nsupdate fails with tsig error.

Anthony Ercolano tony-keyword-dhcp.537659 at ercolano.com
Sun Dec 2 07:27:38 UTC 2007


Sorry for the multiple messages.

Is there any way to force the DHCP server to only use TCP when sending  
updates to the dns server?

Didn't see anything in Mr. Lemon's book.
On Dec 1, 2007, at 10:39 PM, Anthony Ercolano wrote:

> Interestingly if I force nsupdate to communicate with tcp instead of udp by using the -v option then the update works even if the update is requested from the machine at address 10.0.0.37 and going through NAT.
>
> On Dec 1, 2007, at 5:10 PM, Anthony Ercolano wrote:
>
>> Life becomes much more clear.
>>
>> If I run nsupdate on a machine with a network address of 10.0.0.37  
>> and it sends the update commands to the bind server with a network  
>> address 209.181.88.209 the update fails.
>>
>> If I take the same machine and give it a network address of  
>> 209.181.88.213 and run the same series of commands with nsupdate  
>> the update succeeds.
>>
>> Clearly I don't understand the ramifications of sending the update  
>> through NAT to the server.
>>
>> Any thoughts?
>>
>> On Dec 1, 2007, at 8:43 AM, Glenn Satchell wrote:
>>
>>>
>>>> To: dhcp-users at isc.org
>>>> Subject: Re: nsupdate fails with tsig error.
>>>> Date: Fri, 30 Nov 2007 10:00:49 -0800
>>>>
>>>> I have made several changes to make the dhcpd.conf and the named.conf match more closely what is in the man page.  Results are exactly the same.
>>>>
>>>> Question:
>>>>
>>>> In order to reduce possible configuration file "noise", on the machine that has the dhcp server I am testing out doing the dns update using the nsupdate program that comes with bind.
>>>>
>>>> So - Does the nsupdate program use ANY information from the dhcpd.conf (or any other settings external to what is given in the sequence of commands) at all?
>>>
>>> No. nsupdate is part of the bind package, it has absolutely no dependencies on dhcp or indeed any knowledge of the dhcp package of programmes.
>>>
>>>> Trying to do the update via nsupdate on the dhcp server machine, it
>>>> fails with BADSIG
>>>>
>>>> Again, here is where I am puzzled:  Using the EXACT same sequence of commands to nsupdate on the bind server, the update works.
>>>>
>>>> I really wouldn't have thought it mattered at all where the nsupdate came from.
>>>>
>>>> This leads me to think that there MUST be something in my named.conf file that is letting "local" updates occur but is preventing non-local.  However, I just don't see what that might be.
>>>
>>> Yes. That is a good assumption.
>>>
>>>> Is there any default cryptographic information that is assumed on the bind server side that is not available to non-local clients?
>>>
>>> I don't think so.
>>>
>>> In named.conf you don't use quotes around the value of the secret, ie it should be:
>>>
>>> key ns1-dhcpsrc.ercolano.net. {
>>> 	algorithm hmac-md5;
>>> 	secret supersecretsecret==;
>>> };
>>>
>>> And in dhcpd.conf you also don't need quotes around the value of the secret.
>>>
>>> key ns1-dhcpsrc.ercolano.net. {
>>> 	algorithm hmac-md5;
>>> 	secret supersecretsecret==;
>>> };
>>>
>>> This is the only thing I can see in the included named.conf and
>>> dhcpd.conf files below that is not right. If this doesn't work, then
>>> there must be something else not right, but if there is I can't see
>>> it.
>>>
>>> The BIND ARM (available on the web) says about TSIG errors:
>>>
>>> 	If a TSIG aware server receives a message with a signature that
>>> 	does not validate, the response will be unsigned with the TSIG
>>> 	extended error code set to BADSIG.
>>>
>>> So, this says to me the key is invalid. If you use quotes in the conf files, then they will become part of the key and could cause it to be invalid as they are not valid base 64 characters.
>>>
>>> You did restart (not just kill -HUP) both dhcpd and named after
>>> changing the conf files? (clutching at straws here ... )
>>> 	
>>> regards,
>>> -glenn
>>>
>>>> On Nov 29, 2007, at 5:01 AM, Glenn Satchell wrote:
>>>>
>>>>> Hi Anthony
>>>>>
>>>>> Please have a look at the dhcpd.conf man page, in particular the section titled DNS UPDATE SECURITY. It has sample configurations for named.conf and dhcpd.conf. It also includes the statements to set up logging of dynamic DNS updates on the bind server.
>>>>>
>>>>> One thing to be careful with is the use of quotes. They vary between bind and dhcp for similar statements, eg zone and key.
>>>>>
>>>>> If you follow those examples closely it will work...
>>>>>
>>>>> regards,
>>>>> -glenn
>>>>>
>>>>>> From: Anthony Ercolano <anthony.ercolano at gmail.com>
>>>>>> To: dhcp-users at isc.org
>>>>>> Subject: nsupdate fails with tsig error.
>>>>>> Date: Wed, 28 Nov 2007 17:58:15 -0800
>>>>>>
>>>>>> Here is a copy of my dhcpd.conf (secrets obscured).
>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>> option domain-name "ercolano.com";
>>>>>> option domain-name-servers 209.181.88.209,209.181.88.210;
>>>>>>
>>>>>> default-lease-time 2592000;
>>>>>>
>>>>>> ddns-update-style interim;
>>>>>> ddns-updates on;
>>>>>> ddns-domainname "ercolano.com";
>>>>>> ddns-rev-domainname "10.in-addr.arpa";
>>>>>> ignore client-updates;
>>>>>> authoritative;
>>>>>>
>>>>>> key ns1-dhcpsrc.ercolano.net. {
>>>>>>     algorithm hmac-md5;
>>>>>>     secret "supersecretsecret==";
>>>>>> };
>>>>>>
>>>>>> zone 10.in-addr.arpa {
>>>>>>     primary 209.181.88.209;
>>>>>>     key ns1-dhcpsrc.ercolano.net.;
>>>>>> }
>>>>>>
>>>>>> zone ercolano.com {
>>>>>>     primary 209.181.88.209;
>>>>>>     key ns1-dhcpsrc.ercolano.net.;
>>>>>> }
>>>>>>
>>>>>>
>>>>>> subnet 10.0.0.0 netmask 255.255.255.0 {
>>>>>> range 10.0.0.150 10.0.0.200;
>>>>>> option routers 10.0.0.1;
>>>>>> ddns-hostname =
>>>>>>     pick ( option host-name,
>>>>>>            concat("dhcp-",binary-to-ascii (10,8,"-",leased-address)));
>>>>>>
>>>>>> host soekris1 {
>>>>>>     option host-name "soekris1";
>>>>>>     hardware ethernet 00:00:24:C4:7B:74 ;
>>>>>>     fixed-address 10.0.0.61;
>>>>>>     option root-path "/tftpboot";
>>>>>>     filename "/pxeboot";
>>>>>> }
>>>>>> host soekris2 {
>>>>>>     option host-name "soekris2";
>>>>>>     hardware ethernet 00:00:24:C1:36:00 ;
>>>>>>     fixed-address 10.0.0.62;
>>>>>>     option root-path "/tftpboot";
>>>>>>     filename "/pxeboot";
>>>>>> }
>>>>>> }
>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>
>>>>>> This dhcp server lives on an internal network address of 10.0.0.xx
>>>>>>
>>>>>> Here is the named.conf file on 209.181.88.209
>>>>>>
>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>> acl "frendsnameserver" { 192.0.0.0/24; };
>>>>>> acl trusted {209.181.88.209;209.181.88.210;209.181.88.211;209.181.88.212;209.181.88.213;209.181.88.214;localhost;localnets;};
>>>>>>
>>>>>> key ns1-ns2.ercolano.net. {
>>>>>>     algorithm hmac-md5;
>>>>>> 	secret "another super secret==";
>>>>>> };
>>>>>>
>>>>>> key ns1-dhcpsrc.ercolano.net. {
>>>>>>     algorithm hmac-md5;
>>>>>> 	secret "supersecretsecret==";
>>>>>> };
>>>>>>
>>>>>> server 209.181.88.210 {
>>>>>>     keys { ns1-ns2.ercolano.net.; };
>>>>>> };
>>>>>>
>>>>>> server 209.181.88.214 {
>>>>>>     keys { ns1-dhcpsc.ercolano.net.; };
>>>>>> };
>>>>>>
>>>>>> options {
>>>>>> 	directory "/var/bind";
>>>>>>
>>>>>> 	// uncomment the following lines to turn on DNS forwarding,
>>>>>> 	// and change the forwarding ip address(es) :
>>>>>> 	//forward first;
>>>>>> 	//forwarders {
>>>>>> 	//	123.123.123.123;
>>>>>> 	//	123.123.123.123;
>>>>>> 	//};
>>>>>>
>>>>>> 	// listen-on-v6 { none; };
>>>>>>     // listen-on { 127.0.0.1; };
>>>>>>
>>>>>> 	// to allow only specific hosts to use the DNS server:
>>>>>> 	//allow-query {
>>>>>> 	//	127.0.0.1;
>>>>>> 	//};
>>>>>>
>>>>>> 	allow-transfer { none; };
>>>>>>     allow-query { any; };
>>>>>> 	allow-recursion { trusted; };
>>>>>> 	allow-query-cache { trusted; };
>>>>>> 	allow-update { none; };
>>>>>>
>>>>>> 	notify-source * port 53;
>>>>>>
>>>>>> 	// if you have problems and are behind a firewall:
>>>>>> 	query-source address * port 53;
>>>>>> 	pid-file "/var/run/named/named.pid";
>>>>>>
>>>>>> 	version "No";
>>>>>>
>>>>>> };
>>>>>>
>>>>>>
>>>>>> zone "." IN {
>>>>>> 	type hint;
>>>>>> 	file "named.ca";
>>>>>> };
>>>>>>
>>>>>> zone "localhost" IN {
>>>>>> 	type master;
>>>>>> 	file "pri/localhost.zone";
>>>>>> 	notify no;
>>>>>> };
>>>>>>
>>>>>> zone "127.in-addr.arpa" IN {
>>>>>> 	type master;
>>>>>> 	file "pri/127.zone";
>>>>>> 	notify no;
>>>>>> };
>>>>>>
>>>>>> zone "10.IN-ADDR.ARPA" {
>>>>>> 	type master;
>>>>>> 	file "pri/10.zone";
>>>>>> 	allow-update { key ns1-dhcpsrc.ercolano.net.; };
>>>>>> 	allow-transfer { key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>>>> };
>>>>>>
>>>>>> zone "ercolano.net" IN {
>>>>>> 	type master;
>>>>>> 	file "pri/ercolano.net.zone";
>>>>>> 	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>>>> };
>>>>>> zone "ercolano.org" IN {
>>>>>> 	type master;
>>>>>> 	file "pri/ercolano.org.zone";
>>>>>> 	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>>>> };
>>>>>>
>>>>>> zone "ercolano.com" IN {
>>>>>> 	type master;
>>>>>> 	file "pri/ercolano.com.zone";
>>>>>> 	allow-update { key ns1-dhcpsrc.ercolano.net.; };
>>>>>> 	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>>>> };
>>>>>>
>>>>>> zone "208-214.88.181.209.in-addr.arpa" IN {
>>>>>> 	type master;
>>>>>> 	file "pri/208-214.88.181.209.zone";
>>>>>> 	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>>>> };
>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>
>>>>>> If I execute the following nsupdate -d on the dhcp server machine I get:
>>>>>>
>>>>>> dhcpsrc dhcp # nsupdate -d
>>>>>>> server 209.181.88.209
>>>>>>> zone ercolano.com
>>>>>>> key ns1-dhcpsrc.ercolano.net. supersecretsecret==
>>>>>>> update add bogu.ercolano.com 300 A 10.0.0.57
>>>>>>> send
>>>>>> Sending update to 209.181.88.209#53
>>>>>> Outgoing update query:
>>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  40437
>>>>>> ;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>>>>>> ;; ZONE SECTION:
>>>>>> ;ercolano.com.			IN	SOA
>>>>>>
>>>>>> ;; UPDATE SECTION:
>>>>>> bogu.ercolano.com.	300	IN	A	10.0.0.57
>>>>>>
>>>>>> ;; TSIG PSEUDOSECTION:
>>>>>> ns1-dhcpsrc.ercolano.net. 0	ANY	TSIG	hmac-md5.sig-alg.reg.int.
>>>>>> 1196299697 300 16 hmmmmmmm== 40437 NOERROR 0
>>>>>>
>>>>>> ; TSIG error with server: tsig indicates error
>>>>>>
>>>>>> Reply from update query:
>>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  40437
>>>>>> ;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>>>>>> ;; TSIG PSEUDOSECTION:
>>>>>> ns1-dhcpsrc.ercolano.net. 0	ANY	TSIG	hmac-md5.sig-alg.reg.int.
>>>>>> 1196299697 300 0  40437 BADSIG 0
>>>>>>
>>>>>> The error message on the bind server contains:
>>>>>>
>>>>>> Nov 28 17:43:56 mail named[24825]: client 209.181.88.214#22283: request has invalid signature: TSIG ns1-dhcpsrc.ercolano.net: tsig verify failure (BADSIG)
>>>>>>
>>>>>> Any thoughts on why this doesn't work?
>>>>>>
>>>>>> Any thoughts on what sort of logging would be especially helpful on the bind server for finding the problem?
>>>>>>
>>>>>> Could there be issues with the fact that the dhcp request is initiated from a server with NAT'ed address 10.0.0.37, going through a cisco dsl router and coming into the bind server, which is at 209.181.88.209, with the request appearing as though NOW initiated on address 209.181.88.214?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>
>>>>
>>>
>>
>
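Editor's added example, not part of the thread and not ISC code: what BADSIG means at the wire level. TSIG (RFC 2845) computes an HMAC over the whole DNS message plus the key name, algorithm, time-signed and fudge values, so a server answers BADSIG when the bytes it received do not match what the signer signed, and BADKEY when the key name or algorithm is unknown to it. The code builds the thread's UPDATE (bogu.ercolano.com A 10.0.0.57 in zone ercolano.com), signs it with hmac-md5, verifies it the way a server does, and then shows two ways to arrive at BADSIG: the two ends holding different key bytes under the same key name, and a middlebox rewriting the private address inside the UDP payload after it was signed. That second case models a NAT DNS ALG; the thread only shows that UDP through the Cisco router fails while TCP works, so treating the router as such an ALG is an assumption, not a finding. The key name follows the thread; the secret is a constructed placeholder, and names are written uncompressed (enough for messages this code builds itself).

```python
# Added example for the thread above, not ISC code: TSIG (RFC 2845, hmac-md5) over a DNS UPDATE.
# Wire names are kept uncompressed, which is enough for messages this code builds itself.
import base64
import hashlib
import hmac
import struct

TYPE_A, TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY = 1, 6, 250, 1, 255
OPCODE_UPDATE = 5 << 11
ALG_NAME = "hmac-md5.sig-alg.reg.int."
KEY_NAME = "ns1-dhcpsrc.ercolano.net."                                   # key name from the thread
SECRET_B64 = base64.b64encode(b"constructed-example-key").decode()  # placeholder, not a real key

def encode_name(name):
    """Uncompressed wire-format name, lowercased (TSIG canonical form)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def decode_name(buf, off):
    """Read an uncompressed name; returns (name, offset just past it)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(bytes(buf[off + 1:off + 1 + n]).decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def iter_rrs(buf):
    """Yield (rr start, start of its fixed fields, type, rdlength) for each RR after the zone section."""
    qd, an, ns, ar = struct.unpack("!HHHH", buf[4:12])
    off = 12
    for _ in range(qd):
        off = decode_name(buf, off)[1] + 4
    for _ in range(an + ns + ar):
        start, off = off, decode_name(buf, off)[1]
        rtype, rdlen = struct.unpack("!H", buf[off:off + 2])[0], struct.unpack("!H", buf[off + 8:off + 10])[0]
        yield start, off, rtype, rdlen
        off += 10 + rdlen

def build_update(msg_id, zone, owner, ttl, ipv4):
    """Minimal UPDATE: one zone entry, no prerequisites, one 'update add <owner> <ttl> A <ipv4>' RR."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rr = encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + zone_sec + rr

def tsig_mac(secret, msg, key_name, time_signed, fudge, error=0, other=b""):
    """HMAC over the unsigned message followed by the TSIG variables (RFC 2845 section 3.4)."""
    variables = (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG_NAME)
                 + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, msg + variables, hashlib.md5).digest()

def sign(msg, key_name, secret, time_signed, fudge=300):
    """Append the TSIG RR and bump ARCOUNT, as nsupdate and dhcpd do before sending."""
    mac = tsig_mac(secret, msg, key_name, time_signed, fudge)
    rdata = (encode_name(ALG_NAME) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # original id, error 0, other len 0
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify(signed, keys, now):
    """Server side. keys maps key name -> secret bytes. Returns what named logs:
    NOERROR, BADKEY (unknown key or algorithm), BADTIME, or BADSIG (MAC mismatch)."""
    tsig_start, off, rtype, _ = list(iter_rrs(signed))[-1]          # the TSIG RR is always last
    key_name = decode_name(signed, tsig_start)[0]
    alg, off = decode_name(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_len]
    if rtype != TYPE_TSIG or key_name not in keys or alg != ALG_NAME:
        return "BADKEY"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:tsig_start]   # message as it was signed
    expected = tsig_mac(keys[key_name], unsigned, key_name, time_signed, fudge)
    return "NOERROR" if hmac.compare_digest(mac, expected) else "BADSIG"

def nat_dns_alg(payload, inside_ip, outside_ip):
    """Model of a NAT DNS ALG rewriting A rdata inside the DNS payload. That the thread's
    router does this is an assumption, not something the thread shows. TSIG RR untouched."""
    old, new = (bytes(int(o) for o in ip.split(".")) for ip in (inside_ip, outside_ip))
    buf = bytearray(payload)
    for _, off, rtype, rdlen in iter_rrs(buf):
        if rtype == TYPE_A and rdlen == 4 and bytes(buf[off + 10:off + 14]) == old:
            buf[off + 10:off + 14] = new
    return bytes(buf)

def demo():
    """The thread's update under four conditions; returns {case: TSIG result}."""
    now = 1196299697                                  # the time-signed value in the thread's trace
    keys = {KEY_NAME: base64.b64decode(SECRET_B64)}
    msg = build_update(40437, "ercolano.com.", "bogu.ercolano.com.", 300, "10.0.0.57")
    signed = sign(msg, KEY_NAME, keys[KEY_NAME], now)
    return {
        "intact": verify(signed, keys, now),
        "wrong_key_bytes": verify(signed, {KEY_NAME: b"different-bytes"}, now),      # same name, other bytes
        "rewritten_in_flight": verify(nat_dns_alg(signed, "10.0.0.57", "209.181.88.214"), keys, now),
        "unknown_key": verify(signed, {"other.example.": keys[KEY_NAME]}, now),
    }
```

Two things follow from this that are worth checking on a real setup. First, BADSIG with the key name accepted means the key bytes differ or the message was altered; a wrong key name would have produced BADKEY instead, so the key name in the thread's log is not the problem. Second, if a capture of the update on both sides of the NAT (port 53 UDP) shows different A rdata, no key configuration can fix it, because the packet was changed after it was signed; that is consistent with the thread's observation that nsupdate -v, which uses TCP, succeeds.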
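Editor's added check on the quoting question raised in the thread; not code from the thread or from ISC. In named.conf the secret is a quoted string (BIND's grammar requires the quotes); dhcpd.conf takes it bare, as in the dhcpd.conf man page's DNS UPDATE SECURITY examples, and in practice accepts the quoted form too. Both parsers base64-decode what is inside, so the quote characters never become part of the key; what has to be identical on the two ends is the decoded bytes under the same key name. The script below parses key blocks out of both files and reports, per key name, whether the bytes match, differ, are missing on one side, or are not valid base64 at all. The two config snippets are constructed and embedded inline; the secrets are placeholders, and the last one is the thread's own obscured value, which is not valid base64 and is reported as such.

```python
# Added example, not from the thread or ISC: check that named.conf and dhcpd.conf hold the
# same TSIG key bytes. The config snippets are constructed; the secrets are placeholders.
import base64
import binascii
import re

# Matches a key block in either dialect: named.conf quotes the secret (and may quote the key
# name), dhcpd.conf normally writes the secret bare. The algorithm name is not compared because
# hmac-md5 and HMAC-MD5.SIG-ALG.REG.INT denote the same algorithm.
KEY_BLOCK = re.compile(r'key\s+"?([^\s"{]+)"?\s*\{\s*algorithm\s+[^;]+;\s*secret\s+([^;]+);\s*\}', re.I)

def parse_keys(conf_text):
    """Return {key name (lowercased, no trailing dot): raw secret token}."""
    return {name.rstrip(".").lower(): tok.strip() for name, tok in KEY_BLOCK.findall(conf_text)}

def decode_secret(token):
    """Drop the quotes the grammar allows and base64-decode; None if the text is not valid base64."""
    try:
        return base64.b64decode(token.strip('"'), validate=True)
    except (binascii.Error, ValueError):
        return None

def compare(named_conf, dhcpd_conf):
    """Per key name: 'match' (same bytes), 'mismatch', 'invalid' (not base64), or 'missing' (one side only)."""
    named, dhcpd = parse_keys(named_conf), parse_keys(dhcpd_conf)
    report = {}
    for name in sorted(set(named) | set(dhcpd)):
        if name not in named or name not in dhcpd:
            report[name] = "missing"
            continue
        a, b = decode_secret(named[name]), decode_secret(dhcpd[name])
        report[name] = "invalid" if a is None or b is None else ("match" if a == b else "mismatch")
    return report

# Constructed named.conf fragment (placeholder secrets; the last one is the thread's obscured value).
NAMED_CONF = """
key ns1-dhcpsrc.ercolano.net. {
    algorithm hmac-md5;
    secret "c3VwZXJzZWNyZXRzZWNyZXQ=";
};
key "ns1-ns2.ercolano.net." {
    algorithm hmac-md5;
    secret "b3RoZXJzZWNyZXQ=";
};
key mismatch.example. {
    algorithm hmac-md5;
    secret "c3VwZXJzZWNyZXRzZWNyZXQ=";
};
key obscured.example. {
    algorithm hmac-md5;
    secret "supersecretsecret==";
};
"""

# Constructed dhcpd.conf fragment: same keys written in dhcpd's bare form.
DHCPD_CONF = """
key ns1-dhcpsrc.ercolano.net. {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret c3VwZXJzZWNyZXRzZWNyZXQ=;
};
key mismatch.example. {
    algorithm hmac-md5;
    secret b3RoZXJzZWNyZXQ=;
};
key obscured.example. {
    algorithm hmac-md5;
    secret supersecretsecret==;
};
"""
```

Point it at the real files with open().read() in place of the embedded strings. A key reported as "invalid" will not load as intended in either daemon, and a "mismatch" is exactly the condition that produces BADSIG on every update while the key name itself is accepted.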

