[Pdns-users] 3.4-rc1 with ddns, tsig and bind's allow-update-forwarding
Martin Chandler
mchandler at aventer.net
Sun Aug 24 01:54:47 UTC 2014
Hi Ruben,
> I've tried to reproduce your issue on my end, but failed.
> Could you try running the following:
>
> $ nsupdate <<!
> server 127.0.0.1 53
> zone example.com
> prereq nxdomain client-ubuntu.example.com
> update add client-ubuntu.example.com 300 A 172.16.100.34
> update add client-ubuntu.example.com 300 TXT "00bc035b76ccfec55f7d52a28a35c10053"
> key ddns_update hdD/wdMScNJhp0Dgpm6q8Q==
> send
> answer
> !
>
>
> This should result in exactly the same update as your dhcpd is sending. Can you check how pdns responds to that?
The result of the above command is, unfortunately:
; TSIG error with server: expected a TSIG or SIG(0)
update failed: REFUSED
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 7453
;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;example.com. IN SOA
pdns logs are as follows:
Aug 24 10:15:41 ddnstest1 pdns[1275]: TCP Remote 127.0.0.1 wants 'example.com|SOA', do = 0, bufsize = 512: packetcache MISS
Aug 24 10:15:41 ddnstest1 pdns[1275]: Query: select algorithm, secret from tsigkeys where name=E'ddns_update'
Aug 24 10:15:41 ddnstest1 pdns[1275]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
Aug 24 10:15:41 ddnstest1 pdns[1275]: Received a TSIG signed message with a non-validating key
By the way, if I send to port 54 (i.e. directly to PDNS) instead, I get the
expected successful result:
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 48673
;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com. IN SOA
;; TSIG PSEUDOSECTION:
ddns_update. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1408843148 300 16
SDNHs1KVTDSRfC5GLUYCrA== 48673 NOERROR 0
I really appreciate your help
Thanks,
Martin
>
> On Fri, Aug 22, 2014 at 11:31:12AM +0200, Ruben d'Arco wrote:
>> Hi Martin,
>>
>> To me, this seems nothing to do with bind. PDNS checks the TSIG on the package and can't verify it correctly. It then drops it and nothing happens.
>> I'm running dhcpd 4.2.5, I thought that can be the issue, but the pcap will verify.
>>
>> I'll get back to you later!
>>
>> Regards,
>> Ruben
>>
>>
>> On Fri, Aug 22, 2014 at 06:05:57PM +0900, Martin Chandler wrote:
>>> Hi Ruben,
>>>
>>> Going back over versions, I see I am running BIND 9.9.5 instead of 9.3.
>>> Maybe that's the problem?
>>>
>>> dhcpd is 4.2.4.
>>>
>>> I will send you the packet capture off-list,
>>> as I am not sure if it is permissible to send attachments to the list...
>>>
>>> Thanks,
>>> Martin
>>>
>>> (2014-08-22 17:07), Ruben d'Arco wrote:
>>>> Hi Martin,
>>>>
>>>> I'm running virtually the same config but do not have this issue.
>>>> Would it be possible for you to create a tcpdump/pcap file so I can replay the message on my end?
>>>>
>>>> Just to be sure, the tsigkeys table should have 'hmac-md5' as algorithm.
>>>> Could you also tell us what version of dhcpd you're running?
>>>>
>>>> Regards,
>>>> Ruben
>>>>
>>>>
>>>> On Fri, Aug 22, 2014 at 03:03:16PM +0900, Martin Chandler wrote:
>>>>> Hi Ruben,
>>>>>
>>>>>> Could you provide some logging from powerdns?
>>>>>> It should note/show what's it doing on that end...
>>>>>
>>>>> I added the following to pdns.conf:
>>>>> loglevel=9
>>>>> log-dns-details=yes
>>>>> log-dns-queries=yes
>>>>> query-logging=yes
>>>>>
>>>>> and this is all that pdns logs during the dhcp transaction:
>>>>>
>>>>> Aug 22 14:58:50 ddnstest1 pdns[1246]: TCP Remote 127.0.0.1 wants 'example.com|SOA', do = 0, bufsize = 512: packetcache MISS
>>>>> Aug 22 14:58:50 ddnstest1 pdns[1246]: Query: select algorithm, secret from tsigkeys where name=E'ddns_update'
>>>>> Aug 22 14:58:50 ddnstest1 pdns[1246]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
>>>>> Aug 22 14:58:50 ddnstest1 pdns[1246]: Received a TSIG signed message with a non-validating key
>>>>>
>>>>> Thanks,
>>>>> Martin
>>>>>
>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Ruben
>>>>>>
>>>>>> On 22 August 2014 04:40:57 CEST, Martin Chandler <mchandler at aventer.net>
>>>>>> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have been playing with the new dynamic dns feature of authoritative
>>>>>> server 3.4.0-rc1, and have a question regarding interaction when using
>>>>>> pdns as a hidden master in conjunction with bind 9.3 with the
>>>>>> allow-update-forwarding setting.
>>>>>> (please excuse me if this is more of a BIND issue)
>>>>>>
>>>>>> In short, the TSIG request bind forwards does not seem to work.
>>>>>>
>>>>>> My log looks like this (server is ubuntu 14.04) when a client (also
>>>>>> ubuntu 14.04) requests an IP address:
>>>>>>
>>>>>> Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via eth1
>>>>>> Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
>>>>>> Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: signer "ddns_update" approved
>>>>>> Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: forwarding update for zone 'example.com/IN'
>>>>>> Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
>>>>>> Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded dynamic update: master 127.0.0.1#54 returned: REFUSED
>>>>>> Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34 (172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
>>>>>> Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
>>>>>> Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)
>>>>>>
>>>>>> I have PowerDNS set up to run on port 54 as a hidden master to a BIND
>>>>>> slave on port 53. The dhcp server also runs on the same machine.
>>>>>>
>>>>>> pdns.conf:
>>>>>>
>>>>>> master=yes
>>>>>> experimental-dnsupdate=yes
>>>>>> allow-dnsupdate-from=
>>>>>> local-port=54
>>>>>> query-local-address=127.0.0.1
>>>>>> launch=gpgsql
>>>>>> gpgsql-dnssec=yes
>>>>>>
>>>>>> powerdns=# select * from domains;
>>>>>>  id | name        | master | last_check | type   | notified_serial | account
>>>>>> ----+-------------+--------+------------+--------+-----------------+---------
>>>>>>   1 | example.com |        |            | MASTER |      2014082206 |
>>>>>>
>>>>>> powerdns=# select * from domainmetadata;
>>>>>>  id | domain_id | kind                 | content
>>>>>> ----+-----------+----------------------+-----------------
>>>>>>   1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
>>>>>>   3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
>>>>>>   9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
>>>>>>  14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update
>>>>>>
>>>>>> powerdns=# select * from tsigkeys;
>>>>>>  id | name        | algorithm                 | secret
>>>>>> ----+-------------+---------------------------+--------------------------
>>>>>>   1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
>>>>>>   2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==
>>>>>>
>>>>>> (I have tried with only one or the other of the above)
>>>>>>
>>>>>>
>>>>>> named.conf:
>>>>>> options {
>>>>>>   directory "/var/cache/bind";
>>>>>>   dnssec-validation auto;
>>>>>>
>>>>>>   auth-nxdomain no; # conform to RFC1035
>>>>>>   listen-on-v6 { any; };
>>>>>>   allow-recursion { 172.16.100.0/24; };
>>>>>> };
>>>>>> key ddns_update {
>>>>>>   algorithm hmac-md5;
>>>>>>   secret "hdD/wdMScNJhp0Dgpm6q8Q==";
>>>>>> };
>>>>>> zone "example.com" {
>>>>>>   type slave;
>>>>>>   file "slaves/example.com.zone";
>>>>>>   masters port 54 { 127.0.0.1; };
>>>>>>   allow-query { any; };
>>>>>>   allow-update-forwarding { any; };
>>>>>> };
>>>>>>
>>>>>> dhcpd.conf:
>>>>>> authoritative;
>>>>>> ddns-update-style interim;
>>>>>> ddns-updates on;
>>>>>> ignore client-updates;
>>>>>> update-static-leases on;
>>>>>>
>>>>>> subnet 172.16.100.0 netmask 255.255.255.0 {
>>>>>>   range 172.16.100.5 172.16.100.127;
>>>>>>
>>>>>>   option domain-name-servers 172.16.100.5;
>>>>>>   option subnet-mask 255.255.255.0;
>>>>>>   option broadcast-address 172.16.100.255;
>>>>>>   option routers 172.16.100.5;
>>>>>>   option domain-name "example.com";
>>>>>> }
>>>>>> key ddns_update {
>>>>>>   algorithm hmac-md5;
>>>>>>   secret "hdD/wdMScNJhp0Dgpm6q8Q==";
>>>>>> }
>>>>>> zone example.com. {
>>>>>>   primary 127.0.0.1;
>>>>>>   key ddns_update;
>>>>>> }
>>>>>>
>>>>>> If I remove BIND from the equation and have dhcpd talk directly to
>>>>>> PowerDNS, everything goes fine, so it is something about forwarding that
>>>>>> is not working.
>>>>>>
>>>>>> Any suggestions would be appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>> Martin
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>> Pdns-users mailing list
>>>>>> Pdns-users at mailman.powerdns.com
>>>>>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
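As an added illustration of what the "TSIG signature mismatch" in the pdns logs above means (example code written for this page, not part of the thread, PowerDNS or BIND), the block below computes and checks an RFC 2845 HMAC-MD5 request MAC over a minimal DNS UPDATE using only the Python standard library. It uses the key name, algorithm name and test secret posted in the thread; the message contents and message IDs are constructed. The MAC covers every byte of the message plus the key and algorithm names, so the exact bytes that were signed verify, while a re-serialised copy that differs even in the message ID does not.

```python
import base64
import hashlib
import hmac
import struct

# Values taken from the thread's configuration; everything else below is constructed.
KEY_NAME = "ddns_update"
SECRET_B64 = "hdD/wdMScNJhp0Dgpm6q8Q=="
ALG = "hmac-md5.sig-alg.reg.int."   # full algorithm name as carried in the TSIG RR

def wire_name(name):
    """Canonical wire form (lowercase labels, no compression) of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_update(msg_id, zone, name, ttl, ipv4):
    """Minimal DNS UPDATE: header with opcode 5, one ZONE entry, one A record to add."""
    hdr = struct.pack(">HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)   # ZOCOUNT=1, UPCOUNT=1
    zone_entry = wire_name(zone) + struct.pack(">HH", 6, 1)     # type SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    add_rr = wire_name(name) + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata  # type A, class IN
    return hdr + zone_entry + add_rr

def tsig_mac(message, time_signed, fudge):
    """HMAC-MD5 over the message plus the TSIG variables (RFC 2845 section 3.4, request side)."""
    variables = (wire_name(KEY_NAME) + struct.pack(">HI", 255, 0)      # class ANY, TTL 0
                 + wire_name(ALG) + time_signed.to_bytes(6, "big")       # 48-bit time signed
                 + struct.pack(">HHH", fudge, 0, 0))                     # fudge, error 0, other-len 0
    return hmac.new(base64.b64decode(SECRET_B64), message + variables, hashlib.md5).digest()

def verify(message, time_signed, fudge, mac, now):
    """Receiver-side check: timestamp inside the fudge window and MAC matches in constant time."""
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(tsig_mac(message, time_signed, fudge), mac)

def demo():
    t, fudge = 1408843148, 300   # time signed / fudge as seen in the thread's TSIG pseudosection
    update = build_update(48673, "example.com", "client-ubuntu.example.com", 300, "172.16.100.34")
    mac = tsig_mac(update, t, fudge)
    # Identical bytes verify; a copy rebuilt with another message ID fails, which is
    # exactly what the receiving server reports as a TSIG signature mismatch.
    relayed = build_update(7453, "example.com", "client-ubuntu.example.com", 300, "172.16.100.34")
    return verify(update, t, fudge, mac, t + 5), verify(relayed, t, fudge, mac, t + 5)

if __name__ == "__main__":
    print(demo())
```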