• Cannot get nsupdate to work (for letsencrypt acme.sh client)

    From Brett Delmage@Brett@BrettDelmage.ca to bind-users on Tue Aug 4 18:44:56 2020
    From Newsgroup: comp.protocols.dns.bind

    I'm having a problem getting nsupdate to work, as shown below.

    (Despite reading the man pages I'm not 100% clear about the exact scope of
    the grant options and it may not be right. Examples would be helpful.)

    I generated the key:

    ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
    # To activate this key, place the following in named.conf, and
    # in a separate keyfile on the system or systems from which nsupdate
    # will be run:
    key "acmesh-ottawatch." {
    algorithm hmac-sha256;
    secret <deleted>;
    };

    - this is included in my named.conf
    My config file zone entry has the statements

    check-names warn;
    update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
    to permit the update and limit the scope.

    As I understand, I need check-names (warn | ignore) because
    _acme-challenge has an underscore. (How the heck did LE come up with an incompatible name?)


    Here's my nsupdate script:
    # cat test-acme

    server cacloud.ottawatch.ca
    zone ottawatch.ca
    debug
    update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
    send


    # nsupdate -k acmesh-ottawatch.ca test-acme

    Sending update to 2607:7b00:7200:1::281a:5de2#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42504
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;ottawatch.ca. IN SOA

    ;; UPDATE SECTION:
    _acme-challenge.ottawatch.ca. 999 IN TXT "test 1"

    ;; TSIG PSEUDOSECTION:
acmesh-ottawatch. 0 ANY TSIG hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0


    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 42504
    ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;ottawatch.ca. IN SOA

    ;; TSIG PSEUDOSECTION:
acmesh-ottawatch. 0 ANY TSIG hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0

    Sending update to 2607:7b00:7200:1::281a:5de2#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 32884
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;ottawatch.ca. IN SOA

    ;; TSIG PSEUDOSECTION:
acmesh-ottawatch. 0 ANY TSIG hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0



    # dig _acme-challenge.ottawatch.ca. txt
    - the TXT RR has not been added

    ; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: f735fda5ecb94793010000005f29e1bed617055d59cb5d75 (good)
    ;; QUESTION SECTION:
    ;_acme-challenge.ottawatch.ca. IN TXT

    ;; AUTHORITY SECTION:
    ottawatch.ca. 900 IN SOA cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Aug 04 18:31:26 EDT 2020
    ;; MSG SIZE rcvd: 140


What am I missing or doing wrong, please?
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Mark Andrews@marka@isc.org to Brett Delmage on Wed Aug 5 10:33:26 2020
    From Newsgroup: comp.protocols.dns.bind

    Thanks for full details.
Your key name usage is not consistent: acmesh-ottawatch != ottawatch-acmesh.

Why are you adding `check-names warn;`? check-names does NOT apply to TXT records.
    Mark
    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
    --- Synchronet 3.21d-Linux NewsLink 1.2
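The mismatch Mark points out (key defined as `acmesh-ottawatch.` but granted as `ottawatch-acmesh.`) is easy to catch before the REFUSED shows up in nsupdate's debug output. The script below is an added example, not code from the thread or from BIND: it takes a named.conf fragment, collects the names from `key` statements and from `grant` clauses, and reports any grant that names a key the file never defines. The two config fragments are constructed to mirror the poster's setup (with a placeholder secret), and the name normalisation (lowercase, trailing dot and quotes stripped) is an assumption about how BIND compares key names, not something the thread states.

```shell
#!/bin/sh
# Added example: check that every key named in an update-policy "grant"
# clause is defined by a key {} statement in the same named.conf fragment.
# Both fragments below are constructed for this demo (secret is a placeholder).

# Mismatched fragment: key is "acmesh-ottawatch." but grant says "ottawatch-acmesh."
BROKEN_CONF='key "acmesh-ottawatch." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-SECRET";
};
zone "ottawatch.ca" {
    type master;
    file "ottawatch.ca.zone";
    check-names warn;
    update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
};'

# Corrected fragment: grant uses the same key name; check-names dropped,
# since it does not apply to TXT records.
FIXED_CONF='key "acmesh-ottawatch." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-SECRET";
};
zone "ottawatch.ca" {
    type master;
    file "ottawatch.ca.zone";
    update-policy { grant acmesh-ottawatch. name _acme-challenge.ottawatch.ca. txt; };
};'

# Normalise a key name for comparison: lowercase, strip surrounding quotes
# and a trailing dot (assumption: BIND compares key names as DNS names).
norm_name() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -e 's/^"//' -e 's/"$//' -e 's/\.$//'
}

# Names defined by `key NAME {` statements, one per line (quotes kept).
defined_keys() {
    printf '%s\n' "$1" | awk '$1 == "key" { print $2 }'
}

# Names used right after the word `grant` in update-policy clauses.
granted_keys() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "grant") print $(i + 1) }'
}

# Returns 0 when every granted key is defined, 1 otherwise (unmatched names on stderr).
check_update_policy_keys() {
    conf=$1
    defined=$(defined_keys "$conf" | while read -r k; do norm_name "$k"; done)
    status=0
    for g in $(granted_keys "$conf"); do
        n=$(norm_name "$g")
        if ! printf '%s\n' "$defined" | grep -Fxq "$n"; then
            echo "update-policy grants '$g' but no key statement defines it" >&2
            status=1
        fi
    done
    return $status
}

echo "-- checking constructed named.conf with mismatched key name"
check_update_policy_keys "$BROKEN_CONF" || echo "mismatch found (expected)"
echo "-- checking corrected named.conf"
check_update_policy_keys "$FIXED_CONF" && echo "all granted keys are defined"
```

Run it against a real file with `check_update_policy_keys "$(cat /etc/bind/named.conf.local)"`; it only inspects names, so the key secret never leaves the file. It deliberately does not try to parse `include` statements, so a key defined in a separately included keyfile must be concatenated in first.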
  • From Brett Delmage@Brett@BrettDelmage.ca to Mark Andrews on Wed Aug 5 12:21:01 2020
    From Newsgroup: comp.protocols.dns.bind

    On Wed, 5 Aug 2020, Mark Andrews wrote:

    If I use the example zone on that page *no* errors are reported.
    If I modify restarchitect.com to have a A record at _acme-challenge.restarchitect.com then errors will be reported.

    I certainly did get an error originally. I would not have found this
    page if I didn't have the error message to search for.

After reviewing my command history I have concluded that it is possible
that I originally tested with an A, not TXT record, thus causing the
error. Then I switched it, unaware of the difference to check-names.

    Thanks for the in-depth 'proof'. I have removed check-names now and it
    works as it should.

    Brett


    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Mark Andrews@marka@isc.org to Brett Delmage on Thu Aug 6 08:17:11 2020
    From Newsgroup: comp.protocols.dns.bind

Unfortunately the comments section on that page doesn't work. You press preview and you get an error response back.
    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
    --- Synchronet 3.21d-Linux NewsLink 1.2