[Pdns-users] TSIG with DDNS and BIND's allow-update-forwarding -PDNS 3.4.7.

ciphernix ciphernix at gmail.com
Tue Nov 17 17:27:22 UTC 2015


Am I doing something wrong? Or is this a bug?

This issue was also reported for 3.4-rc1. I've decided to open a new mail
thread for awareness. 

I would like to use powerdns as a hidden master and BIND as the
secondary/slave server.

I send TSIG signed dynamic update requests via the nsupdate utility to the
slave server (BIND). The BIND server forwards the request to PDNS. This
seems to be working - PDNS receives the request and validates the TSIG key
sent by nsupdate, it also makes the requested dynamic update. However, there
seems to be an issue with the PowerDNS TSIG response. Nsupdate reports an
invalid tsig response ('TSIG error with server: tsig verify failure'). I
also have the same issue if I use dnspython library.

This seems to be an issue with powerDNS. If I use BIND as both master and
slave I do not get the same TSIG error.


Pdns-3.4.7 was compiled under RHEL 6 with a MySQL backend.

The PDNS server is configured as a hidden master and listening on port 5353.

select * from domains where id=8;
+----+---------------------+--------+------------+--------+-----------------+---------+
| id | name                | master | last_check | type   | notified_serial | account |
+----+---------------------+--------+------------+--------+-----------------+---------+
|  8 | dyntest.example.com | NULL   |       NULL | MASTER |      2015111209 | NULL    |
+----+---------------------+--------+------------+--------+-----------------+---------+

select * from domainmetadata where domain_id=8;
+----+-----------+----------------------+---------------------+
| id | domain_id | kind                 | content             |
+----+-----------+----------------------+---------------------+
| 16 |         8 | ALLOW-DNSUPDATE-FROM | 0.0.0.0/0           |
| 18 |         8 | SOA-EDIT-API         | INCEPTION-INCREMENT |
| 20 |         8 | TSIG-ALLOW-DNSUPDATE | test                |
+----+-----------+----------------------+---------------------+


select * from tsigkeys where name = 'test';
+----+------+-----------+----------------------------------------------+
| id | name | algorithm | secret                                       |
+----+------+-----------+----------------------------------------------+
|  1 | test | hmac-md5  | kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys= |
+----+------+-----------+----------------------------------------------+


I'm using ISC BIND 9.9.8 as a slave server and allow dynamic DNS update
forwarding using BIND's 'allow-update-forwarding' option. The BIND server is
listening on port 53.

zone "dyntest.example.com" {
    type slave;
    masters port 5353 {127.0.0.1; };
    allow-update-forwarding {any; };
    file "dyntest.example.com";
};

When I try to use nsupdate 9.9.8 and TSIG to dynamically update zone
dyntest.example.com against the slave server, I get a 'TSIG error with
server: tsig verify failure'. However, the zone is still updated by PDNS. If
I try to update directly against the PDNS server I get no TSIG warning. If I
use a BIND server as hidden master I do not have this issue. I would really
like to use PDNS as the hidden server. Is there a fix for this issue?

Here is nsupdate in debug mode:

nsupdate -D
> server 127.0.0.1
> zone dyntest.example.com
> key test kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
> update add test3.dyntest.example.com 300 A 127.0.0.3
> send
Sending update to 127.0.0.1#53
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   3658
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;dyntest.example.com.  IN SOA

;; UPDATE SECTION:
test3.dyntest.example.com. 300 IN A 127.0.0.3

;; TSIG PSEUDOSECTION:
test.     0 ANY TSIG hmac-md5.sig-alg.reg.int. 1447704112 300 16
wRvtZ+cN2MZpX972ZB3XxA== 3658 NOERROR 0

update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   3658
;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;dyntest.example.com.  IN SOA

;; TSIG PSEUDOSECTION:
test.     0 ANY TSIG hmac-md5.sig-alg.reg.int. 1447704112 300 16
tkLudfZeOBVGca1ytzuO4A== 3658 NOERROR 0


PDNS log:
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Processing
started.
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='ALLOW-DNSUPDATE-FROM'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='TSIG-ALLOW-DNSUPDATE'
pdns[514]: Query: select
id,name,master,last_check,notified_serial,type,account from domains where
name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: starting
transaction.
pdns[514]: Query: begin
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='A' and
name='test3.dyntest.example.com'
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Adding
record test3.dyntest.example.com|A
pdns[514]: Query: insert into records
(content,ttl,prio,type,domain_id,disabled,name,auth) values
('127.0.0.3',300,0,'A',8,0,'test3.dyntest.example.com','1')
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and name='test3.dyntest.example.com'
pdns[514]: Query: delete from records where domain_id='8' and
name='test3.dyntest.example.com' and type is null
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='SOA-EDIT-DNSUPDATE'
pdns[514]: Query: delete from records where domain_id=8 and
name='dyntest.example.com' and type='SOA'
pdns[514]: Query: insert into records
(content,ttl,prio,type,domain_id,disabled,name,auth) values
('ns1.dyntest.example.com hostmaster.dyntest.example.com 2015111605 600 900
604800 300',3600,0,'SOA',8,0,'dyntest.example.com','1')
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Increasing
SOA serial (2015111604 -> 2015111605)
pdns[514]: Query: commit
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Update
completed, 2 changed records committed.
pdns[514]: Query: select id,name,master,last_check,type from domains where
type='SLAVE'
pdns[514]: Query: select id,name,master,last_check,notified_serial,type from
domains where type='MASTER'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: 1 domain for which we are master needs notifications
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='NS' and name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and name='ns1.dyntest.example.com'
pdns[514]: Queued notification of domain 'dyntest.example.com' to
127.0.0.1:53
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='ALSO-NOTIFY'
pdns[514]: Queued also-notification of domain 'dyntest.example.com' to
127.0.0.1:53
pdns[514]: Query: update domains set notified_serial=2015111605 where id=8
pdns[514]: Remote 127.0.0.1 wants 'dyntest.example.com|SOA', do = 0, bufsize
= 1680: packetcache MISS
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='SOA-EDIT'
pdns[514]: IXFR of domain 'dyntest.example.com' initiated by 127.0.0.1 with
serial 2015111604
pdns[514]: AXFR of domain 'dyntest.example.com' allowed: client IP 127.0.0.1
is in allow-axfr-ips
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='SOA-EDIT'
pdns[514]: IXFR fallback to AXFR for domain 'dyntest.example.com' our serial
2015111605
pdns[514]: AXFR of domain 'dyntest.example.com' initiated by 127.0.0.1
pdns[514]: AXFR of domain 'dyntest.example.com' allowed: client IP 127.0.0.1
is in allow-axfr-ips
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where
domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
domainmetadata.kind='SOA-EDIT'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
FROM records WHERE (disabled=0 OR 0) and domain_id='8' order by name, type
pdns[514]: AXFR of domain 'dyntest.example.com' to 127.0.0.1 finished
pdns[514]: Removed from notification list: 'dyntest.example.com' to
127.0.0.1:53 (was acknowledged) 




--
View this message in context: http://powerdns.13854.n7.nabble.com/TSIG-with-DDNS-and-BIND-s-allow-update-forwarding-PDNS-3-4-7-tp11899.html
Sent from the PowerDNS mailing list archive at Nabble.com.
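What nsupdate is actually checking when it prints 'tsig verify failure' is the MAC on the reply, and RFC 2845 computes that MAC differently from the one on the request: the responder must prefix the digested data with the request's MAC before the reply message and the TSIG variables. The following is an added, self-contained example (not PowerDNS, BIND or nsupdate code, and not a diagnosis of the bug reported above) that builds the UPDATE from the post by hand, signs it with hmac-md5, verifies it as the server would, signs the reply with the request MAC chained in, and verifies the reply as the client would. It then shows that a reply signed over the reply alone, without the request MAC, is rejected by the client even though the key is correct. The key, and the time used as "now", are constructed for the example; the message id, zone, record and timestamp are the ones shown in the nsupdate trace.

```python
"""Minimal RFC 2845 TSIG signer/verifier for DNS UPDATE, stdlib only.
Added example; not PowerDNS, BIND or nsupdate code. SECRET is constructed."""
import hashlib
import hmac
import struct

ALG = "hmac-md5.sig-alg.reg.int."     # algorithm name as shown in the nsupdate trace
KEY_NAME = "test."
SECRET = b"constructed-demo-secret-not-the-key-from-the-post"
TYPE_TSIG, CLASS_ANY, OPCODE_UPDATE = 250, 255, 5

def encode_name(name):
    """Uncompressed wire form of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(wire, off):
    """Offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def build_update(msg_id, zone, rr_name, ttl, ipv4):
    """UPDATE request: ZOCOUNT=1 (SOA question), UPCOUNT=1 (A record to add), no TSIG yet."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)                 # SOA IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    upd = encode_name(rr_name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_sec + upd

def build_update_response(msg_id, zone, rcode=0):
    """Reply: QR and AA set, same id and zone question, empty update section."""
    flags = 0x8000 | (OPCODE_UPDATE << 11) | 0x0400 | rcode
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", 6, 1)

def tsig_variables(keyname_wire, alg_wire, time_signed, fudge, error=0, other=b""):
    """The TSIG variables appended to the digested message (RFC 2845 section 3.4.2)."""
    return (keyname_wire.lower() + struct.pack("!HI", CLASS_ANY, 0) + alg_wire.lower()
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret, message, variables, request_mac=None):
    """HMAC over [len(request MAC) || request MAC ||] message || variables.
    The request MAC prefix is what ties a reply to the request it answers."""
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac is not None else b""
    return hmac.new(secret, data + message + variables, hashlib.md5).digest()

def sign(message, secret, time_signed, fudge=300, request_mac=None, error=0):
    """Append a TSIG RR to `message` (ARCOUNT+1). Returns (signed_wire, mac)."""
    keyname_wire, alg_wire = encode_name(KEY_NAME), encode_name(ALG)
    mac = tsig_mac(secret, message, tsig_variables(keyname_wire, alg_wire, time_signed, fudge, error), request_mac)
    msg_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (alg_wire + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, error, 0))
    rr = keyname_wire + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr, mac

def split_tsig(wire):
    """Strip the trailing TSIG RR; return (message with ARCOUNT-1, parsed TSIG fields)."""
    qd, an, ns, ar = struct.unpack("!HHHH", wire[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4
    for _ in range(an + ns + ar - 1):                 # every RR except the last (TSIG)
        off = skip_name(wire, off)
        off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
    start = off
    off = skip_name(wire, off)
    keyname_wire = wire[start:off]
    if struct.unpack("!H", wire[off:off + 2])[0] != TYPE_TSIG:
        raise ValueError("last RR is not TSIG")
    off += 10                                          # type, class, ttl, rdlength
    alg_end = skip_name(wire, off)
    alg_wire, off = wire[off:alg_end], alg_end
    time_signed = int.from_bytes(wire[off:off + 6], "big")
    fudge, macsize = struct.unpack("!HH", wire[off + 6:off + 10])
    mac = wire[off + 10:off + 10 + macsize]
    orig_id, error, _otherlen = struct.unpack("!HHH", wire[off + 10 + macsize:off + 16 + macsize])
    stripped = wire[:10] + struct.pack("!H", ar - 1) + wire[12:start]
    return stripped, dict(keyname=keyname_wire, alg=alg_wire, time_signed=time_signed,
                          fudge=fudge, mac=mac, orig_id=orig_id, error=error)

def verify(wire, secret, now, request_mac=None):
    """Recompute the MAC the peer must have produced; True only if it matches and is fresh."""
    stripped, t = split_tsig(wire)
    expected = tsig_mac(secret, stripped,
                        tsig_variables(t["keyname"], t["alg"], t["time_signed"], t["fudge"], t["error"]),
                        request_mac)
    return hmac.compare_digest(expected, t["mac"]) and abs(now - t["time_signed"]) <= t["fudge"]

def exchange(chain_response_mac=True):
    """Client signs the UPDATE, server verifies and answers, client verifies the answer.
    Returns (server_accepted_request, client_accepted_reply)."""
    now = 1447704112                                   # time signed in the posted trace
    req = build_update(3658, "dyntest.example.com.", "test3.dyntest.example.com.", 300, "127.0.0.3")
    signed_req, req_mac = sign(req, SECRET, now)
    server_ok = verify(signed_req, SECRET, now)        # a request has no request MAC to chain
    resp = build_update_response(3658, "dyntest.example.com.")
    signed_resp, _ = sign(resp, SECRET, now, request_mac=req_mac if chain_response_mac else None)
    return server_ok, verify(signed_resp, SECRET, now, request_mac=req_mac)

if __name__ == "__main__":
    print("reply chained to request MAC:", exchange(True))
    print("reply signed without request MAC:", exchange(False))
```

The second run reproduces the shape of the symptom in the post, an update the server accepted whose reply the client cannot verify, without saying anything about which side is wrong in the reported case; to locate that, capture the forwarded exchange on both the BIND and the PDNS side and feed each reply to `verify()` with the MAC of the request that side actually received.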