Re: [Pdns-users] dns update across dnsdist

2020-02-11 Thread Remi Gacogne via Pdns-users
On 2/11/20 12:39 PM, Marc Boisis via Pdns-users wrote:
> My dnsdist version is 1.3.3 and authoritative is 4.2.0

Thanks!

> I've found a diff with wireshark, before dnsdist I have just one
> additional record containing the TSIG
> after dnsdist I have two additional records (TSIG and OPT with client
> subnet)

OK, so it looks like dnsdist is adding an OPT record with an EDNS Client
Subnet (in the wrong place, but that's a known issue that has only been
fixed recently, see [1]).
I'm also surprised that the authoritative server accepts such a DNS
packet where the TSIG record is not the last one, but let's forget that
for now.

> I tried "newServer({address='127.0.0.1:5300', pool='auth-update',
> useClientSubnet=false })" or "newServer({address='127.0.0.1:5300',
> pool='auth-update', useClientSubnet=true })" but the result is the same.

Would you mind pasting your whole configuration? dnsdist doesn't add ECS
by default, so something in your configuration must be enabling ECS
addition somehow.

[1]: https://github.com/PowerDNS/pdns/issues/8098

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/



signature.asc
Description: OpenPGP digital signature
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
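The two captures in this thread differ only in where the OPT record lands: before dnsdist the TSIG is the sole (and therefore last) additional RR, after dnsdist an OPT record with an EDNS Client Subnet option follows it. RFC 8945 requires the TSIG to be the last RR in the message, which is why Remi calls the placement wrong. The following is an added example, not code from the thread, dnsdist or PowerDNS: it builds a DNS UPDATE shaped like the DHCP server's packet (same sections, same names and zone, TSIG algorithm and 58-byte TSIG rdata as in the capture), appends an ECS OPT record after the TSIG the way the 1.3.3 capture shows, and runs a small wire-format walker that reports whether the TSIG is still last. All function names are mine, the MAC is a constructed all-zero placeholder (no HMAC is computed, so the message would never verify on a real server), and the time-signed value is a constructed timestamp.

```python
import struct

TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_TSIG, TYPE_ANY = 1, 6, 41, 250, 255  # IANA RR types
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
OPCODE_UPDATE = 5
EDNS_OPT_CLIENT_SUBNET = 8

def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    if name not in ("", "."):
        for label in name.rstrip(".").split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at `off` (compression-aware)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + length

def rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes = b"") -> bytes:
    """Serialize one resource record."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def tsig_rr(keyname: str, algorithm: str, time_signed: int, original_id: int,
            mac: bytes, fudge: int = 300) -> bytes:
    """TSIG RR in the RFC 8945 layout. No HMAC is computed here: the caller supplies
    the MAC, and the sample below passes a constructed placeholder that is enough
    for a placement check but would never verify on a real server."""
    rdata = (encode_name(algorithm) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))  # original id, error, other len
    return rr(keyname, TYPE_TSIG, CLASS_ANY, 0, rdata)

def ecs_opt_rr(client_ip: str, source_prefix: int = 32, udp_size: int = 512) -> bytes:
    """OPT RR carrying one EDNS Client Subnet option (RFC 7871), IPv4 only."""
    addr = bytes(int(o) for o in client_ip.split("."))
    option = struct.pack("!HBB", 1, source_prefix, 0) + addr  # family, source, scope
    rdata = struct.pack("!HH", EDNS_OPT_CLIENT_SUBNET, len(option)) + option
    # For OPT the class field carries the UDP payload size and the TTL the EDNS flags.
    return rr("", TYPE_OPT, udp_size, 0, rdata)

def build_update(zone: str, host: str, addr: str, txid: int = 0xDB4C) -> bytes:
    """A signed UPDATE shaped like the DHCP server's packet in the thread: one zone,
    one prerequisite, one A update and a TSIG as the only additional RR."""
    header = struct.pack("!HHHHHH", txid, OPCODE_UPDATE << 11, 1, 1, 1, 1)  # flags 0x2800
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    prereq = rr(host, TYPE_ANY, CLASS_NONE, 0)  # "name is not in use" prerequisite
    update = rr(host, TYPE_A, CLASS_IN, 3600, bytes(int(o) for o in addr.split(".")))
    tsig = tsig_rr("bean-dhcp", "hmac-md5.sig-alg.reg.int", 1581418551, txid,
                   b"\x00" * 16)  # constructed placeholder MAC, not a real signature
    return header + zone_sec + prereq + update + tsig

def append_opt(msg: bytes, opt: bytes) -> bytes:
    """Append an RR to the additional section and bump ARCOUNT: the OPT-after-TSIG
    layout the capture shows after dnsdist 1.3.3."""
    fields = list(struct.unpack("!HHHHHH", msg[:12]))
    fields[5] += 1
    return struct.pack("!HHHHHH", *fields) + msg[12:] + opt

def additional_rr_types(msg: bytes) -> list:
    """Walk the message and return the RR types of the additional section in wire order."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # question (zone) entries: name, type, class
        off = skip_name(msg, off) + 4
    types = []
    for i in range(an + ns + ar):  # prerequisite, update, additional sections
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an + ns:
            types.append(rtype)
    if off != len(msg):
        raise ValueError("trailing bytes after the last RR")
    return types

def check_tsig_placement(msg: bytes) -> str:
    """'ok' when TSIG is the last RR (as RFC 8945 requires), 'tsig-not-last' when
    another RR such as OPT follows it, 'no-tsig' when the message is unsigned."""
    types = additional_rr_types(msg)
    if TYPE_TSIG not in types:
        return "no-tsig"
    return "ok" if types[-1] == TYPE_TSIG else "tsig-not-last"

if __name__ == "__main__":
    before = build_update("univ-lr.fr", "u-bionic-2-5003.univ-lr.fr", "10.2.154.237")
    after = append_opt(before, ecs_opt_rr("10.1.30.24"))
    print("before dnsdist:", additional_rr_types(before), check_tsig_placement(before))
    print("after dnsdist: ", additional_rr_types(after), check_tsig_placement(after))
```

Run as a script it prints `[250] ok` for the packet as the DHCP server sent it and `[250, 41] tsig-not-last` for the packet as it left dnsdist. The same walker can be pointed at a raw capture payload from tcpdump to confirm what the authoritative server actually receives, which is the check Remi asks for; a server that enforces the RFC 8945 placement rule would reject the second layout outright rather than fail the key lookup.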


Re: [Pdns-users] dns update across dnsdist

2020-02-11 Thread Marc Boisis via Pdns-users
Hi Remi,
My dnsdist version is 1.3.3 and authoritative is 4.2.0

I've found a diff with wireshark, before dnsdist I have just one additional 
record containing the TSIG
after dnsdist I have two additional records (TSIG and OPT with client subnet)

I tried "newServer({address='127.0.0.1:5300', pool='auth-update', 
useClientSubnet=false })" or "newServer({address='127.0.0.1:5300', 
pool='auth-update', useClientSubnet=true })" but the result is the same.


before dnsdist:
Domain Name System (query)
Transaction ID: 0xdb4c
Flags: 0x2800 Dynamic update
0...    = Response: Message is a query
.010 1...   = Opcode: Dynamic update (5)
 ..0.   = Truncated: Message is not truncated
 ...0   = Recursion desired: Don't do query recursively
  .0..  = Z: reserved (0)
  ...0  = Non-authenticated data: Unacceptable
Zones: 1
Prerequisites: 1
Updates: 2
Additional RRs: 1
Zone
univ-lr.fr: type SOA, class IN
Name: univ-lr.fr
[Name Length: 10]
[Label Count: 2]
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Prerequisites
u-bionic-2-5003.univ-lr.fr: type ANY, class NONE
Name: u-bionic-2-5003.univ-lr.fr
Type: * (A request for all records the server/cache has available) (255)
Class: NONE (0x00fe)
Time to live: 0 (0 seconds)
Data length: 0
Updates
u-bionic-2-5003.univ-lr.fr: type A, class IN, addr 10.2.154.237
Name: u-bionic-2-5003.univ-lr.fr
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 3600 (1 hour)
Data length: 4
Address: 10.2.154.237
u-bionic-2-5003.univ-lr.fr: type DHCID, class IN
Name: u-bionic-2-5003.univ-lr.fr
Type: DHCID (49)
Class: IN (0x0001)
Time to live: 3600 (1 hour)
Data length: 35
DHCID Data: 01a719b0b167ca71adf4b02ed05693d7d8dec38e29a6…
Additional records
bean-dhcp: type TSIG, class ANY
Name: bean-dhcp
Type: TSIG (Transaction Signature) (250)
Class: ANY (0x00ff)
Time to live: 0 (0 seconds)
Data length: 58
Algorithm Name: hmac-md5.sig-alg.reg.int
Time Signed: Feb 11, 2020 11:55:51.0 CET
Fudge: 300
MAC Size: 16
MAC
[Expert Info (Warning/Undecoded): No dissector for 
algorithm:hmac-md5.sig-alg.reg.int]
[No dissector for algorithm:hmac-md5.sig-alg.reg.int]
[Severity level: Warning]
[Group: Undecoded]
Original Id: 56140
Error: No error (0)
Other Len: 0
-

after dnsdist

Domain Name System (query)
Transaction ID: 0x8808
Flags: 0x2800 Dynamic update
0...    = Response: Message is a query
.010 1...   = Opcode: Dynamic update (5)
 ..0.   = Truncated: Message is not truncated
 ...0   = Recursion desired: Don't do query recursively
  .0..  = Z: reserved (0)
  ...0  = Non-authenticated data: Unacceptable
Zones: 1
Prerequisites: 1
Updates: 2
Additional RRs: 2
Zone
univ-lr.fr: type SOA, class IN
Name: univ-lr.fr
[Name Length: 10]
[Label Count: 2]
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Prerequisites
u-bionic-2-5003.univ-lr.fr: type ANY, class NONE
Name: u-bionic-2-5003.univ-lr.fr
Type: * (A request for all records the server/cache has available) (255)
Class: NONE (0x00fe)
Time to live: 0 (0 seconds)
Data length: 0
Updates
u-bionic-2-5003.univ-lr.fr: type A, class IN, addr 10.2.154.237
Name: u-bionic-2-5003.univ-lr.fr
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 3600 (1 hour)
Data length: 4
Address: 10.2.154.237
u-bionic-2-5003.univ-lr.fr: type DHCID, class IN
Name: u-bionic-2-5003.univ-lr.fr
Type: DHCID (49)
Class: IN (0x0001)
Time to live: 3600 (1 hour)
Data length: 35
DHCID Data: 01a719b0b167ca71adf4b02ed05693d7d8dec38e29a6…
Additional records
bean-dhcp: type TSIG, class ANY
Name: bean-dhcp
Type: TSIG (Transaction Signature) (250)
Class: ANY (0x00ff)
Time to live: 0 (0 seconds)
Data length: 58
Algorithm Name: hmac-md5.sig-alg.reg.int
Time Signed: Feb 11, 2020 11:55:51.0 CET
Fudge: 300
MAC Size: 16
MAC
[Expert Info (Warning/Undecoded): No dissector for 
algorithm:hmac-md5.sig-alg.reg.int]
[No dissector for algorithm:hmac-md5.sig-alg.reg.int]
[Severity level: Warning]
[Group: Undecoded]
Original Id: 56140
Error: No error (0)
Other Len: 0
: type OPT
Name: 
Type: OPT (41)
UDP payload size: 512
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x
0...    = DO bit: Cannot handle DNSSEC security RRs
.000    = Reserved: 0x
Data length: 12
Option: CSUBNET - Client subnet
Option Code: CSUBNET - Client subnet (8)
Option Length: 8
Option Data: 00012a011e18
Family: IPv4 (1)
Source Netmask: 32
Scope Netmask: 0
Client Subnet: 10.1.30.24
On 11 Feb 2020 at 11:33 +0100, Remi Gacogne via Pdns-users , wrote:
> Hi Marc,
>
> On 2/10/20 10:42 PM, Marc Boisis via Pdns-users wrote:
> > Here is my config:
> > [isc-dhcp] dns update>[dnsdist--->pdns authoritative]
> > the isc dhcp server (v4.4.2) sends a dns update query with a tsig
> > key (hmac-md5). (I see it with tcpdump/wireshark).
> > When the authoritative gets the request, it said: "UPDATE (9470) from
> > 

Re: [Pdns-users] dns update across dnsdist

2020-02-11 Thread Remi Gacogne via Pdns-users
Hi Marc,

On 2/10/20 10:42 PM, Marc Boisis via Pdns-users wrote:
> Here is my config:
> [isc-dhcp] dns update>[dnsdist--->pdns authoritative]
> the isc dhcp server (v4.4.2) sends a dns update query with a tsig
> key (hmac-md5). (I see it with tcpdump/wireshark).
> When the authoritative gets the request, it said: "UPDATE (9470) from
> 127.0.0.1 for my-domain.com: TSIG key required, but packet does not
> contain key. Sending REFUSED"
> 
> my dnsdist config is:
> 
> newServer({address='127.0.0.1:5300', pool='auth'})
> addAction(OpcodeRule(DNSOpcode.Update), PoolAction("auth"))
> 
> my authoritative config:
> 
> allow-dnsupdate-from=127.0.0.0/8
> dnsupdate=yes
> 
> Did I miss something?

Would you mind sharing the exact versions of dnsdist and PowerDNS
authoritative server you are using?

Did you try capturing the packet leaving dnsdist toward the
authoritative server to confirm that the TSIG key is still there? Your
configuration does not require the addition of EDNS Client Subnet so
dnsdist shouldn't be altering the packet at all, but it would be nice to
know what the authoritative server actually receives.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
