'successful' nsupdate of remote server not persistent across nameserver restart?

Mark Andrews marka at isc.org
Sun Apr 24 22:43:26 UTC 2016


In message <20160424222541.GB22481 at harrier.slackbuilds.org>, /dev/rob0 writes:
> On Sun, Apr 24, 2016 at 12:04:15PM -0700, jasonsu at mail-central.com wrote:
> > I'm doing an nsupdate to a remote server from my desktop
> > 
> > 	cat nsupdate.txt
> > 	 server ns01.example.com
> > 	 debug yes
> > 	 zone example.net.
> > 	 update add test.example.net. 500 in TXT "TEST STRING"
> > 	 show
> > 	 send
> > 
> > 	nsupdate -k ./jason-key ./nsupdate.txt
> > 
> > On the nameserver, logs show what appears to be 'success',
> > 
> > 	Apr 24 11:47:07 ns01 named[23053]: 24-Apr-2016 11:47:07.949 update-security: info: client 10.0.0.17#4218/key jason-key: view internal: signer "jason-key" approved
> > 	Apr 24 11:47:08 ns01 named[23053]: 24-Apr-2016 11:47:07.949 update: info: client 10.0.0.17#4218/key jason-key: view internal: updating zone 'example.net/IN': adding an RR at 'test.example.net' TXT "TEST STRING"
> > 
> > checking with dig, it's NOT in 'TXT' where I expected it
> > 
> > 	dig TXT example.net +short
> > 		(empty)
> 
> As Anand pointed out, you were wrong to expect it there.  That's a 
> part of the mystery solved.
> 
> > instead it's in 'AXFR'
> > 
> > 	dig AXFR example.net
> > 
> > 	; <<>> DiG 9.10.3-P4 <<>> AXFR example.net
> > 		;; global options: +cmd
> > 		example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5
> 
> SOA serial is 1461435298 here ...
> 
> > 		example.net.             5       IN      NS      ns01.example.com.
> > 		example.net.             5       IN      A       127.0.0.1
> > 		test.example.net. 500 IN      TXT     "TEST STRING"
> > 		example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5
> > 		;; Query time: 1 msec
> > 		;; SERVER: 10.0.0.53#53(10.0.0.53)
> > 		;; WHEN: Sun Apr 24 11:48:58 PDT 2016
> > 		;; XFR size: 5 records (messages 1, bytes 213)
> > 
> > The journal HAS been modified
> > 
> > 	cd <named chroot>
> > 	grep -rlni acme .
> > 		./namedb/master/internal.example.net.zone.jnl
> > 
> > After a bind restart, which iiuc is supposed to flush the journal to files,
> 
> Yes it will, but this is not necessary.
> 
> > 	systemctl stop  named.service
> > 	systemctl start named.service
> 
> (My guess is that the problem occurs here.  What did systemctl do?)
> 
> > checking with dig, the update's missing
> > 
> > 	dig AXFR example.net
> > 
> > 		; <<>> DiG 9.10.3-P4 <<>> AXFR example.net
> > 		;; global options: +cmd
> > 		example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5
> 
> 1461435298 has been reduced to 1461435297, as if the update had never 
> happened.
> 
> > 		example.net.             5       IN      NS      ns01.example.com.
> > 		example.net.             5       IN      A       127.0.0.1
> > 		example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5
> 
> Another problem with this zone is that the single NS host 
> "ns01.example.com." has no A/AAAA records.  This zone would not pass 
> named-checkzone, which interestingly, is the same code which named 
> itself uses when initially loading a zone.

example.net != example.com

The server is out of zone so named will not detect missing address
records.  named-checkzone can detect missing address records as it
does out of zone checks.

> > 		;; Query time: 2829 msec
> > 		;; SERVER: 10.0.0.53#53(10.0.0.53)
> > 		;; WHEN: Sun Apr 24 11:52:32 PDT 2016
> > 		;; XFR size: 4 records (messages 1, bytes 178)
> > 
> > 	cd <named chroot>
> > 	grep -rlni acme .
> > 		(empty)
> > 
> > What am I failing to do to make this update persistent across flush/restart, as intended?
> 
> What is deleting your journal?  It's not named doing that.
> 
> Why was the journal not written to the zone file on exit?  That's 
> something named DOES do.

It depends on how named is stopped.  "rndc stop" will write out the
zone file as will "kill -TERM".  "rndc halt" doesn't.  In either
case the journal remains and is read and applied on startup.

> The smoking gun is in the hand of systemctl ...
> -- 
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
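The reply above turns on how named is stopped: "rndc stop" and SIGTERM make named write the zone file on exit, "rndc halt" does not, and in every case the journal stays on disk and is replayed at startup, so the update can only vanish if something other than named removes the .jnl file. The script below is an added example, not code from the thread or from ISC: it reads a systemd unit file and reports which of those stop paths the unit uses, and checks whether a zone's journal is still beside the zone file. The unit texts and zone path it works on are constructed for the demo and it never touches a running named.

```shell
# named_stop_mode UNITFILE -> prints one of:
#   rndc-stop  ExecStop runs "rndc stop"         zone file written, journal kept
#   rndc-halt  ExecStop runs "rndc halt"         zone file NOT written, journal kept
#   sigterm    no ExecStop; KillSignal default   behaves like "rndc stop"
#   sigkill    KillSignal=SIGKILL                named cannot write anything on exit
#   unknown    some other ExecStop command: read the unit by hand
named_stop_mode() {
    unit=$1
    # Only the [Service] section matters; drop comment lines.
    svc=$(sed -n '/^\[Service\]/,/^\[/p' "$unit" | grep -v '^[#;]' || :)
    # The first ExecStop= is what actually stops the daemon; any later ones
    # run against a process that has already exited.
    execstop=$(printf '%s\n' "$svc" | grep '^ExecStop=' | head -n 1 | cut -d= -f2-)
    killsig=$(printf '%s\n' "$svc" | grep '^KillSignal=' | tail -n 1 | cut -d= -f2-)
    case $execstop in
        *'rndc halt'*) echo rndc-halt ;;
        *'rndc stop'*) echo rndc-stop ;;
        '')
            # No ExecStop: systemd sends KillSignal, SIGTERM unless overridden.
            case ${killsig:-SIGTERM} in
                SIGTERM|TERM|15) echo sigterm ;;
                SIGKILL|KILL|9)  echo sigkill ;;
                *)               echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# journal_present ZONEFILE -> "yes" if ZONEFILE.jnl exists, else "no".
# named leaves the journal in place however it is stopped, so "no" after a
# stop means something outside named removed it.
journal_present() {
    if [ -e "$1.jnl" ]; then echo yes; else echo no; fi
}

# mk_unit FILE [EXTRA_LINE]: write a constructed minimal unit for the demo
# (not a real distribution unit file).
mk_unit() {
    {
        echo '[Unit]'
        echo 'Description=BIND (constructed sample unit)'
        echo '[Service]'
        echo 'Type=forking'
        echo 'ExecStart=/usr/sbin/named -u named'
        [ -n "${2:-}" ] && echo "$2"
        echo '[Install]'
        echo 'WantedBy=multi-user.target'
    } > "$1"
}

demo_dir=$(mktemp -d)
mk_unit "$demo_dir/halt.service" 'ExecStop=/usr/sbin/rndc halt'
mk_unit "$demo_dir/stop.service" 'ExecStop=/usr/sbin/rndc stop'
mk_unit "$demo_dir/term.service"
mk_unit "$demo_dir/kill.service" 'KillSignal=SIGKILL'
for u in halt stop term kill; do
    printf '%-14s %s\n' "$u.service:" "$(named_stop_mode "$demo_dir/$u.service")"
done

# Constructed zone file plus journal, as named leaves them after an update.
zone="$demo_dir/internal.example.net.zone"
printf '; constructed placeholder zone file\n' > "$zone"
: > "$zone.jnl"
printf 'journal present before cleanup: %s\n' "$(journal_present "$zone")"
rm -f "$zone.jnl"      # simulate an external cleanup step removing it
printf 'journal present after cleanup:  %s\n' "$(journal_present "$zone")"
```

On a real host, feed the unit as systemd actually sees it, drop-ins included: `systemctl cat named.service > /tmp/named.unit` and then `named_stop_mode /tmp/named.unit`; an init-script wrapper or a custom ExecStop that is not rndc will come back as "unknown" and has to be read by hand. Point `journal_present` at the zone file path from named.conf (inside the chroot, as in the thread). To see what a surviving journal would apply, `named-checkzone -j example.net <zonefile>` loads the zone together with its journal; `rndc sync -clean example.net` writes the journal into the zone file on demand without a restart.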

