Re: Bind forgets my changes with nsupdate

2023-10-08 Thread Michael Richardson

201907-b...@planhack.com wrote:
>> My solution is not to mix dynamic update with other access.  Instead,
>> I put in CNAMEs in the signed zone to a sub-zone (or other zone) where
>> I do exclusive dynamic update.  This isn't perfect, but it works well
>> enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
>> certificates.

> Not perfect? What issues did you see? Thanks!

a) there are still a number of situations where systems do not follow CNAMEs
   when they should.  Particularly relating to RFC2317 reverse delegations.

b) using a second zone introduces additional possibilities for DNSSEC to be
   broken.

c) cruft accumulates in the second zone, and some of it does not get deleted.

d) updates to secondaries sometimes take longer than certbot is able to cope
   with.  ("up-arrow-return" solves the problem if interactive.  Cron running a
   week later usually works)

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[






-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Bind forgets my changes with nsupdate

2023-10-07 Thread Björn Persson
Paul van der Vlis via bind-users wrote:
> But how could I refresh the key without losing the IP?

I was in a similar situation. I managed my zone files mostly manually,
but a few records needed to be updated automatically. Either manual
changes would obliterate automatically updated records, as you found,
or else automatic updates would cause Bind to rearrange the zone files
and lose all comments, making manual editing much harder.

I have arrived at what I think is a working solution. I'm still
monitoring to see how it works. I now make all changes through dynamic
updates (like with nsupdate), using different TSIG keys with different
privileges in update-policy. Signing and key rotation are handled
automatically by Bind, using dnssec-policy.

I use nsdiff (https://dotat.at/prog/nsdiff/) and nsupdate to apply
manual changes. That way I still have hand-written zone files with
comments, so I can keep an overview, but Bind never sees them. The zone
files that Bind uses are managed by Bind and don't need to be easy to
read. I have a wrapper script that calls nsdiff to compare each hand-
written zone file to the corresponding zone on the server, specifying a
pattern with -i to tell nsdiff which records are managed in other ways.
The wrapper then displays the changes, asks for approval, and then
applies the changes through nsupdate.

My TSIG key for manual changes, which has much greater privileges than
the keys for specific automatic updates, is stored in an encrypted
keyring managed with Pass (https://www.passwordstore.org/). My wrapper
requests the key from Pass – which requires me to type the master
passphrase – and passes it to nsdiff and to nsupdate using pipes so
that the decrypted key is never written to even a temporary file.

I found that inline-signing breaks nsdiff. I recommend an explicit
"inline-signing no;" in each zone to prevent problems. Bind will then
not keep an unsigned version of the zone, and it doesn't need to when
all changes are made through dynamic updates.

Björn Persson




Re: Bind forgets my changes with nsupdate

2023-10-06 Thread 201907-bind
>   My solution is not to mix dynamic update with other access.
>   Instead, I put in CNAMEs in the signed zone to a sub-zone (or other zone)
>   where I do exclusive dynamic update.  This isn't perfect, but it works
>   well enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
>   certificates.

Not perfect? What issues did you see? Thanks!


Re: Bind forgets my changes with nsupdate

2023-10-06 Thread Michael Richardson

In general, you don't want to mix dynamic update zones with ones that you
want to edit by hand.  I see that you are doing manual DNSSEC signing in your
cron job.

Your choices are:
a) do everything with dynamic update, and turn on automatic DNSSEC management
   in bind9.

b) do your DNSSEC signing inline.
   I blogged poorly about my setup:
   https://www.sandelman.ca/mcr/blog/sysadmin/bind9-dnssec-formula/

c) a mix of the above.
   My solution is not to mix dynamic update with other access.
   Instead, I put in CNAMEs in the signed zone to a sub-zone (or other zone)
   where I do exclusive dynamic update.  This isn't perfect, but it works
   well enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
   certificates.





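Michael's option (c), a CNAME from the hand-maintained signed zone into a separate zone that only ever receives dynamic updates, written out as named.conf. This is an added example, not his configuration (his blog post above has that, and his 2023-10-08 reply at the top of the thread lists the drawbacks). example.com, dyn.example.com, the key name certbot-key, the file paths and the dummy secret are placeholders chosen for this example, and it assumes BIND 9.16 or newer for `type primary` and `dnssec-policy`.

```conf
// Added example, not Michael's named.conf. Names, paths and the secret
// are placeholders; generate a real key with:
//   tsig-keygen -a hmac-sha256 certbot-key
key "certbot-key" {
    algorithm hmac-sha256;
    secret "ZHVtbXktc2VjcmV0LXJlcGxhY2UtbWUtYmVmb3JlLXVzZQ==";  // dummy value
};

// The hand-edited, DNSSEC-signed zone. It accepts no dynamic updates, so
// hand edits and re-signing can never race an nsupdate. Its zone file
// carries three extra records (placeholder names) to make the split work:
//
//   _acme-challenge.example.com.  IN CNAME  _acme-challenge.dyn.example.com.
//   dyn.example.com.              IN NS     ns1.example.com.
//   dyn.example.com.              IN DS     (DS of the sub-zone's key, once it is signed)
//
zone "example.com" {
    type primary;
    file "/etc/bind/zones/example.com.signed";
    // how this zone is signed (cron + dnssec-signzone, or dnssec-policy
    // with inline-signing yes) is whatever it was before the split
};

// The sub-zone exists only to receive dynamic updates. Nothing is edited
// by hand here, so named owns the file and its journal outright.
zone "dyn.example.com" {
    type primary;
    file "/var/lib/bind/dyn.example.com";
    dnssec-policy default;   // named signs and re-signs; no cron, no .signed file
    update-policy {
        // certbot's key may write exactly one record type at exactly one
        // name; it cannot change anything else in this zone, and it has
        // no access at all to example.com.
        grant certbot-key name _acme-challenge.dyn.example.com. TXT;
    };
};
```

The ACME client's nsupdate then targets the zone dyn.example.com. (the only zone its key can write), and the CNAME is what makes the validator look there. Michael's caveat (b) is the DS line: resolvers only validate the sub-zone while the parent publishes a DS that matches its current key, so any key roll in dyn.example.com has to be followed by a DS change in example.com; the built-in default policy uses a single key that it does not roll on its own, which keeps that manual step rare. Caveat (a) is outside named's control: anything that resolves _acme-challenge.example.com without following the CNAME sees no TXT record at all.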


Re: Bind forgets my changes with nsupdate

2023-10-06 Thread Mark Andrews
Just configure named to sign the zone. 

-- 
Mark Andrews

> On 6 Oct 2023, at 22:30, Paul van der Vlis  wrote:
> 
> On 06-10-2023 at 10:39, Mark Andrews wrote:
>> You need to figure out what is updating the zone. This isn’t named.
> 
> Thanks for your answer.
> It makes me find the reason. See my other message.
> 
> With regards,
> Paul
> 
> 
> -- 
> Paul van der Vlis Linux systeembeheer Groningen
> https://vandervlis.nl/


Re: Bind forgets my changes with nsupdate

2023-10-06 Thread Paul van der Vlis via bind-users

On 06-10-2023 at 10:39, Mark Andrews wrote:

> You need to figure out what is updating the zone. This isn't named.


Thanks for your answer.
It makes me find the reason. See my other message.

With regards,
Paul


--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/


Re: Bind forgets my changes with nsupdate

2023-10-06 Thread Paul van der Vlis via bind-users

On 06-10-2023 at 10:28, Paul van der Vlis via bind-users wrote:

> Hello,
>
> I try to give a dynamic IP to a name, using nsupdate. This works fine,
> but after some hours the IP is gone from the master (which I update).
>
> Something like this:
> Host home.customer.nl not found: 3(NXDOMAIN)
>
> The IP is then still available from the slaves, which get it from the
> master.
>
> I do something like this to give the IP, using a script:
>
> root@server:~# /usr/bin/nsupdate -k /etc/customer.key
>  > server ns1.vandervlis.nl
>  > zone customer.nl.
>  > update delete home.customer.nl.
>  > update add home.customer.nl. 3600 A 1.2.3.4
>  > send
>  > quit
>
> I don't see anything about the removal in the logs. But I saw a "freeze"
> and a "thaw" in the logs for the domain.
>
> Any idea why the IP is removed after some time?

Hmm, I see I have a cronjob which causes this problem:

-
# change serial
# named-checkzone reports "loaded serial N"; egrep pulls the 10-digit serial out of that
SERIAL=`named-checkzone $domain $domain | egrep -ho '[0-9]{10}'`
# bump it in the unsigned zone file in place (sed replaces the first match of those digits)
sed -i 's/'$SERIAL'/'$(($SERIAL+1))'/' $domain

# sign zone
# freeze suspends dynamic updates and flushes the journal into the zone file named serves
rndc freeze $domain
# re-sign the unsigned file $domain; the result overwrites $domain.signed
dnssec-signzone -S -K /etc/bind/keys/ -g -a -o $domain $domain
# load the freshly signed file, then allow dynamic updates again
rndc reload $domain
rndc thaw $domain
-

But how could I refresh the key without losing the IP?

With regards,
Paul





--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/
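Björn's arrangement from his reply above (every change through nsupdate, a separate TSIG key per job with its own update-policy grant, DNSSEC left to dnssec-policy, an explicit `inline-signing no;`), applied to the zone from Paul's message, as an added named.conf example. It is neither Björn's nor Paul's actual configuration: customer.nl and home.customer.nl are the names from Paul's message, while the key names manual-key and home-key, the file path and the two dummy secrets are placeholders chosen for this example; it assumes BIND 9.16 or newer for `type primary` and `dnssec-policy`.

```conf
// Added example, not Björn's or Paul's named.conf. Key names, path and
// secrets are placeholders; generate real keys with:
//   tsig-keygen -a hmac-sha256 manual-key
//   tsig-keygen -a hmac-sha256 home-key

// Full-zone key, used only by the operator's nsdiff/nsupdate wrapper.
// Whoever holds it can rewrite the whole zone. The server needs the
// secret here to verify signatures, so keep this file readable by named
// only; the operator's copy lives in an encrypted Pass store and is
// piped into nsdiff and nsupdate, never written to a temporary file.
key "manual-key" {
    algorithm hmac-sha256;
    secret "bWFudWFsLWtleS1kdW1teS1yZXBsYWNlLWJlZm9yZS11c2U=";  // dummy value
};

// Narrow key for the script that reports the customer's dynamic IP.
// If this key leaks, the holder can change one name's address records
// and nothing else in the zone.
key "home-key" {
    algorithm hmac-sha256;
    secret "aG9tZS1rZXktZHVtbXktcmVwbGFjZS1iZWZvcmUtdXNl";  // dummy value
};

zone "customer.nl" {
    type primary;
    file "/var/lib/bind/customer.nl";  // written only by named (file + journal)
    dnssec-policy default;   // named bumps the serial, signs and re-signs
    inline-signing no;       // sign in place; no separate unsigned copy
    update-policy {
        // rules are checked in order; the first one that matches the
        // signing key, the name and the type decides
        grant home-key   name    home.customer.nl. A AAAA;
        grant manual-key zonesub ANY;
    };
};
```

With this in place Paul's cron job goes away entirely: there is no serial to bump, nothing to freeze, and no dnssec-signzone run to overwrite the file, so a record added with nsupdate stays until someone holding a key that covers it deletes it. Hand edits take the route Björn describes: the readable zone file stays outside named's reach, nsdiff compares it with the live zone with `-i` excluding home.customer.nl (so the router-managed record is neither reverted nor flagged), the diff is reviewed, and the approved changes are sent with nsupdate signed by manual-key. Do not hand that secret to `nsupdate -y`, which puts it on the command line where the process list shows it; `nsupdate -k` reads a key file, and Björn feeds that through a pipe from Pass rather than a file on disk.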


Re: Bind forgets my changes with nsupdate

2023-10-06 Thread Mark Andrews
You need to figure out what is updating the zone. This isn’t named.

-- 
Mark Andrews

> On 6 Oct 2023, at 19:28, Paul van der Vlis via bind-users 
>  wrote:
> 
> Hello,
> 
> I try to give a dynamic IP to a name, using nsupdate. This works fine, but 
> after some hours the IP is gone from the master (which I update).
> 
> Something like this:
> Host home.customer.nl not found: 3(NXDOMAIN)
> 
> The IP is then still available from the slaves, which get it from the master.
> 
> I do something like this to give the IP, using a script:
> 
> root@server:~# /usr/bin/nsupdate -k /etc/customer.key
> > server ns1.vandervlis.nl
> > zone customer.nl.
> > update delete home.customer.nl.
> > update add home.customer.nl. 3600 A 1.2.3.4
> > send
> > quit
> 
> I don't see anything about the removal in the logs. But I saw a "freeze" and 
> a "thaw" in the logs for the domain.
> 
> Any idea why the IP is removed after some time?
> 
> With regards,
> Paul van der Vlis
> 
> 
> 
> -- 
> Paul van der Vlis Linux systeembeheer Groningen
> https://vandervlis.nl/