[Pdns-users] dns update across dnsdist

Marc Boisis marc.boisis at univ-lr.fr
Tue Feb 11 11:39:46 UTC 2020


Hi Remi,
My dnsdist version is 1.3.3 and authoritative is 4.2.0

I've found a diff with Wireshark: before dnsdist I have just one additional record containing the TSIG,
after dnsdist I have two additional records (TSIG and OPT with client subnet).

I tried "newServer({address='127.0.0.1:5300', pool='auth-update', useClientSubnet=false })" or "newServer({address='127.0.0.1:5300', pool='auth-update', useClientSubnet=true })" but the result is the same.


before dnsdist:
Domain Name System (query)
Transaction ID: 0xdb4c
Flags: 0x2800 Dynamic update
0... .... .... .... = Response: Message is a query
.010 1... .... .... = Opcode: Dynamic update (5)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Zones: 1
Prerequisites: 1
Updates: 2
Additional RRs: 1
Zone
univ-lr.fr: type SOA, class IN
Name: univ-lr.fr
[Name Length: 10]
[Label Count: 2]
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Prerequisites
u-bionic-2-5003.univ-lr.fr: type ANY, class NONE
Name: u-bionic-2-5003.univ-lr.fr
Type: * (A request for all records the server/cache has available) (255)
Class: NONE (0x00fe)
Time to live: 0 (0 seconds)
Data length: 0
Updates
u-bionic-2-5003.univ-lr.fr: type A, class IN, addr 10.2.154.237
Name: u-bionic-2-5003.univ-lr.fr
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 3600 (1 hour)
Data length: 4
Address: 10.2.154.237
u-bionic-2-5003.univ-lr.fr: type DHCID, class IN
Name: u-bionic-2-5003.univ-lr.fr
Type: DHCID (49)
Class: IN (0x0001)
Time to live: 3600 (1 hour)
Data length: 35
DHCID Data: 000001a719b0b167ca71adf4b02ed05693d7d8dec38e29a6…
Additional records
bean-dhcp: type TSIG, class ANY
Name: bean-dhcp
Type: TSIG (Transaction Signature) (250)
Class: ANY (0x00ff)
Time to live: 0 (0 seconds)
Data length: 58
Algorithm Name: hmac-md5.sig-alg.reg.int
Time Signed: Feb 11, 2020 11:55:51.000000000 CET
Fudge: 300
MAC Size: 16
MAC
[Expert Info (Warning/Undecoded): No dissector for algorithm:hmac-md5.sig-alg.reg.int]
[No dissector for algorithm:hmac-md5.sig-alg.reg.int]
[Severity level: Warning]
[Group: Undecoded]
Original Id: 56140
Error: No error (0)
Other Len: 0
-------------

after dnsdist

Domain Name System (query)
Transaction ID: 0x8808
Flags: 0x2800 Dynamic update
0... .... .... .... = Response: Message is a query
.010 1... .... .... = Opcode: Dynamic update (5)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Zones: 1
Prerequisites: 1
Updates: 2
Additional RRs: 2
Zone
univ-lr.fr: type SOA, class IN
Name: univ-lr.fr
[Name Length: 10]
[Label Count: 2]
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Prerequisites
u-bionic-2-5003.univ-lr.fr: type ANY, class NONE
Name: u-bionic-2-5003.univ-lr.fr
Type: * (A request for all records the server/cache has available) (255)
Class: NONE (0x00fe)
Time to live: 0 (0 seconds)
Data length: 0
Updates
u-bionic-2-5003.univ-lr.fr: type A, class IN, addr 10.2.154.237
Name: u-bionic-2-5003.univ-lr.fr
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 3600 (1 hour)
Data length: 4
Address: 10.2.154.237
u-bionic-2-5003.univ-lr.fr: type DHCID, class IN
Name: u-bionic-2-5003.univ-lr.fr
Type: DHCID (49)
Class: IN (0x0001)
Time to live: 3600 (1 hour)
Data length: 35
DHCID Data: 000001a719b0b167ca71adf4b02ed05693d7d8dec38e29a6…
Additional records
bean-dhcp: type TSIG, class ANY
Name: bean-dhcp
Type: TSIG (Transaction Signature) (250)
Class: ANY (0x00ff)
Time to live: 0 (0 seconds)
Data length: 58
Algorithm Name: hmac-md5.sig-alg.reg.int
Time Signed: Feb 11, 2020 11:55:51.000000000 CET
Fudge: 300
MAC Size: 16
MAC
[Expert Info (Warning/Undecoded): No dissector for algorithm:hmac-md5.sig-alg.reg.int]
[No dissector for algorithm:hmac-md5.sig-alg.reg.int]
[Severity level: Warning]
[Group: Undecoded]
Original Id: 56140
Error: No error (0)
Other Len: 0
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 512
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x0000
0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 12
Option: CSUBNET - Client subnet
Option Code: CSUBNET - Client subnet (8)
Option Length: 8
Option Data: 000120000a011e18
Family: IPv4 (1)
Source Netmask: 32
Scope Netmask: 0
Client Subnet: 10.1.30.24







On 11 Feb 2020 at 11:33 +0100, Remi Gacogne via Pdns-users wrote:
> Hi Marc,
>
> On 2/10/20 10:42 PM, Marc Boisis via Pdns-users wrote:
> > Here is my config:
> > [isc-dhcp] ----dns update---->[dnsdist--->pdns authoritative]
> > The isc dhcp server (v4.4.2) sends a DNS update query with a TSIG
> > key (hmac-md5). (I see it with tcpdump/wireshark.)
> > When the authoritative gets the request, it says: "UPDATE (9470) from
> > 127.0.0.1 for my-domain.com: TSIG key required, but packet does not
> > contain key. Sending REFUSED"
> >
> > my dnsdist config is:
> >
> > newServer({address='127.0.0.1:5300', pool='auth'})
> > addAction(OpcodeRule(DNSOpcode.Update), PoolAction("auth"))
> >
> > my authoritative config:
> >
> > allow-dnsupdate-from=127.0.0.0/8
> > dnsupdate=yes
> >
> > Am I missing something?
>
> Would you mind sharing the exact versions of dnsdist and PowerDNS
> authoritative server you are using?
>
> Did you try capturing the packet leaving dnsdist toward the
> authoritative server to confirm that the TSIG key is still there? Your
> configuration does not require the addition of EDNS Client Subnet so
> dnsdist shouldn't be altering the packet at all, but it would be nice to
> know what the authoritative server actually receives.
>
> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
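
A check for the difference visible in the two captures above (added example, not part of the original thread): it walks a DNS UPDATE message and reports whether the TSIG record is still the final record of the additional section, which is where RFC 8945 requires it to be. The zone, host and key names and the zeroed TSIG RDATA are constructed placeholders; only the flags value and the ECS option bytes are taken from the captures.

```python
import struct

TYPE_OPT, TYPE_TSIG = 41, 250

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def additional_types(msg):
    """RR types of the additional section, in wire order."""
    _id, _flags, zo, pr, up, ad = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(zo):                    # zone entries: name, type, class
        off = skip_name(msg, off) + 4
    types = []
    for i in range(pr + up + ad):          # prerequisite, update, additional RRs
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i >= pr + up:
            types.append(rtype)
    return types

def tsig_is_last(msg):
    """True when exactly one TSIG is present and nothing follows it."""
    types = additional_types(msg)
    return types.count(TYPE_TSIG) == 1 and types[-1] == TYPE_TSIG

def name(text):
    return b"".join(bytes([len(l)]) + l.encode() for l in text.split(".") if l) + b"\0"

def rr(owner, rtype, rclass, ttl, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(with_ecs):
    """Constructed UPDATE (flags 0x2800); names and TSIG RDATA are placeholders."""
    header = struct.pack("!6H", 0xDB4C, 0x2800, 1, 0, 1, 2 if with_ecs else 1)
    zone = name("example.org") + struct.pack("!HH", 6, 1)
    update = rr("host.example.org", 1, 1, 3600, bytes([192, 0, 2, 10]))
    tsig = rr("sample-key", TYPE_TSIG, 255, 0, bytes(16))
    # OPT carrying the ECS option data from the second capture; class = payload size
    ecs = struct.pack("!HH", 8, 8) + bytes.fromhex("000120000a011e18")
    opt = rr("", TYPE_OPT, 512, 0, ecs)
    return header + zone + update + tsig + (opt if with_ecs else b"")

if __name__ == "__main__":
    for label, msg in (("before", build_update(False)), ("after", build_update(True))):
        print(label, additional_types(msg), "TSIG last:", tsig_is_last(msg))
```

The same functions can be pointed at the raw DNS payload of a packet captured between dnsdist and the backend to confirm what the authoritative server actually receives.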