>    Any suggestions would be appreciated.
> > >>>
> > >>>    Thanks,
> > >>>    Martin
> > >>>
> > >>>    ------------------------------------------------------------------------
> > >>>
> > >>>    Pdns-users mailing list
> > >>>    Pdns-users at mailman.powerdns.com
> > >>>    http://mailman.powerdns.com/mailman/listinfo/pdns-users
> > >>>
> > >>>
> > >>>--
> > >>>Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
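The "TSIG signature mismatch" that pdns logs in the thread above is the outcome of the RFC 2845 HMAC check over the update message plus the TSIG variables. The script below is an added example, not code from the thread, PowerDNS, BIND or dhcpd: it builds the same UPDATE that the nsupdate script in the reply sends (zone example.com, prerequisite NXDOMAIN, add A and TXT for client-ubuntu.example.com), signs it with the ddns_update key from the thread using HMAC-MD5 (wire algorithm name hmac-md5.sig-alg.reg.int), and then verifies it the way a server would, returning the TSIG error codes BADKEY, BADSIG and BADTIME. It uses only the Python standard library; the message layout, the key name/secret and the fudge value are taken from the thread, and the parser assumes uncompressed names (true for messages this script builds itself).

```python
# Added example: build, TSIG-sign (HMAC-MD5, RFC 2845) and verify a DNS UPDATE.
# Key name and secret are the ones posted in the thread; names are assumed uncompressed.
import base64
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_IN, CLASS_ANY, CLASS_NONE = 250, 1, 255, 254
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int"            # wire name behind "hmac-md5"
BADSIG, BADKEY, BADTIME = 16, 17, 18                    # TSIG error codes (RFC 2845)
KEYRING = {"ddns_update": "hdD/wdMScNJhp0Dgpm6q8Q=="}  # name -> base64 secret, from the thread


def encode_name(name):
    """Wire-format a domain name without compression."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l) + b"\x00"


def read_name(buf, off):
    """Read an uncompressed wire name; returns (name, offset after it)."""
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compressed names are not handled in this example")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(msg_id, zone, nxdomain_name, a_name, ip, txt):
    """Same UPDATE as the nsupdate script: zone section, prereq NXDOMAIN, add A + TXT."""
    prereq = rr(nxdomain_name, 255, CLASS_NONE, 0, b"")            # ANY/NONE: name must not exist
    updates = (rr(a_name, 1, CLASS_IN, 300, bytes(int(o) for o in ip.split("."))) +
               rr(a_name, 16, CLASS_IN, 300, bytes([len(txt)]) + txt.encode("ascii")))
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 1, 2, 0)     # opcode 5 = UPDATE
    zone_section = encode_name(zone) + struct.pack("!HH", 6, CLASS_IN)  # SOA "question"
    return header + zone_section + prereq + updates


def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """TSIG fields digested together with the message (RFC 2845 section 3.4.2)."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0) +
            encode_name(alg.lower()) + struct.pack("!Q", time_signed)[2:] +
            struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_with_tsig(unsigned, key_name, secret_b64, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned request; ARCOUNT is bumped after digesting."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", unsigned[:12])
    mac = hmac.new(base64.b64decode(secret_b64),
                   unsigned + tsig_variables(key_name, HMAC_MD5_ALG, time_signed, fudge),
                   hashlib.md5).digest()
    rdata = (encode_name(HMAC_MD5_ALG) + struct.pack("!Q", time_signed)[2:] +
             struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", msg_id, 0, 0))
    header = struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar + 1)
    return header + unsigned[12:] + rr(key_name, TSIG_TYPE, CLASS_ANY, 0, rdata)


def verify_tsig(wire, keyring, now):
    """Server-side check. Returns (key_name, 0) on success, else (key_name, BADKEY/BADSIG/BADTIME)."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):                                   # skip zone/question section
        off = read_name(wire, off)[1] + 4
    for _ in range(an + ns + ar - 1):                     # skip every RR but the last one
        off = read_name(wire, off)[1]
        off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(wire, off)
    rtype = struct.unpack("!H", wire[off:off + 2])[0]
    off += 10                                             # type, class, ttl, rdlength
    alg, off = read_name(wire, off)
    time_signed = int.from_bytes(wire[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", wire[off + 6:off + 10])
    mac = wire[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", wire[off:off + 6])
    other = wire[off + 6:off + 6 + other_len]
    if rtype != TSIG_TYPE or key_name.lower() not in keyring or alg.lower() != HMAC_MD5_ALG:
        return key_name, BADKEY
    # Digest the message as it looked before the TSIG RR was appended (original ID, ARCOUNT - 1).
    original = struct.pack("!HHHHHH", orig_id, flags, qd, an, ns, ar - 1) + wire[12:tsig_start]
    expected = hmac.new(base64.b64decode(keyring[key_name.lower()]),
                        original + tsig_variables(key_name, alg, time_signed, fudge, error, other),
                        hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return key_name, BADSIG
    if abs(now - time_signed) > fudge:
        return key_name, BADTIME
    return key_name, 0


def demo(now=1408708800):
    """Sign the thread's update and verify it under several conditions."""
    unsigned = build_update(0x1234, "example.com", "client-ubuntu.example.com",
                            "client-ubuntu.example.com", "172.16.100.34",
                            "00bc035b76ccfec55f7d52a28a35c10053")
    signed = sign_with_tsig(unsigned, "ddns_update", KEYRING["ddns_update"], now)
    i = signed.index(bytes([172, 16, 100, 34]))            # flip the last IP octet in flight
    tampered = signed[:i + 3] + bytes([signed[i + 3] ^ 1]) + signed[i + 4:]
    return {
        "good": verify_tsig(signed, KEYRING, now)[1],
        "wrong_secret": verify_tsig(signed, {"ddns_update": "AAAAAAAAAAAAAAAAAAAAAA=="}, now)[1],
        "unknown_key": verify_tsig(signed, {"other": KEYRING["ddns_update"]}, now)[1],
        "tampered": verify_tsig(tampered, KEYRING, now)[1],
        "stale": verify_tsig(signed, KEYRING, now + 3600)[1],
    }


if __name__ == "__main__":
    print(demo())
```

Anything that changes the digested bytes between signer and verifier (a different secret behind the same key name, a rewritten record, a different algorithm name, a key name that differs in more than case) shows up as BADSIG or BADKEY, which is the class of failure the pdns log above reports. To send the signed bytes to a test server, write them to a UDP socket aimed at the address and port pdns listens on; the server's reply carries its own TSIG RR with the error field set.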