nsupdate, dnskeygen, trusted-keys, OH my!

Kevin Darcy kcd at daimlerchrysler.com
Fri Oct 13 03:54:00 UTC 2000


Ideally, the master server should be specified in the SOA MNAME field as well
as in the NS records for the zone. When both of these conditions are true,
nsupdate will send the update first to that server.

Unfortunately, in your case, the SOA MNAME field is set to ns1.deltacom.net,
which doesn't appear anywhere in the NS records. So nsupdate has to guess
which server to send the update to. This is perilous in BIND 8.2.2-p5, because
of a nasty bug (#1028) which causes slave servers not configured with the
appropriate TSIG key to return NOERROR to the Dynamic Update (i.e.
success) instead of NOTAUTH, as the RFC mandates. So nsupdate is fooled into
thinking that the Dynamic Update worked, and doesn't try any other servers.
Essentially your Dynamic Update falls into a black hole.

BIND 8.2.3-T6B fixed bug #1028. So either a) make your SOA MNAME reflect the
master, or b) upgrade.


- Kevin

Chris MacLeod wrote:

> Ok, thanks for the resource.
>
> I followed the instructions to the letter (even using the same key names,
> but not the same secret) and I get nothing.  No logs, no errors, nothing.
>
> Here is the output of nsupdate -d -k /var/dns/keys:tsig-key. test.update
> (this is just stderr)
>
> ;; res_findzonecut: START dname='test.miscellaneous.net' class=IN,
> zsize=1025, naddrs=3
> ;; res_findzonecut: get the soa, and see if it has enough glue
> ;; res_findzonecut: get the ns rrset and see if it has enough glue
> ;; res_findzonecut: get the missing glue and see if it's finally enough
> ;; res_findzonecut: add_addrs: 1
> ;; res_findzonecut: add_addrs: 1
> ;; res_findzonecut: add_addrs: 1
> ;; res_findzonecut: satisfy(ns1.deltacom.net): 3
> ;; res_findzonecut: FINISH n=3 (OK)
> ;; res_findzonecut: START dname='test.miscellaneous.net' class=IN,
> zsize=1025, naddrs=3
> ;; res_findzonecut: get the soa, and see if it has enough glue
> ;; res_findzonecut: get the ns rrset and see if it has enough glue
> ;; res_findzonecut: get the missing glue and see if it's finally enough
> ;; res_findzonecut: add_addrs: 1
> ;; res_findzonecut: add_addrs: 1
> ;; res_findzonecut: add_addrs: 1
> ;; res_findzonecut: satisfy(ns1.deltacom.net): 3
> ;; res_findzonecut: FINISH n=3 (OK)
> ;; res_nupdate: res_mkupdate -> 68
> ;; res_nupdate: res_nsend: send error, n=-1 (Inappropriate ioctl for
> device)
>
> stdout is attached as a text file.
>
> Thanks for all the help.
>
> Stick
>
> On Thu, 12 Oct 2000 20:38:51 Kevin Darcy wrote:
> >
> > http://www.nominum.com/resources/faqs/bind-faq.html#tsig
> >
> >
> > - Kevin
> >
> >
> >
> > root wrote:
> >
> > > That's what I am trying to do.
> > > Have a secure mechanism with which a few hosts can do updates.
> > >
> > > The problem that I'm having is that I don't know (and can't find)
> > > how to specify the approved key in my conf file and then how to
> > > generate the correct key (TSIG vs DNSSEC) for use on the host side.
> > >
> > > Stick
> > >
> > > On Wed, 11 Oct 2000 18:30:47 Kevin Darcy wrote:
> > > >
> > > > AFAIK, trusted-keys is only used for DNSSEC, which essentially
> > > > requires you to build a security infrastructure. If all you want to
> > > > do is strongly-crypto-authenticate your Dynamic Updates amongst a
> > > > fairly-small number of servers and/or clients, I'd look at TSIG
> > > > instead. Generate a shared-secret TSIG key for each server or,
> > > > depending on your paranoia level, each server/client combination,
> > > > configure it/them into the server and use the "-k" option of
> > > > nsupdate to sign the updates with that key. This is obviously
> > > > non-scalable to larger numbers of clients and/or servers because of
> > > > the key distribution and/or management problems...
> > > >
> > > >
> > > > - Kevin
> > > >
> > > > Chris MacLeod wrote:
> > > >
> > > > > I've been wrestling with nsupdate for a couple of days now and
> > > > > have finally gotten it working with IP-based security rules.
> > > > >
> > > > > I'm trying to do key-based authentication now so I can't be
> > > > > spoofed.
> > > > >
> > > > > Could someone point me to a good reference (or post here) what a
> > > > > named.conf using trusted-keys with nsupdate should look like. And
> > > > > also how keys should be generated with dnskeygen.
> > > > >
> > > > > Thanks.
> > > > >
> > > > > Stick
>   ------------------------------------------------------------------------
>
>    output   Name: output
>             Type: unspecified type (application/octet-stream)
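Editor's added example (not code from the thread, from BIND, or from nsupdate): what "sign the update with the -k key" means on the wire. It builds an RFC 2136 UPDATE that adds one A record, appends a TSIG RR (RFC 2845, hmac-md5.sig-alg.reg.int, the algorithm BIND 8 TSIG keys use) as the last record of the additional section, and shows the server-side check that a correctly behaving slave performs before it can answer NOTAUTH rather than NOERROR. The key name "tsig-key", the secret, the zone names and the 192.0.2.10 address are constructed for the example; it uses only the Python standard library and runs offline.

```python
"""Build an RFC 2136 UPDATE and sign/verify it with TSIG (RFC 2845). Stdlib only."""
import hashlib
import hmac
import struct
import time

TSIG_ALG = "hmac-md5.sig-alg.reg.int"    # the TSIG algorithm BIND 8 keys use
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """Uncompressed, lowercased (canonical) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, name, ip, ttl, msg_id):
    """UPDATE (opcode 5) adding one A record: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    update_rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr


def _tsig_mac(unsigned, keyname, secret, time_signed, fudge, error=0, other=b""):
    """HMAC-MD5 over the unsigned message followed by the TSIG variables (RFC 2845 3.4.2)."""
    variables = (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)  # key name, class ANY, TTL 0
                 + encode_name(TSIG_ALG)
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, unsigned + variables, hashlib.md5).digest()


def tsig_sign(unsigned, keyname, secret, time_signed=None, fudge=300):
    """Client side (what nsupdate -k does): append the TSIG RR and bump ARCOUNT by one."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = _tsig_mac(unsigned, keyname, secret, time_signed, fudge)
    original_id = struct.unpack("!H", unsigned[:2])[0]
    rdata = (encode_name(TSIG_ALG)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))       # error 0, no other data
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", unsigned[10:12])[0] + 1
    return unsigned[:10] + struct.pack("!H", arcount) + unsigned[12:] + tsig_rr


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _read_name(msg, off):
    """Read an uncompressed name (TSIG key and algorithm names are sent uncompressed)."""
    labels = []
    while msg[off]:
        length = msg[off]
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), off + 1


def tsig_verify(signed, keyname, secret, now=None):
    """Server side: find the trailing TSIG RR, recompute the MAC over the message with the
    TSIG RR removed and ARCOUNT decremented, then check key, MAC and time window."""
    if now is None:
        now = int(time.time())
    zocount, prcount, upcount, adcount = struct.unpack("!HHHH", signed[4:12])
    if adcount == 0:
        return False, "unsigned"
    off = 12
    for _ in range(zocount):                            # zone entries: name + type + class
        off = _skip_name(signed, off) + 4
    for _ in range(prcount + upcount + adcount - 1):    # every RR before the TSIG, which is last
        off = _skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    name, off = _read_name(signed, off)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    alg, off = _read_name(signed, off + 10)
    hi, lo, fudge, macsize = struct.unpack("!HIHH", signed[off:off + 10])
    mac = signed[off + 10:off + 10 + macsize]
    off += 10 + macsize
    _orig_id, error, otherlen = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + otherlen]
    if rtype != TYPE_TSIG or name != keyname.rstrip(".").lower() or alg != TSIG_ALG:
        return False, "unknown key or algorithm"        # a correct server answers NOTAUTH/BADKEY
    unsigned = signed[:10] + struct.pack("!H", adcount - 1) + signed[12:tsig_start]
    expected = _tsig_mac(unsigned, keyname, secret, (hi << 32) | lo, fudge, error, other)
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"                   # NOTAUTH/BADSIG
    if abs(now - ((hi << 32) | lo)) > fudge:
        return False, "outside fudge window"            # NOTAUTH/BADTIME
    return True, "ok"


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"   # constructed; a real one is the base64 from the key file
    msg = build_update("miscellaneous.net", "test.miscellaneous.net", "192.0.2.10", 3600, 0x1234)
    signed = tsig_sign(msg, "tsig-key", SECRET)
    print(tsig_verify(signed, "tsig-key", SECRET))           # (True, 'ok')
    print(tsig_verify(signed, "tsig-key", b"other-secret"))  # (False, 'bad signature')
```

The three failure branches in tsig_verify are the ones that matter for the black-hole described above: a slave that does not have the key should fall into "unknown key or algorithm" and answer NOTAUTH, which is what lets nsupdate move on to the next server. The tampered-message and wrong-secret cases show that the MAC covers the whole update, not just the TSIG record, so a forged or modified update with a valid-looking key name is still rejected.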





