[Pdns-users] PDNS Authoritative: updating from 4.6.4 to 4.7.3 - broken RFC2136 / dynamic updates

Andrea Biancalani a.biancalani at conmet.it
Thu Dec 15 09:35:27 UTC 2022


Hello there,

I've recently updated my PDNS Authoritative from 4.6.4 to 4.7.3 and I've 
noticed my dynamic DNS updates have broken.

Just to give an example:

 1. create a new zone (aka: 123.com)
 2. set meta-data for that zone allowing update for specific IP, key
    name, algorithm
 3. send an nsupdate command

(you can follow the official documentation to do that: 
https://doc.powerdns.com/authoritative/dnsupdate.html#per-zone-settings)

when I try to update that zone through nsupdate from an allowed IP, 
using correct tsig-key name + password it throws an error:


META values for 123.com

> root@ns1:~# pdnsutil get-meta 123.com
> Dec 15 10:31:36 [bindbackend] Parsing 0 domain(s), will report when done
> Dec 15 10:31:36 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
> Metadata for '123.com'
> ALLOW-DNSUPDATE-FROM = X.X.X.X/32 <-- My allowed IP to set dyndns update through RFC2136
> SOA-EDIT-API = DEFAULT
> TSIG-ALLOW-DNSUPDATE = 123-test <-- KEY NAME
>
> root@ns1:~# pdnsutil list-tsig-keys
> Dec 15 10:31:50 [bindbackend] Parsing 0 domain(s), will report when done
> Dec 15 10:31:50 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
> 123-test. hmac-md5. '1Q7VGkGcK6p46S0OVG2K5cm2DWUFQXEqP12pDjuLbJk=' <-- KEY PASSWORD
>

command sent:

> nsupdate <<!
> server <MY DNS REMOTE SERVER> 53
> zone 123.com
> update add test1.123.com 3600 TXT "this is a test"
> key hmac-md5:123-test 1Q7VGkGcK6p46S0OVG2K5cm2DWUFQXEqP12pDjuLbJk=
> send
> !

Result:

> Dec 15 10:23:26 ns1 pdns_server[3782843]: Packet for '123.com' denied: Signature with TSIG key '123-test' failed to validate
> Dec 15 10:24:05 ns1 pdns_server[3782843]: Packet for '123.com' denied: Signature with TSIG key '123-test' failed to validate

Is this a bug? Do I have to open a ticket on GitHub about this?

Kind regards,

Andrea
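
The following is an added example, not part of the original post and not PowerDNS code: a small parser for the `pdns_server` denial lines quoted above that groups TSIG validation failures per zone and key, so repeated rejections of dynamic updates stand out in syslog. The first two sample lines are the ones from the post (unwrapped); the rest, the 3-in-5-minutes threshold, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First two lines are from the post; the remaining lines are constructed samples.
SAMPLE_LOG = """\
Dec 15 10:23:26 ns1 pdns_server[3782843]: Packet for '123.com' denied: Signature with TSIG key '123-test' failed to validate
Dec 15 10:24:05 ns1 pdns_server[3782843]: Packet for '123.com' denied: Signature with TSIG key '123-test' failed to validate
Dec 15 10:24:40 ns1 pdns_server[3782843]: Packet for '123.com' denied: Signature with TSIG key '123-test' failed to validate
Dec 15 11:02:10 ns1 pdns_server[3782843]: Packet for 'example.org' denied: Signature with TSIG key 'other-key' failed to validate
Dec 15 11:05:00 ns1 sshd[991]: unrelated line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pdns_server\[\d+\]: "
    r"Packet for '(?P<zone>[^']+)' denied: "
    r"Signature with TSIG key '(?P<key>[^']+)' failed to validate$"
)

def parse_failures(text, year=2022):
    """Yield (timestamp, zone, key) for each TSIG validation failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["zone"], m["key"]

def repeated_failures(text, threshold=3, window=timedelta(minutes=5), year=2022):
    """Return {(zone, key): n} where n >= threshold failures fit in one window."""
    by_pair = defaultdict(list)
    for ts, zone, key in parse_failures(text, year):
        by_pair[(zone, key)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pair] = best
    return flagged

if __name__ == "__main__":
    for (zone, key), n in repeated_failures(SAMPLE_LOG).items():
        print(f"{zone}: {n} TSIG failures with key '{key}' inside 5 minutes")
```

A burst of failures for one key after an upgrade, as in the post, points at a configuration or version problem; failures spread across many key names would deserve a different look.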