[Pdns-users] PDNS Authoritative: updating from 4.6.4 to 4.7.3 - broken RFC2136 / dynamic updates

Andrea Biancalani a.biancalani at conmet.it
Thu Dec 15 10:58:01 UTC 2022


Answering myself:

The problem is only the fact that (don't know why...) the password in 
TSIG-KEYS is between single quotes.
Removing those keys and recreating them after the upgrade solved my problem.

Cheers

On 15/12/2022 10:35, Andrea Biancalani wrote:
> Hello there,
>
> I've recently updated my PDNS Authoritative from 4.6.4 to 4.7.3 and 
> I've noticed my dynamic DNS updates have broken.
>
> Just to make an example:
>
>  1. create a new zone (aka: 123.com)
>  2. set meta-data for that zone allowing update for specific IP, key
>     name, algorithm
>  3. send an nsupdate command
>
> (you can follow official documentation to do that: 
> https://doc.powerdns.com/authoritative/dnsupdate.html#per-zone-settings)
>
> when I try to update that zone through nsupdate from an allowed IP, 
> using correct tsig-key name + password it throws an error:
>
>
> META values for 123.com
>
>> root@ns1:~# pdnsutil get-meta 123.com
>> Dec 15 10:31:36 [bindbackend] Parsing 0 domain(s), will report when done
>> Dec 15 10:31:36 [bindbackend] Done parsing domains, 0 rejected, 0 
>> new, 0 removed
>> Metadata for '123.com'
>> ALLOW-DNSUPDATE-FROM = X.X.X.X/32 *<-- My allowed IP to set dyndns 
>> update through RFC2136*
>> SOA-EDIT-API = DEFAULT
>> TSIG-ALLOW-DNSUPDATE = 123-test *<-- KEY NAME*
>>
>> root@ns1:~# pdnsutil list-tsig-keys
>> Dec 15 10:31:50 [bindbackend] Parsing 0 domain(s), will report when done
>> Dec 15 10:31:50 [bindbackend] Done parsing domains, 0 rejected, 0 
>> new, 0 removed
>> 123-test. hmac-md5. '*1Q7VGkGcK6p46S0OVG2K5cm2DWUFQXEqP12pDjuLbJk=*' 
>> <-- *KEY PASSWORD*
>>
>
> command sent:
>
>> nsupdate <<!
>> server */<MY DNS REMOTE SERVER>/* 53
>> zone 123.com
>> update add test1.123.com 3600 TXT "this is a test"
>> key hmac-md5:123-test 1Q7VGkGcK6p46S0OVG2K5cm2DWUFQXEqP12pDjuLbJk=
>> send
>> !
>
> Result:
>
>> Dec 15 10:23:26 ns1 pdns_server[3782843]: Packet for '123.com' 
>> denied: Signature with TSIG key '123-test' failed to validate
>> Dec 15 10:24:05 ns1 pdns_server[3782843]: Packet for '123.com' 
>> denied: Signature with TSIG key '123-test' failed to validate
>
> Is this a bug? Do I have to write a ticket on GitHub about this?
>
> Kind regards,
>
> Andrea
>

-- 
Andrea Biancalani - /Rep. Commerciale e Tecnico/
*Connessioni Metropolitane srl*
Via G. Valentini, 14 - Prato (PO) - 59100
Sito web: https://www.conmet.it
Tel. 0574 536553
Fax. 0574 536554
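
A check for the condition described in this thread, as an added example that is not part of the original message or of PowerDNS: it reads `pdnsutil list-tsig-keys` output in the format quoted above and reports keys whose stored secret is wrapped in quotes or is not plain base64. The function names and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit TSIG secrets before/after an upgrade.
# Assumes the list-tsig-keys line format shown in the quoted output:
#   <name>. <algorithm>. <secret>

# Hypothetical helper: reads list-tsig-keys output on stdin and prints
# "<key-name> <reason>" for every secret that would not decode as base64.
find_bad_tsig_secrets() {
    awk -v sq="'" '
        # Key lines have exactly three fields and an hmac-* algorithm;
        # backend log lines such as "[bindbackend] Parsing ..." have more.
        NF == 3 && $2 ~ /^hmac-/ {
            name = $1; sub(/\.$/, "", name)      # drop trailing root dot
            secret = $3
            first = substr(secret, 1, 1)
            last  = substr(secret, length(secret), 1)
            if (first == sq || last == sq || first == "\"" || last == "\"")
                print name, "quoted"
            else if (length(secret) % 4 != 0 || secret !~ /^[A-Za-z0-9+\/]+=?=?$/)
                print name, "not-base64"
        }'
}

# Constructed sample input modelled on the output quoted in the thread
# (key names and secrets are made up for this example).
sample_output() {
    cat <<'EOF'
Dec 15 10:31:50 [bindbackend] Parsing 0 domain(s), will report when done
good-key. hmac-sha256. Y29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldA==
quoted-key. hmac-md5. 'Y29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldA=='
broken-key. hmac-sha256. not*base64
EOF
}

# On a live server (assumes pdnsutil is in PATH):
#   pdnsutil list-tsig-keys | find_bad_tsig_secrets
```

Any key it reports is a candidate for the fix described above: remove the key and recreate it.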