Hi Ruben,
I've tried to reproduce your issue on my end, but failed.
Could you try running the following:
$ nsupdate <<!
server 127.0.0.1 53
zone example.com
prereq nxdomain client-ubuntu.example.com
update add client-ubuntu.example.com 300 A 172.16.100.34
update add client-ubuntu.example.com 300 TXT "00bc035b76ccfec55f7d52a28a35c10053"
key ddns_update hdD/wdMScNJhp0Dgpm6q8Q==
send
answer
!
This should result in exactly the same update as your dhcpd is sending. Can you
check how pdns responds to that?
The result of the above command is, unfortunately:
; TSIG error with server: expected a TSIG or SIG(0)
update failed: REFUSED
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 7453
;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;example.com. IN SOA
pdns logs are as follows:
Aug 24 10:15:41 ddnstest1 pdns[1275]: TCP Remote 127.0.0.1 wants
'example.com|SOA', do = 0, bufsize = 512: packetcache MISS
Aug 24 10:15:41 ddnstest1 pdns[1275]: Query: select algorithm, secret
from tsigkeys where name=E'ddns_update'
Aug 24 10:15:41 ddnstest1 pdns[1275]: Packet for domain 'example.com'
denied: TSIG signature mismatch using 'ddns_update' and algorithm
'hmac-md5.sig-alg.reg.int.'
Aug 24 10:15:41 ddnstest1 pdns[1275]: Received a TSIG signed message
with a non-validating key
btw, if I send to port 54 (i.e. directly to PDNS) instead, I get the
expected successful result:
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 48673
;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com. IN SOA
;; TSIG PSEUDOSECTION:
ddns_update. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1408843148 300 16
SDNHs1KVTDSRfC5GLUYCrA== 48673 NOERROR 0
I really appreciate your help
Thanks,
Martin
On Fri, Aug 22, 2014 at 11:31:12AM +0200, Ruben d'Arco wrote:
Hi Martin,
To me, this seems to have nothing to do with bind. PDNS checks the TSIG on the package
and can't verify it correctly. It then drops it and nothing happens.
I'm running dhcpd 4.2.5, I thought that could be the issue, but the pcap will
verify.
I'll get back to you later!
Regards,
Ruben
On Fri, Aug 22, 2014 at 06:05:57PM +0900, Martin Chandler wrote:
Hi Ruben,
Going back over versions, I see I am running BIND 9.9.5 instead of 9.3.
Maybe that's the problem?
dhcpd is 4.2.4.
I will send you the packet capture off-list,
as I am not sure if it is permissible to send attachments to the list...
Thanks,
Martin
(2014-08-22 17:07), Ruben d'Arco wrote:
Hi Martin,
I'm running virtually the same config but do not have this issue.
Would it be possible for you to create a tcpdump/pcap file so I can replay the
message on my end?
Just to be sure, the tsigkeys table should have 'hmac-md5' as algorithm.
Could you also tell us what version of dhcpd you're running?
Regards,
Ruben
On Fri, Aug 22, 2014 at 03:03:16PM +0900, Martin Chandler wrote:
Hi Ruben,
Could you provide some logging from powerdns?
It should note/show what it's doing on that end...
I added the following to pdns.conf:
loglevel=9
log-dns-details=yes
log-dns-queries=yes
query-logging=yes
and this is all that pdns logs during the dhcp transaction:
Aug 22 14:58:50 ddnstest1 pdns[1246]: TCP Remote 127.0.0.1 wants
'example.com|SOA', do = 0, bufsize = 512: packetcache MISS
Aug 22 14:58:50 ddnstest1 pdns[1246]: Query: select algorithm,
secret from tsigkeys where name=E'ddns_update'
Aug 22 14:58:50 ddnstest1 pdns[1246]: Packet for domain
'example.com' denied: TSIG signature mismatch using 'ddns_update'
and algorithm 'hmac-md5.sig-alg.reg.int.'
Aug 22 14:58:50 ddnstest1 pdns[1246]: Received a TSIG signed message
with a non-validating key
Thanks,
Martin
Regards,
Ruben
On 22 August 2014 04:40:57 CEST, Martin Chandler <[email protected]> wrote:
Hi,
I have been playing with the new dynamic dns feature of authoritative
server 3.4.0-rc1, and have a question regarding interaction when using
pdns as a hidden master in conjunction with bind 9.3 with the
allow-update-forwarding setting.
(please excuse me if this is more of a BIND issue)
In short, the TSIG request bind forwards does not seem to work.
My log looks like this (server is ubuntu 14.04) when a client (also
ubuntu 14.04) requests an IP address:
Aug 22 10:39:27 ddnstest1 dhcpd: DHCPDISCOVER from 52:54:00:41:5f:23 via eth1
Aug 22 10:39:28 ddnstest1 dhcpd: DHCPOFFER on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: signer "ddns_update" approved
Aug 22 10:39:28 ddnstest1 named[1422]: client 127.0.0.1#2532/key ddns_update: forwarding update for zone 'example.com/IN'
Aug 22 10:39:28 ddnstest1 pdns[1248]: Packet for domain 'example.com' denied: TSIG signature mismatch using 'ddns_update' and algorithm 'hmac-md5.sig-alg.reg.int.'
Aug 22 10:39:28 ddnstest1 named[1422]: zone example.com/IN: forwarded dynamic update: master 127.0.0.1#54 returned: REFUSED
Aug 22 10:39:28 ddnstest1 dhcpd: DHCPREQUEST for 172.16.100.34 (172.16.100.5) from 52:54:00:41:5f:23 (client-ubuntu) via eth1
Aug 22 10:39:28 ddnstest1 dhcpd: DHCPACK on 172.16.100.34 to 52:54:00:41:5f:23 (client-ubuntu) via eth1
Aug 22 10:39:28 ddnstest1 dhcpd: Unable to add forward map from client-ubuntu.example.com to 172.16.100.34: expected a TSIG or SIG(0)
I have PowerDNS set up to run on port 54 as a hidden master to a BIND
slave on port 53. The dhcp server also runs on the same machine.
pdns.conf:
master=yes
experimental-dnsupdate=yes
allow-dnsupdate-from=
local-port=54
query-local-address=127.0.0.1
launch=gpgsql
gpgsql-dnssec=yes
powerdns=# select * from domains;
 id |    name     | master | last_check |  type  | notified_serial | account
----+-------------+--------+------------+--------+-----------------+---------
  1 | example.com |        |            | MASTER |      2014082206 |

powerdns=# select * from domainmetadata;
 id | domain_id |         kind         |     content
----+-----------+----------------------+-----------------
  1 |         1 | ALLOW-DNSUPDATE-FROM | 172.16.100.0/24
  3 |         1 | SOA-EDIT-DNSUPDATE   | DEFAULT
  9 |         1 | ALLOW-DNSUPDATE-FROM | 127.0.0.1/32
 14 |         1 | TSIG-ALLOW-DNSUPDATE | ddns_update

powerdns=# select * from tsigkeys;
 id |    name     |         algorithm         |          secret
----+-------------+---------------------------+--------------------------
  1 | ddns_update | hmac-md5                  | hdD/wdMScNJhp0Dgpm6q8Q==
  2 | ddns_update | hmac-md5.sig-alg.reg.int. | hdD/wdMScNJhp0Dgpm6q8Q==
(I have tried with only one or the other of the above)
named.conf:
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    allow-recursion { 172.16.100.0/24; };
};
key ddns_update {
    algorithm hmac-md5;
    secret "hdD/wdMScNJhp0Dgpm6q8Q==";
};
zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters port 54 { 127.0.0.1; };
    allow-query { any; };
    allow-update-forwarding { any; };
};
dhcpd.conf:
authoritative;
ddns-update-style interim;
ddns-updates on;
ignore client-updates;
update-static-leases on;
subnet 172.16.100.0 netmask 255.255.255.0 {
    range 172.16.100.5 172.16.100.127;
    option domain-name-servers 172.16.100.5;
    option subnet-mask 255.255.255.0;
    option broadcast-address 172.16.100.255;
    option routers 172.16.100.5;
    option domain-name "example.com";
}
key ddns_update {
    algorithm hmac-md5;
    secret "hdD/wdMScNJhp0Dgpm6q8Q==";
}
zone example.com. {
    primary 127.0.0.1;
    key ddns_update;
}
If I remove BIND from the equation and have dhcpd talk directly to
PowerDNS, everything goes fine, so it is something about forwarding that
is not working.
Any suggestions would be appreciated.
Thanks,
Martin
------------------------------------------------------------------------
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
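The two errors that run through this thread, "TSIG signature mismatch" on the pdns side and "expected a TSIG or SIG(0)" on the dhcpd side, are both outcomes of the same check: the server recomputes an HMAC over the whole UPDATE message plus the TSIG fields and compares it with the MAC the sender attached. The following is an added example, not code from the thread, from PowerDNS or from BIND: a minimal RFC 2845 HMAC-MD5 signer and verifier in pure Python that builds the same kind of UPDATE shown above, signs it, and then verifies it under each of the conditions a server can hit. The key name and zone names are taken from the thread; the base64 secrets, the message id, the timestamp and the function names (`build_update`, `tsig_sign`, `tsig_verify`, `demo`) are constructed for this example. It also folds the two algorithm spellings seen in the tsigkeys table ("hmac-md5" and "hmac-md5.sig-alg.reg.int.") onto the wire-format name, which is what actually goes into the digest.

```python
"""Added example: minimal TSIG (RFC 2845, HMAC-MD5) sign/verify for a DNS UPDATE.
Key name and zone names come from the thread; secrets, ids and timestamps are constructed."""
import base64
import hashlib
import hmac
import struct

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
# Short alias for the registered HMAC-MD5 algorithm name; the wire form is what gets digested.
ALG_ALIASES = {"hmac-md5.": "hmac-md5.sig-alg.reg.int."}
# Constructed secret for this example (not the key from the thread).
KEYS = {"ddns_update": ("hmac-md5", "EXAMPLEKEYEXAMPLEKEYAA==")}


def canonical_alg(name):
    n = name.lower().rstrip(".") + "."
    return ALG_ALIASES.get(n, n)


def wire_name(name):
    """Uncompressed, lowercased wire-format name (RFC 1035 labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split(".") if l)
    return out + b"\x00"


def read_name(msg, off):
    """Decode a wire-format name at `off`; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            rest, _ = read_name(msg, ((length & 0x3F) << 8) | msg[off])
            return ".".join(labels + [rest.rstrip(".")]) + ".", off + 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_update(msg_id, zone, host, ttl, ipv4):
    """Unsigned DNS UPDATE adding one A record (what dhcpd or nsupdate sends)."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = wire_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + rr


def tsig_variables(key_name, alg_name, time_signed, fudge, error=0, other=b""):
    """The TSIG fields that are digested together with the message."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg_name)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, alg_name, secret_b64, time_signed, fudge=300):
    """Append a TSIG RR covering `msg` (which must not already carry one)."""
    alg_name = canonical_alg(alg_name)
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + tsig_variables(key_name, alg_name, time_signed, fudge), hashlib.md5).digest()
    msg_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (wire_name(alg_name) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + tsig_rr


def tsig_verify(signed, keys, now):
    """Check the TSIG the way an authoritative server does. `keys` maps key name ->
    (algorithm, base64 secret), like the tsigkeys table. Returns (ok, reason)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "expected a TSIG or SIG(0)"
    off = 12
    for _ in range(qd):  # zone section: name + type + class
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):  # every RR except the last, which must be the TSIG
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    if struct.unpack("!H", signed[off:off + 2])[0] != TYPE_TSIG:
        return False, "expected a TSIG or SIG(0)"
    alg_name, off = read_name(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    key = keys.get(key_name.rstrip("."))
    if key is None or canonical_alg(key[0]) != canonical_alg(alg_name):
        return False, "unknown key name or algorithm"
    # Rebuild what the signer digested: original id, ARCOUNT without the TSIG, TSIG RR removed.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1)
                + signed[12:tsig_start])
    expected = hmac.new(base64.b64decode(key[1]), unsigned + tsig_variables(
        key_name, alg_name, time_signed, fudge, error, other), hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        return False, f"TSIG signature mismatch using '{key_name.rstrip('.')}' and algorithm '{alg_name}'"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def demo(now=1408843148):
    """Sign one UPDATE and verify it under the conditions a server can encounter."""
    msg = build_update(7453, "example.com", "client-ubuntu.example.com", 300, "172.16.100.34")
    signed = tsig_sign(msg, "ddns_update", "hmac-md5", KEYS["ddns_update"][1], now)
    n = len(msg)
    return {
        "unsigned": tsig_verify(msg, KEYS, now),
        "good": tsig_verify(signed, KEYS, now),
        # one covered byte altered in transit (last octet of the address)
        "altered": tsig_verify(signed[:n - 1] + b"\x35" + signed[n:], KEYS, now),
        # same key name on the server, different secret (constructed)
        "other_secret": tsig_verify(signed, {"ddns_update": ("hmac-md5", "QUJDREVGR0hJSktMTU5PUA==")}, now),
        "stale": tsig_verify(signed, KEYS, now + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} -> {result}")
```

The `altered` and `other_secret` cases both surface as the same "signature mismatch" line, which is why that log message alone cannot tell you whether a forwarder changed the covered bytes or the two sides simply hold different secrets; comparing a capture of what pdns received with what dhcpd sent, as Ruben asked for, is what separates the two.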