[Pdns-users] TSIG with DDNS and BIND's allow-update-forwarding -PDNS 3.4.7.

Ruben d'Arco ruben at prof-x.net
Sat Nov 21 16:23:48 UTC 2015


Hi,

Can you maybe report this into a github issue, so it doesn't get forgotten?

Being one of the contributors that helped implement this, I really want to have a
look and try the same scenario locally and if reproducible, fix it.
But my time is very limited at the moment. The Christmas holiday should help :)

Regards,
	Ruben


On Tue, Nov 17, 2015 at 10:27:22AM -0700, ciphernix wrote:
> Am I doing something wrong? Or is this a bug?
> 
> This issue was also reported for 3.4-rc1. I've decided to open a new mail
> thread for awareness. 
> 
> I would like to use powerdns as a hidden master and BIND as the
> secondary/slave server.
> 
> I send TSIG signed dynamic update requests via the nsupdate utility to the
> slave server (BIND). The BIND server forwards the request to PDNS. This
> seems to be working - PDNS receives the request and validates the TSIG key
> sent by nsupdate, it also makes the requested dynamic update. However, there
> seems to be an issue with the PowerDNS TSIG response. Nsupdate reports an
> invalid tsig response ('TSIG error with server: tsig verify failure'). I
> also have the same issue if I use dnspython library.
> 
> This seems to be an issue with powerDNS. If I use BIND as both master and
> slave I do not get the same TSIG error.
> 
> 
> Pdns-3.4.7 was compiled under RHEL 6 with a MYSQL backend. 
> 
> The PDNS server is configured as a hidden master and listening on port 5353.
> 
> select * from domains where id=8;
> +----+---------------------+--------+------------+--------+-----------------+---------+
> | id | name                | master | last_check | type   | notified_serial | account |
> +----+---------------------+--------+------------+--------+-----------------+---------+
> |  8 | dyntest.example.com | NULL   |       NULL | MASTER |      2015111209 | NULL    |
> +----+---------------------+--------+------------+--------+-----------------+---------+
> 
> select * from domainmetadata where domain_id=8;
> +----+-----------+----------------------+---------------------+
> | id | domain_id | kind                 | content             |
> +----+-----------+----------------------+---------------------+
> | 16 |         8 | ALLOW-DNSUPDATE-FROM | 0.0.0.0/0           |
> | 18 |         8 | SOA-EDIT-API         | INCEPTION-INCREMENT |
> | 20 |         8 | TSIG-ALLOW-DNSUPDATE | test                |
> +----+-----------+----------------------+---------------------+
> 
> 
> select * from tsigkeys where name = 'test';
> +----+------+-----------+----------------------------------------------+
> | id | name | algorithm | secret                                       |
> +----+------+-----------+----------------------------------------------+
> |  1 | test | hmac-md5  | kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys= |
> +----+------+-----------+----------------------------------------------+
> 
> 
> I'm using ISC BIND 9.9.8 as a slave server and allow dynamic dns update
> forwarding using BIND's 'allow-update-forwarding' option. The BIND server is
> listening on port 53.
> zone "dyntest.example.com" {
>     type slave;
>     masters port 5353 {127.0.0.1; };
>     allow-update-forwarding {any; };
>     file "dyntest.example.com";
> };
> 
> When I try to use nsupdate 9.9.8 and tsig to dynamically update zone
> dyntest.example.com against the slave server I get a 'TSIG error with
> server: tsig verify failure'. However, the zone is still updated by PDNS. If
> I try to update directly against the PDNS server I get no TSIG warning. If I
> use a BIND server as hidden master I do not have this issue. I would really
> like to use PDNS as the hidden server. Is there a fix for this issue?
> 
> Here is nsupdate in debug mode:
> 
> nsupdate -D
> > server 127.0.0.1
> > zone dyntest.example.com
> > key test kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
> > update add test3.dyntest.example.com 300 A 127.0.0.3
> > send
> Sending update to 127.0.0.1#53
> show_message()
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   3658
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;dyntest.example.com.  IN SOA
> 
> ;; UPDATE SECTION:
> test3.dyntest.example.com. 300 IN A 127.0.0.3
> 
> ;; TSIG PSEUDOSECTION:
> test.     0 ANY TSIG hmac-md5.sig-alg.reg.int. 1447704112 300 16
> wRvtZ+cN2MZpX972ZB3XxA== 3658 NOERROR 0
> 
> update_completed()
> ; TSIG error with server: tsig verify failure
> show_message()
> 
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   3658
> ;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;dyntest.example.com.  IN SOA
> 
> ;; TSIG PSEUDOSECTION:
> test.     0 ANY TSIG hmac-md5.sig-alg.reg.int. 1447704112 300 16
> tkLudfZeOBVGca1ytzuO4A== 3658 NOERROR 0
> 
> 
> PDNS log:
> pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Processing
> started.
> pdns[514]: Query: select content from domains, domainmetadata where
> domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
> domainmetadata.kind='ALLOW-DNSUPDATE-FROM'
> pdns[514]: Query: select content from domains, domainmetadata where
> domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
> domainmetadata.kind='TSIG-ALLOW-DNSUPDATE'
> pdns[514]: Query: select
> id,name,master,last_check,notified_serial,type,account from domains where
> name='dyntest.example.com'
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
> pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: starting
> transaction.
> pdns[514]: Query: begin
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='A' and
> name='test3.dyntest.example.com'
> pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Adding
> record test3.dyntest.example.com|A
> pdns[514]: Query: insert into records
> (content,ttl,prio,type,domain_id,disabled,name,auth) values
> ('127.0.0.3',300,0,'A',8,0,'test3.dyntest.example.com','1')
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and name='test3.dyntest.example.com'
> pdns[514]: Query: delete from records where domain_id='8' and
> name='test3.dyntest.example.com' and type is null
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
> pdns[514]: Query: select content from domains, domainmetadata where
> domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
> domainmetadata.kind='SOA-EDIT-DNSUPDATE'
> pdns[514]: Query: delete from records where domain_id=8 and
> name='dyntest.example.com' and type='SOA'
> pdns[514]: Query: insert into records
> (content,ttl,prio,type,domain_id,disabled,name,auth) values
> ('ns1.dyntest.example.com hostmaster.dyntest.example.com 2015111605 600 900
> 604800 300',3600,0,'SOA',8,0,'dyntest.example.com','1')
> pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Increasing
> SOA serial (2015111604 -> 2015111605)
> pdns[514]: Query: commit
> pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Update
> completed, 2 changed records committed.
> pdns[514]: Query: select id,name,master,last_check,type from domains where
> type='SLAVE'
> pdns[514]: Query: select id,name,master,last_check,notified_serial,type from
> domains where type='MASTER'
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
> pdns[514]: 1 domain for which we are master needs notifications
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='NS' and name='dyntest.example.com'
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and name='ns1.dyntest.example.com'
> pdns[514]: Queued notification of domain 'dyntest.example.com' to
> 127.0.0.1:53
> pdns[514]: Query: select content from domains, domainmetadata where
> domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
> domainmetadata.kind='ALSO-NOTIFY'
> pdns[514]: Queued also-notification of domain 'dyntest.example.com' to
> 127.0.0.1:53
> pdns[514]: Query: update domains set notified_serial=2015111605 where id=8
> pdns[514]: Remote 127.0.0.1 wants 'dyntest.example.com|SOA', do = 0, bufsize
> = 1680: packetcache MISS
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
> pdns[514]: Query: select content from domains, domainmetadata where
> domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
> domainmetadata.kind='SOA-EDIT'
> pdns[514]: IXFR of domain 'dyntest.example.com' initiated by 127.0.0.1 with
> serial 2015111604
> pdns[514]: AXFR of domain 'dyntest.example.com' allowed: client IP 127.0.0.1
> is in allow-axfr-ips
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
> pdns[514]: Query: select content from domains, domainmetadata where
> domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
> domainmetadata.kind='SOA-EDIT'
> pdns[514]: IXFR fallback to AXFR for domain 'dyntest.example.com' our serial
> 2015111605
> pdns[514]: AXFR of domain 'dyntest.example.com' initiated by 127.0.0.1
> pdns[514]: AXFR of domain 'dyntest.example.com' allowed: client IP 127.0.0.1
> is in allow-axfr-ips
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
> pdns[514]: Query: select content from domains, domainmetadata where
> domainmetadata.domain_id=domains.id and name='dyntest.example.com' and
> domainmetadata.kind='SOA-EDIT'
> pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth
> FROM records WHERE (disabled=0 OR 0) and domain_id='8' order by name, type
> pdns[514]: AXFR of domain 'dyntest.example.com' to 127.0.0.1 finished
> pdns[514]: Removed from notification list: 'dyntest.example.com' to
> 127.0.0.1:53 (was acknowledged) 
> 
> 
> 
> 

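The 'tsig verify failure' nsupdate reports above is a check on the reply's TSIG MAC: per RFC 2845 a signed response is authenticated over the request's MAC (length-prefixed), the response message, and the TSIG RR variables, and the client recomputes that value with the MAC it originally sent. The following example is added here and is not code from the thread, PowerDNS or BIND; it implements that computation with the hmac-md5 key and timestamp from the post, while the message bodies after the DNS header are constructed stand-ins rather than real encodings of the zone and update sections.

```python
import base64, hashlib, hmac, struct

# Key, algorithm and time-signed value as published in the post above.
KEY_NAME = "test."
ALGORITHM = "hmac-md5.sig-alg.reg.int."
SECRET = base64.b64decode("kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=")
TIME_SIGNED = 1447704112
FUDGE = 300

def name_to_wire(name: str) -> bytes:
    """Encode a dotted DNS name in uncompressed RFC 1035 wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_variables(error: int = 0, other: bytes = b"") -> bytes:
    """RFC 2845 3.4.2: the TSIG RR fields covered by the MAC (class ANY, TTL 0)."""
    return (name_to_wire(KEY_NAME) + struct.pack("!HI", 255, 0)
            + name_to_wire(ALGORITHM)
            + struct.pack("!HI", TIME_SIGNED >> 32, TIME_SIGNED & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", FUDGE, error, len(other)) + other)

def tsig_mac(message: bytes, request_mac: bytes = b"") -> bytes:
    """MAC over [len(request_mac) + request_mac] + message + TSIG variables."""
    data = b""
    if request_mac:                      # responses chain to the request's MAC
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables()
    return hmac.new(SECRET, data, hashlib.md5).digest()

def verify_response(response: bytes, response_mac: bytes, request_mac: bytes) -> bool:
    """The client-side check: recompute the reply MAC chained to the MAC it sent."""
    return hmac.compare_digest(tsig_mac(response, request_mac), response_mac)

def demo() -> dict:
    # Constructed stand-ins: genuine headers (id 3658, opcode UPDATE; reply has qr aa)
    # followed by placeholder bytes where the zone/update sections would be.
    request = struct.pack("!6H", 3658, 0x2800, 1, 0, 1, 0) + b"<zone+update sections>"
    response = struct.pack("!6H", 3658, 0xAC00, 1, 0, 0, 0) + b"<zone section>"
    req_mac = tsig_mac(request)
    chained = tsig_mac(response, req_mac)   # reply signed the way RFC 2845 requires
    unchained = tsig_mac(response)          # reply signed without the request MAC
    return {
        "chained_verifies": verify_response(response, chained, req_mac),
        "unchained_verifies": verify_response(response, unchained, req_mac),
        "mac_len": len(chained),            # 16, matching the nsupdate debug output
    }
```

The second result is what a client reports as a TSIG verify failure: the master's update was applied, but the reply MAC does not match the value the client derives from its own request MAC.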