[Pdns-users] 3.4-rc1 with ddns, tsig and bind's allow-update-forwarding

ciphernix ciphernix at gmail.com
Mon Nov 16 19:40:11 UTC 2015


Hi, was this ever resolved? I'm having the same issue with pdns-3.4.7
compiled under RHEL 6 with a MySQL backend. I get a 'TSIG error with server:
tsig verify failure' error when BIND forwards updates to PowerDNS.

The PDNS server is configured as a hidden master and listening on port 5353.

select * from domains where id=8;
+----+---------------------+--------+------------+--------+-----------------+---------+
| id | name                | master | last_check | type   | notified_serial | account |
+----+---------------------+--------+------------+--------+-----------------+---------+
|  8 | dyntest.example.com | NULL   |       NULL | MASTER |      2015111209 | NULL    |
+----+---------------------+--------+------------+--------+-----------------+---------+

select * from domainmetadata where domain_id=8;
+----+-----------+----------------------+---------------------+
| id | domain_id | kind                 | content             |
+----+-----------+----------------------+---------------------+
| 16 |         8 | ALLOW-DNSUPDATE-FROM | 0.0.0.0/0           |
| 18 |         8 | SOA-EDIT-API         | INCEPTION-INCREMENT |
| 20 |         8 | TSIG-ALLOW-DNSUPDATE | test                |
+----+-----------+----------------------+---------------------+


select * from tsigkeys where name = 'test';
+----+------+-----------+----------------------------------------------+
| id | name | algorithm | secret                                       |
+----+------+-----------+----------------------------------------------+
|  1 | test | hmac-md5  | kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys= |
+----+------+-----------+----------------------------------------------+


I'm using ISC BIND 9.9.8 as a slave server and allow dynamic DNS update
forwarding using BIND's 'allow-update-forwarding' option. The BIND server is
listening on port 53.

zone "dyntest.example.com" {
    type slave;
    masters port 5353 {127.0.0.1; };
    allow-update-forwarding {any; };
    file "dyntest.example.com";
};

When I try to use nsupdate 9.9.8 and TSIG to dynamically update zone
dyntest.example.com against the slave server I get a 'TSIG error with
server: tsig verify failure'. However, the zone is still updated by PDNS. If
I try to update directly against the PDNS server I get no TSIG warning. If I
use a BIND server as hidden master I do not have this issue. I would really
like to use PDNS as the hidden server. Is there a fix for this issue?

Here is nsupdate in debug mode:

nsupdate -D
> server 127.0.0.1
> zone dyntest.example.com
> key test kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
> update add test3.dyntest.example.com 300 A 127.0.0.3
> send
Sending update to 127.0.0.1#53
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   3658
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;dyntest.example.com.  IN SOA

;; UPDATE SECTION:
test3.dyntest.example.com. 300 IN A 127.0.0.3

;; TSIG PSEUDOSECTION:
test.     0 ANY TSIG hmac-md5.sig-alg.reg.int. 1447704112 300 16
wRvtZ+cN2MZpX972ZB3XxA== 3658 NOERROR 0 

update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   3658
;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;dyntest.example.com.  IN SOA

;; TSIG PSEUDOSECTION:
test.     0 ANY TSIG hmac-md5.sig-alg.reg.int. 1447704112 300 16
tkLudfZeOBVGca1ytzuO4A== 3658 NOERROR 0 


PDNS log:
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Processing
started.
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='ALLOW-DNSUPDATE-FROM'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='TSIG-ALLOW-DNSUPDATE'
pdns[514]: Query: select
id,name,master,last_check,notified_serial,type,account from domains where
name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: starting
transaction.
pdns[514]: Query: begin
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='A' and
name='test3.dyntest.example.com'
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Adding
record test3.dyntest.example.com|A
pdns[514]: Query: insert into records
(content,ttl,prio,type,domain_id,disabled,name,auth) values
('127.0.0.3',300,0,'A',8,0,'test3.dyntest.example.com','1')
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and name='test3.dyntest.example.com'
pdns[514]: Query: delete from records where domain_id='8' and
name='test3.dyntest.example.com' and type is null
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='SOA-EDIT-DNSUPDATE'
pdns[514]: Query: delete from records where domain_id=8 and
name='dyntest.example.com' and type='SOA'
pdns[514]: Query: insert into records
(content,ttl,prio,type,domain_id,disabled,name,auth) values
('ns1.dyntest.example.com hostmaster.dyntest.example.com 2015111605 600 900
604800 300',3600,0,'SOA',8,0,'dyntest.example.com','1')
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Increasing
SOA serial (2015111604 -> 2015111605)
pdns[514]: Query: commit
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Update
completed, 2 changed records committed.
pdns[514]: Query: select id,name,master,last_check,type from domains where
type='SLAVE'
pdns[514]: Query: select id,name,master,last_check,notified_serial,type from
domains where type='MASTER'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: 1 domain for which we are master needs notifications
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='NS' and name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and name='ns1.dyntest.example.com'
pdns[514]: Queued notification of domain 'dyntest.example.com' to
127.0.0.1:53
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='ALSO-NOTIFY'
pdns[514]: Queued also-notification of domain 'dyntest.example.com' to
127.0.0.1:53
pdns[514]: Query: update domains set notified_serial=2015111605 where id=8
pdns[514]: Remote 127.0.0.1 wants 'dyntest.example.com|SOA', do = 0, bufsize
= 1680: packetcache MISS
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='SOA-EDIT'
pdns[514]: IXFR of domain 'dyntest.example.com' initiated by 127.0.0.1 with
serial 2015111604
pdns[514]: AXFR of domain 'dyntest.example.com' allowed: client IP 127.0.0.1
is in allow-axfr-ips
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='SOA-EDIT'
pdns[514]: IXFR fallback to AXFR for domain 'dyntest.example.com' our serial
2015111605
pdns[514]: AXFR of domain 'dyntest.example.com' initiated by 127.0.0.1
pdns[514]: AXFR of domain 'dyntest.example.com' allowed: client IP 127.0.0.1
is in allow-axfr-ips
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='SOA-EDIT'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE (disabled=0 OR 0) and domain_id='8' order by name, type
pdns[514]: AXFR of domain 'dyntest.example.com' to 127.0.0.1 finished
pdns[514]: Removed from notification list: 'dyntest.example.com' to
127.0.0.1:53 (was acknowledged)
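As an added illustration (example code, not from the post, PowerDNS or BIND) of what the client-side check behind 'tsig verify failure' computes: per RFC 2845 the MAC on a reply is computed over the MAC of the request it answers, so a reply signed with the right key still fails unless it is chained to the exact request the client sent. It reuses the key from the post and constructs the UPDATE and reply messages inline; it does not say where in the forwarding path the mismatch arises.

```python
import base64, hashlib, hmac, struct

# Key and algorithm name as shown in the post's tsigkeys row and TSIG pseudosection.
KEY_NAME = "test."
ALGORITHM = "hmac-md5.sig-alg.reg.int."
SECRET = base64.b64decode("kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=")

def wire_name(name):
    """Uncompressed wire-format name, lowercased as RFC 2845 requires in digests."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tsig_variables(time_signed, fudge=300, error=0, other=b""):
    """TSIG RR fields covered by the MAC: name, class ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_mac(message, time_signed, request_mac=b""):
    """HMAC-MD5 over [2-byte length + request MAC] + message without TSIG RR + TSIG variables.
    The request-MAC prefix is only present for responses; it ties a reply to one specific request."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    return hmac.new(SECRET, prefix + message + tsig_variables(time_signed), hashlib.md5).digest()

def verify_response(response, response_mac, time_signed, request_mac):
    # What the client does with a reply: recompute using the MAC of the request it sent.
    return hmac.compare_digest(tsig_mac(response, time_signed, request_mac), response_mac)

def update_request(msg_id=3658):
    """UPDATE adding test3.dyntest.example.com A 127.0.0.3 (uncompressed names, unlike nsupdate)."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)        # opcode UPDATE; ZONE 1, UPDATE 1
    zone = wire_name("dyntest.example.com") + struct.pack("!HH", 6, 1)  # SOA IN
    rr = wire_name("test3.dyntest.example.com") + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([127, 0, 0, 3])
    return header + zone + rr

def update_response(msg_id=3658):
    """NOERROR reply with flags qr aa and only the zone section, as in the post's reply dump."""
    header = struct.pack("!HHHHHH", msg_id, 0x8000 | (5 << 11) | 0x0400, 1, 0, 0, 0)
    return header + wire_name("dyntest.example.com") + struct.pack("!HH", 6, 1)

def demo(time_signed=1447704112):
    """Returns (reply chained to the client's own request MAC verifies, reply chained to another MAC verifies)."""
    req, resp = update_request(), update_response()
    req_mac = tsig_mac(req, time_signed)               # remembered by the client after sending
    resp_mac = tsig_mac(resp, time_signed, req_mac)    # what the responder must compute
    ok = verify_response(resp, resp_mac, time_signed, req_mac)
    # Correct key and identical reply, but computed over a request MAC the client never produced.
    foreign_mac = tsig_mac(req, time_signed + 1)
    bad = verify_response(resp, tsig_mac(resp, time_signed, foreign_mac), time_signed, req_mac)
    return ok, bad
```

Running demo() returns (True, False): the reply is accepted only when its MAC was computed over the client's own request MAC.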




--
View this message in context: http://powerdns.13854.n7.nabble.com/3-4-rc1-with-ddns-tsig-and-bind-s-allow-update-forwarding-tp10880p11897.html
Sent from the PowerDNS mailing list archive at Nabble.com.