'successful' nsupdate of remote server not persistent across nameserver restart?
Mark Andrews
marka at isc.org
Sun Apr 24 22:43:26 UTC 2016
In message <20160424222541.GB22481 at harrier.slackbuilds.org>, /dev/rob0 writes:
> On Sun, Apr 24, 2016 at 12:04:15PM -0700, jasonsu at mail-central.com wrote:
> > I'm doing an nsupdate to a remote server from my desktop
> >
> > cat nsupdate.txt
> > server ns01.example.com
> > debug yes
> > zone example.net.
> > update add test.example.net. 500 in TXT "TEST STRING"
> > show
> > send
> >
> > nsupdate -k ./jason-key ./nsupdate.txt
> >
> > On the nameserver, logs show what appears to be 'success',
> >
> > Apr 24 11:47:07 ns01 named[23053]: 24-Apr-2016 11:47:07.949 update-security: info: client 10.0.0.17#4218/key jason-key: view internal: signer "jason-key" approved
> > Apr 24 11:47:08 ns01 named[23053]: 24-Apr-2016 11:47:07.949 update: info: client 10.0.0.17#4218/key jason-key: view internal: updating zone 'example.net/IN': adding an RR at 'test.example.net' TXT "TEST STRING"
> >
> > checking with dig, it's NOT in 'TXT' where I expected it
> >
> > dig TXT example.net +short
> > (empty)
>
> As Anand pointed out, you were wrong to expect it there. That's a
> part of the mystery solved.
>
> > instead it's in 'AXFR'
> >
> > dig AXFR example.net
> >
> > ; <<>> DiG 9.10.3-P4 <<>> AXFR example.net
> > ;; global options: +cmd
> > example.net. 5 IN SOA ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5
>
> SOA serial is 1461435298 here ...
>
> > example.net. 5 IN NS ns01.example.com.
> > example.net. 5 IN A 127.0.0.1
> > test.example.net. 500 IN TXT "TEST STRING"
> > example.net. 5 IN SOA ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5
> > ;; Query time: 1 msec
> > ;; SERVER: 10.0.0.53#53(10.0.0.53)
> > ;; WHEN: Sun Apr 24 11:48:58 PDT 2016
> > ;; XFR size: 5 records (messages 1, bytes 213)
> >
> > The journal HAS been modified
> >
> > cd <named chroot>
> > grep -rlni acme .
> > ./namedb/master/internal.example.net.zone.jnl
> >
> > After a bind restart, which iiuc is supposed to flush the journal to files,
>
> Yes it will, but this is not necessary.
>
> > systemctl stop named.service
> > systemctl start named.service
>
> (My guess is that the problem occurs here. What did systemctl do?)
>
> > checking with dig, the update's missing
> >
> > dig AXFR example.net
> >
> > ; <<>> DiG 9.10.3-P4 <<>> AXFR example.net
> > ;; global options: +cmd
> > example.net. 5 IN SOA ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5
>
> 1461435298 has been reduced to 1461435297, as if the update had never
> happened.
>
> > example.net. 5 IN NS ns01.example.com.
> > example.net. 5 IN A 127.0.0.1
> > example.net. 5 IN SOA ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5
>
> Another problem with this zone is that the single NS host
> "ns01.example.com." has no A/AAAA records. This zone would not pass
> named-checkzone, which interestingly, is the same code which named
> itself uses when initially loading a zone.
example.net != example.com
The server is out of zone so named will not detect missing address
records. named-checkzone can detect missing address records as it
does out of zone checks.
> > ;; Query time: 2829 msec
> > ;; SERVER: 10.0.0.53#53(10.0.0.53)
> > ;; WHEN: Sun Apr 24 11:52:32 PDT 2016
> > ;; XFR size: 4 records (messages 1, bytes 178)
> >
> > cd <named chroot>
> > grep -rlni acme .
> > (empty)
> >
> > What am I failing to do to make this update persistent across flush/restart, as intended?
>
> What is deleting your journal? It's not named doing that.
>
> Why was the journal not written to the zone file on exit? That's
> something named DOES do.
It depends on how named is stopped. "rndc stop" will write out the
zone file as will "kill -TERM". "rndc halt" doesn't. In either
case the journal remains and is read and applied on startup.
> The smoking gun is in the hand of systemctl ...
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
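The check rob0 did by eye above (SOA serial went backwards, TXT record gone after the restart) as a small script; this is an added example, not code from the thread. The BEFORE/AFTER transcripts are the dig AXFR outputs quoted in the thread, embedded so it runs offline; live use would feed it two captures of `dig @ns01 AXFR example.net`.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a dynamic update survived
# a named restart by comparing two "dig AXFR" transcripts (SOA serial and the
# added record). BEFORE/AFTER are the outputs quoted in the thread, embedded so
# this runs offline; live use would capture "dig @ns01 AXFR example.net".
BEFORE='example.net. 5 IN SOA ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5
example.net. 5 IN NS ns01.example.com.
example.net. 5 IN A 127.0.0.1
test.example.net. 500 IN TXT "TEST STRING"
example.net. 5 IN SOA ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5'
AFTER='example.net. 5 IN SOA ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5
example.net. 5 IN NS ns01.example.com.
example.net. 5 IN A 127.0.0.1
example.net. 5 IN SOA ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5'

# Serial is the 7th whitespace-separated field of the first SOA line
# (owner ttl class SOA mname rname serial ...).
soa_serial() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

# Succeeds if an RR with the given owner and type appears in the transfer.
has_record() {
    printf '%s\n' "$1" | awk -v o="$2" -v t="$3" '$1 == o && $4 == t { f = 1 } END { exit !f }'
}

# Prints a verdict and returns 1 when the update was lost: either the serial
# went backwards (zone reloaded from the file with no journal applied) or the
# record is gone.
check_persistence() {
    before=$1 after=$2 owner=$3 type=$4
    s1=$(soa_serial "$before") s2=$(soa_serial "$after")
    if [ -z "$s1" ] || [ -z "$s2" ]; then
        echo "error: no SOA found in transfer"; return 2
    fi
    if [ "$s2" -lt "$s1" ]; then
        echo "lost: serial regressed $s1 -> $s2; journal missing or not applied"; return 1
    fi
    if ! has_record "$after" "$owner" "$type"; then
        echo "lost: $owner $type absent after restart"; return 1
    fi
    echo "persisted: serial $s1 -> $s2, $owner $type present"
}

check_persistence "$BEFORE" "$AFTER" test.example.net. TXT || echo "exit status $?"
```

A "lost" verdict after `rndc stop` or SIGTERM points at something outside named removing the .jnl file, since named writes the zone out on those and otherwise replays the journal at startup.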