TSIG with DDNS and BIND's allow-update-forwarding -PDNS 3.4.7.


TSIG with DDNS and BIND's allow-update-forwarding -PDNS 3.4.7.

ciphernix
Am I doing something wrong? Or is this a bug?

This issue was also reported for 3.4-rc1. I've decided to open a new mail thread for awareness.

I would like to use powerdns as a hidden master and BIND as the secondary/slave server.

I send TSIG signed dynamic update requests via the nsupdate utility to the slave server (BIND). The BIND server forwards the request to PDNS. This seems to be working - PDNS receives the request and validates the TSIG key sent by nsupdate, it also makes the requested dynamic update. However, there seems to be an issue with the PowerDNS TSIG response. Nsupdate reports an invalid tsig response ('TSIG error with server: tsig verify failure'). I also have the same issue if I use dnspython library.

This seems to be an issue with powerDNS. If I use BIND as both master and slave I do not get the same TSIG error.


Pdns-3.4.7 was compiled under RHEL 6 with a MySQL backend.

The PDNS server is configured as a hidden master and listening on port 5353.

select * from domains where id=8;
+----+---------------------+--------+------------+--------+-----------------+---------+
| id | name                | master | last_check | type   | notified_serial | account |
+----+---------------------+--------+------------+--------+-----------------+---------+
|  8 | dyntest.example.com | NULL   |       NULL | MASTER |      2015111209 | NULL    |
+----+---------------------+--------+------------+--------+-----------------+---------+

 select * from domainmetadata where domain_id=8;
+----+-----------+----------------------+---------------------+
| id | domain_id | kind                 | content             |
+----+-----------+----------------------+---------------------+
| 16 |         8 | ALLOW-DNSUPDATE-FROM | 0.0.0.0/0           |
| 18 |         8 | SOA-EDIT-API         | INCEPTION-INCREMENT |
| 20 |         8 | TSIG-ALLOW-DNSUPDATE | test                |
+----+-----------+----------------------+---------------------+


select * from tsigkeys where name = 'test';
+----+------+-----------+----------------------------------------------+
| id | name | algorithm | secret                                       |
+----+------+-----------+----------------------------------------------+
|  1 | test | hmac-md5  | kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys= |
+----+------+-----------+----------------------------------------------+


I'm using ISC BIND 9.9.8 as a slave server and allow dynamic DNS update forwarding using BIND's 'allow-update-forwarding' option. The BIND server is listening on port 53.
zone "dyntest.example.com" {
    type slave;
    masters port 5353 {127.0.0.1; };
    allow-update-forwarding {any; };
    file "dyntest.example.com";
};

When I try to use nsupdate 9.9.8 and TSIG to dynamically update zone dyntest.example.com against the slave server, I get a 'TSIG error with server: tsig verify failure'. However, the zone is still updated by PDNS. If I try to update directly against the PDNS server I get no TSIG warning. If I use a BIND server as hidden master I do not have this issue. I would really like to use PDNS as the hidden server. Is there a fix for this issue?

Here is nsupdate in debug mode:

nsupdate -D
> server 127.0.0.1
> zone dyntest.example.com
> key test kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
> update add test3.dyntest.example.com 300 A 127.0.0.3
> send
Sending update to 127.0.0.1#53
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   3658
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;dyntest.example.com.  IN SOA

;; UPDATE SECTION:
test3.dyntest.example.com. 300 IN A 127.0.0.3

;; TSIG PSEUDOSECTION:
test.     0 ANY TSIG hmac-md5.sig-alg.reg.int. 1447704112 300 16 wRvtZ+cN2MZpX972ZB3XxA== 3658 NOERROR 0

update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   3658
;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;dyntest.example.com.  IN SOA

;; TSIG PSEUDOSECTION:
test.     0 ANY TSIG hmac-md5.sig-alg.reg.int. 1447704112 300 16 tkLudfZeOBVGca1ytzuO4A== 3658 NOERROR 0


PDNS log:
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Processing started.
pdns[514]: Query: select content from domains, domainmetadata where domainmetadata.domain_id=domains.id and name='dyntest.example.com' and domainmetadata.kind='ALLOW-DNSUPDATE-FROM'
pdns[514]: Query: select content from domains, domainmetadata where domainmetadata.domain_id=domains.id and name='dyntest.example.com' and domainmetadata.kind='TSIG-ALLOW-DNSUPDATE'
pdns[514]: Query: select id,name,master,last_check,notified_serial,type,account from domains where name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: starting transaction.
pdns[514]: Query: begin
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='A' and name='test3.dyntest.example.com'
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Adding record test3.dyntest.example.com|A
pdns[514]: Query: insert into records (content,ttl,prio,type,domain_id,disabled,name,auth) values ('127.0.0.3',300,0,'A',8,0,'test3.dyntest.example.com','1')
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='test3.dyntest.example.com'
pdns[514]: Query: delete from records where domain_id='8' and name='test3.dyntest.example.com' and type is null
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where domainmetadata.domain_id=domains.id and name='dyntest.example.com' and domainmetadata.kind='SOA-EDIT-DNSUPDATE'
pdns[514]: Query: delete from records where domain_id=8 and name='dyntest.example.com' and type='SOA'
pdns[514]: Query: insert into records (content,ttl,prio,type,domain_id,disabled,name,auth) values ('ns1.dyntest.example.com hostmaster.dyntest.example.com 2015111605 600 900 604800 300',3600,0,'SOA',8,0,'dyntest.example.com','1')
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Increasing SOA serial (2015111604 -> 2015111605)
pdns[514]: Query: commit
pdns[514]: UPDATE (28984) from 127.0.0.1 for dyntest.example.com: Update completed, 2 changed records committed.
pdns[514]: Query: select id,name,master,last_check,type from domains where type='SLAVE'
pdns[514]: Query: select id,name,master,last_check,notified_serial,type from domains where type='MASTER'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: 1 domain for which we are master needs notifications
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='NS' and name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='ns1.dyntest.example.com'
pdns[514]: Queued notification of domain 'dyntest.example.com' to 127.0.0.1:53
pdns[514]: Query: select content from domains, domainmetadata where domainmetadata.domain_id=domains.id and name='dyntest.example.com' and domainmetadata.kind='ALSO-NOTIFY'
pdns[514]: Queued also-notification of domain 'dyntest.example.com' to 127.0.0.1:53
pdns[514]: Query: update domains set notified_serial=2015111605 where id=8
pdns[514]: Remote 127.0.0.1 wants 'dyntest.example.com|SOA', do = 0, bufsize = 1680: packetcache MISS
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where domainmetadata.domain_id=domains.id and name='dyntest.example.com' and domainmetadata.kind='SOA-EDIT'
pdns[514]: IXFR of domain 'dyntest.example.com' initiated by 127.0.0.1 with serial 2015111604
pdns[514]: AXFR of domain 'dyntest.example.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where domainmetadata.domain_id=domains.id and name='dyntest.example.com' and domainmetadata.kind='SOA-EDIT'
pdns[514]: IXFR fallback to AXFR for domain 'dyntest.example.com' our serial 2015111605
pdns[514]: AXFR of domain 'dyntest.example.com' initiated by 127.0.0.1
pdns[514]: AXFR of domain 'dyntest.example.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='dyntest.example.com'
pdns[514]: Query: select content from domains, domainmetadata where domainmetadata.domain_id=domains.id and name='dyntest.example.com' and domainmetadata.kind='SOA-EDIT'
pdns[514]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE (disabled=0 OR 0) and domain_id='8' order by name, type
pdns[514]: AXFR of domain 'dyntest.example.com' to 127.0.0.1 finished
pdns[514]: Removed from notification list: 'dyntest.example.com' to 127.0.0.1:53 (was acknowledged)
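The post above shows nsupdate rejecting the reply's TSIG while the request itself verified and the update went through. What a client actually checks on a reply is defined by RFC 2845 (now RFC 8945): the reply's MAC is an HMAC over the length-prefixed MAC of the request, then the reply message (with its original ID restored and the TSIG RR removed from ARCOUNT), then the TSIG variables (key name, class ANY, TTL 0, algorithm, time signed, fudge, error, other data). A forwarding slave does not enter into this; the client verifies the master's reply against the MAC it put on its own request. The following is an added, self-contained example, not code from the thread, PowerDNS or BIND: it builds a minimal UPDATE for the thread's zone, signs it with the thread's 'test' hmac-md5 key, signs a reply the way the RFC requires, and verifies both the way a client does. It also shows one way a reply can fail verification (a server that signs its reply without chaining the request MAC); that is an illustration of the mechanism, not a diagnosis of the bug reported above. It assumes messages without name compression (it only parses what it built itself) and only the algorithm names listed in the table.

```python
"""TSIG (RFC 2845 / RFC 8945) signing and verification of a DNS UPDATE round trip."""
import base64
import hashlib
import hmac
import struct

# Test key from the thread's tsigkeys table (a throwaway key, not a production secret).
KEY_NAME = "test"
KEY_SECRET = base64.b64decode("kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=")
ALG = "hmac-md5.sig-alg.reg.int"
ZONE = "dyntest.example.com"
ALGORITHMS = {"hmac-md5.sig-alg.reg.int": hashlib.md5, "hmac-sha256": hashlib.sha256}
TYPE_TSIG, TYPE_SOA, CLASS_IN, CLASS_ANY, OPCODE_UPDATE = 250, 6, 1, 255, 5 << 11


def encode_name(name):
    """Canonical wire form: lowercase labels, no compression pointers."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.lower().rstrip(".").split("."))
    return out + b"\x00"


def read_name(wire, off):
    labels = []
    while wire[off]:  # assumption: no compression pointers in our own messages
        n = wire[off]
        labels.append(wire[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def pack48(value):
    return struct.pack("!HI", value >> 32, value & 0xFFFFFFFF)


def build_update(msg_id, zone=ZONE):
    """Header with opcode UPDATE and a zone section naming the zone's SOA."""
    return struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def build_response(unsigned_request):
    """Same ID and zone section, QR and AA set, like the nsupdate reply in the thread."""
    msg_id = struct.unpack("!H", unsigned_request[:2])[0]
    return struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE | 0x8400, 1, 0, 0, 0) + unsigned_request[12:]


def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """TSIG fields that are digested but are not the MAC itself (RFC 2845 3.4.2)."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + pack48(time_signed) + struct.pack("!HHH", fudge, error, len(other)) + other)


def compute_mac(secret, alg, message, variables, request_mac=None):
    """Digest input: [len16 || request MAC] || message || variables; the prefix is only used on replies."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac is not None else b""
    return hmac.new(secret, prefix + message + variables, ALGORITHMS[alg.lower().rstrip(".")]).digest()


def sign(message, secret, keyname, alg, time_signed, fudge=300, request_mac=None):
    """Append a TSIG RR and bump ARCOUNT; returns (signed wire, mac) so the MAC can be chained."""
    mac = compute_mac(secret, alg, message, tsig_variables(keyname, alg, time_signed, fudge), request_mac)
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = encode_name(alg) + pack48(time_signed) + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", original_id, 0, 0)
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr, mac


def split_tsig(wire):
    """Strip the trailing TSIG RR; return the message as the signer digested it, plus the TSIG fields."""
    qd, an, ns, ar = struct.unpack("!HHHH", wire[4:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(wire, off)
        off += 4
    for _ in range(an + ns + ar - 1):  # skip every RR except the last additional one
        _, off = read_name(wire, off)
        off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
    start = off
    keyname, off = read_name(wire, off)
    if struct.unpack("!H", wire[off:off + 2])[0] != TYPE_TSIG:
        raise ValueError("last additional RR is not a TSIG")
    alg, off = read_name(wire, off + 10)
    hi, lo, fudge, macsize = struct.unpack("!HIHH", wire[off:off + 10])
    mac = wire[off + 10:off + 10 + macsize]
    off += 10 + macsize
    original_id, error, otherlen = struct.unpack("!HHH", wire[off:off + 6])
    # Restore the original ID and the pre-signing ARCOUNT (RFC 2845 3.4.1).
    unsigned = struct.pack("!H", original_id) + wire[2:10] + struct.pack("!H", ar - 1) + wire[12:start]
    return unsigned, dict(keyname=keyname, alg=alg, time_signed=(hi << 32) | lo, fudge=fudge,
                          mac=mac, error=error, other=wire[off + 6:off + 6 + otherlen])


def verify(wire, secret, now, request_mac=None):
    """Verifier's view: returns 'NOERROR', 'BADSIG' or 'BADTIME'. Pass request_mac when checking a reply."""
    unsigned, t = split_tsig(wire)
    variables = tsig_variables(t["keyname"], t["alg"], t["time_signed"], t["fudge"], t["error"], t["other"])
    if not hmac.compare_digest(compute_mac(secret, t["alg"], unsigned, variables, request_mac), t["mac"]):
        return "BADSIG"
    return "BADTIME" if abs(now - t["time_signed"]) > t["fudge"] else "NOERROR"


def exchange(now=1447704112, msg_id=3658, chain_request_mac=True):
    """One signed UPDATE round trip; returns (server's verdict on the request, client's verdict on the reply).
    With chain_request_mac=False the server signs its reply without the request-MAC prefix."""
    signed_req, req_mac = sign(build_update(msg_id), KEY_SECRET, KEY_NAME, ALG, now)
    server_verdict = verify(signed_req, KEY_SECRET, now)            # server checks the request
    unsigned_req, req_fields = split_tsig(signed_req)
    signed_resp, _ = sign(build_response(unsigned_req), KEY_SECRET, KEY_NAME, ALG, now,
                          request_mac=req_fields["mac"] if chain_request_mac else None)
    return server_verdict, verify(signed_resp, KEY_SECRET, now, request_mac=req_mac)  # client checks the reply


if __name__ == "__main__":
    print("chained reply:", exchange())
    print("unchained reply:", exchange(chain_request_mac=False))
```

The server side of `exchange` verifies the request with no request MAC, exactly as PDNS did in the log above, while the client verifies the reply with the MAC it produced; a reply signed without that prefix, or over a message body that differs from what the client holds, gives BADSIG even though the update was applied. The 16-byte MAC size matches the `16` field in the TSIG pseudosections above.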

Re: TSIG with DDNS and BIND's allow-update-forwarding -PDNS 3.4.7.

Ruben d'Arco-2
Hi,

Can you maybe report this into a github issue, so it doesn't get forgotten?

Being one of the contributors that helped implement this, I really want to have a
look and try the same scenario locally and if reproducible, fix it.
But my time is very limited at the moment. The Christmas holiday should help :)

Regards,
        Ruben


On Tue, Nov 17, 2015 at 10:27:22AM -0700, ciphernix wrote:

> Am I doing something wrong? Or is this a bug?
>
> [...]
>
> --
> View this message in context: http://powerdns.13854.n7.nabble.com/TSIG-with-DDNS-and-BIND-s-allow-update-forwarding-PDNS-3-4-7-tp11899.html
> Sent from the PowerDNS mailing list archive at Nabble.com.

_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: TSIG with DDNS and BIND's allow-update-forwarding -PDNS 3.4.7.

ciphernix
Hi Ruben,

Thanks for your reply. I've raised issue 2911 on GitHub.

Thank you