[Pdns-users] Dynamic DNS using nsupdate + TSIG
Yas Admin
admin at yas.nz
Sat May 7 10:45:59 UTC 2016
Hi-ho..
I've recently converted some of the DNS servers I look after to PowerDNS
after using bind for, ummm, a long time. :-)
One thing I can't get working is dynamic DNS.
The details:
pdns-server / pdns-backend-mysql 3.4.1-4-deb8u4 on Debian Jessie, master
and super slaves, all working fine with poweradmin etc., and it is the
authoritative DNS for a few domains now.
One site has a raspberry pi in their office that used to use nsupdate to
bind just fine, so I set up the following to get it working with pdns.
A separate 'dyn.xxxx.com' subdomain, so I don't have to give the pi access
to the whole domain (domain_id=21 in the DB).
'experimental-dnsupdate=yes' in pdns.conf. (changed to dnsupdate=yes in 4.x)
Added settings to the DB:
mysql> select * from tsigkeys;
+----+---------+-----------+--------------------------+
| id | name    | algorithm | secret                   |
+----+---------+-----------+--------------------------+
|  7 | pi.**** | hmac-md5  | tY****************tkJg== |
+----+---------+-----------+--------------------------+
1 row in set (0.00 sec)
mysql> select * from domainmetadata;
+----+-----------+----------------------+---------+
| id | domain_id | kind                 | content |
+----+-----------+----------------------+---------+
|  9 |        21 | TSIG-ALLOW-DNSUPDATE | pi.**** |
+----+-----------+----------------------+---------+
2 rows in set (0.00 sec)
When I do the nsupdate from the pi I get
"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"
in the log on the master.
If I add an ALLOW-DNSUPDATE-FROM record with a wide IP range in
domainmetadata it works as you'd expect, but not with just TSIG?
Leaving the ALLOW-DNSUPDATE-FROM and removing the TSIG settings, the update
still works, but insecurely.
PowerDNS is correctly checking the TSIG record, as if I use a different one
at the pi end I get this error in the log:
"denied: TSIG signature mismatch using 'pi.home' and algorithm
'hmac-md5.sig-alg.reg.int.'"
I also tried a record in domainmetadata with a type of 'TSIG-ALLOW-2136'
with the value pi.****, which I found on a blog; that dinnae work either.
I am wondering if it's just a version issue, so I might have to look at
backports, but I'd prefer not to, as I have a lot of machines to maintain and
keeping things in mainstream support makes my life a lot easier.
Cheers, Chris.
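As an added illustration, not code from the post or from PowerDNS itself, here is a Python model of the RFC 2845 TSIG MAC for an UPDATE request and of the server's verification of it. It shows that the key name, the algorithm name and the secret are all bound into the signature, so a client signing with a key other than the one in tsigkeys gets exactly the kind of mismatch quoted above. The key name pi.dyn.example.com, the secret and the UPDATE message are constructed values; the algorithm name is the one from the quoted log line.

```python
import base64, hashlib, hmac, struct

# Constructed demo values (not the poster's key): a base64 secret and the
# algorithm name quoted in the post's log line.
SECRET_B64 = base64.b64encode(b"constructed-demo-secret-bytes").decode()
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."

def dns_name(name):
    """Canonical wire form of a name: lowercase, uncompressed (RFC 2845 3.4.2)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tsig_mac(secret_b64, key_name, algorithm, message, time_signed,
             fudge=300, error=0, other=b""):
    """HMAC-MD5 over the RFC 2845 3.4 digest components for a request: the DNS
    message without its TSIG RR, then the TSIG variables (key name, class ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error, other data)."""
    data = message
    data += dns_name(key_name) + struct.pack("!HI", 255, 0)
    data += dns_name(algorithm)
    data += struct.pack("!Q", time_signed)[2:]
    data += struct.pack("!HHH", fudge, error, len(other)) + other
    return hmac.new(base64.b64decode(secret_b64), data, hashlib.md5).digest()

def verify_tsig(server_keys, key_name, algorithm, message, time_signed, mac):
    """Server-side check per RFC 2845 4.5: the key name and algorithm must be
    configured (else BADKEY), then the MAC must match (else BADSIG)."""
    entry = server_keys.get(key_name.lower())
    if entry is None or entry[1].lower() != algorithm.lower():
        return "BADKEY"
    expected = tsig_mac(entry[0], key_name, algorithm, message, time_signed)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"  # what the post's log calls a 'TSIG signature mismatch'
    return "NOERROR"

# Constructed UPDATE request header: id 0x1234, opcode 5 (UPDATE), no records,
# plus a key table shaped like the post's tsigkeys rows (name -> secret, algorithm).
UPDATE_MSG = struct.pack("!HHHHHH", 0x1234, 5 << 11, 0, 0, 0, 0)
SERVER_KEYS = {"pi.dyn.example.com": (SECRET_B64, HMAC_MD5)}

def demo(t=1462617959):
    """Right key -> NOERROR; same name, other secret -> BADSIG; unknown name -> BADKEY."""
    other = base64.b64encode(b"a-different-secret").decode()
    good = tsig_mac(SECRET_B64, "pi.dyn.example.com", HMAC_MD5, UPDATE_MSG, t)
    bad = tsig_mac(other, "pi.dyn.example.com", HMAC_MD5, UPDATE_MSG, t)
    unk = tsig_mac(SECRET_B64, "pi.home", HMAC_MD5, UPDATE_MSG, t)
    return (verify_tsig(SERVER_KEYS, "pi.dyn.example.com", HMAC_MD5, UPDATE_MSG, t, good),
            verify_tsig(SERVER_KEYS, "pi.dyn.example.com", HMAC_MD5, UPDATE_MSG, t, bad),
            verify_tsig(SERVER_KEYS, "pi.home", HMAC_MD5, UPDATE_MSG, t, unk))
```

Note that this only covers the signature check; the IP-based allow-dnsupdate-from / ALLOW-DNSUPDATE-FROM decision mentioned in the REFUSED log line is a separate, earlier step on the server.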