CNAME restrictions

Kevin Darcy kevin.darcy at fcagroup.com
Tue Aug 4 20:28:16 UTC 2020 

[ Classification Level: GENERAL BUSINESS ]

Offhand, it looks like the server side is configured to only allow
authenticated updates, but you're sending an unauthenticated one.

A more nuanced issue might be if the ID you're running the nsupdate as,
can't read the key files, so even though you may have intended the update
to be signed, it actually wasn't.

Did you try adding a -d to the nsupdate command? If so, does the debug
output give any clues?

                                                                         -
Kevin

On Tue, Aug 4, 2020 at 1:30 PM Leroy Tennison <leroy at datavoiceint.com>
wrote:

> I have a situation where, due to the system's location (IP subnet), its
> DNS name is <webserver>.<internal subdomain>.datavoiceint.com.  We have a
> certificate for *.datavoiceint.com which we prefer to use instead of
> having to acquire a certificate for <internal subdomain>.datavoiceint.com
> since this is a one-off internal-only web server.  Our (ISC) DNS servers
> (version 9.10.3-P4-Ubuntu that comes with Ubuntu 16.04) serve both
> domains.  I thought a solution would be to use a CNAME but, when I attempt
> this (via nsupdate with the update key which works for A and PTR adds and
> deletes) I get (on "send"):
>
>  TSIG error with server: expected a TSIG or SIG(0)
> update failed: NOTIMP
>
> What I tried (on both <internal subdomain>.datavoiceint.com. and
> datavoiceint.com.) was:
>
> update add <webserver>.datavoiceint.com. 86400 IN CNAME <webserver>.<internal
> subdomain>.datavoiceint.com.
>
> Apparently I'm mis-understanding CNAME usage, if I actually can use a
> CNAME record what should the format be (or do I need to configure bind
> differently to use it since part of the reply is NOTIMP)?  If that's not
> possible due to CNAME restrictions are there any alternatives?
>
> Thanks for your help.
>
> Harriscomputer
>
>
> *Leroy Tennison*Network Information/Cyber Security Specialist
> E: leroy at datavoiceint.com
> P:
>
>
> 2220 Bush Dr
> McKinney, Texas
> 75070
> www.datavoiceint.com <http://www..com>
>
> This message has been sent on behalf of a company that is part of the
> Harris Operating Group of Constellation Software Inc.
>
> If you prefer not to be contacted by Harris Operating Group please notify
> us <http://subscribe.harriscomputer.com/>.
>
>
>
> This message is intended exclusively for the individual or entity to which
> it is addressed. This communication may contain information that is
> proprietary, privileged or confidential or otherwise legally exempt from
> disclosure. If you are not the named addressee, you are not authorized to
> read, print, retain, copy or disseminate this message or any part of it. If
> you have received this message in error, please notify the sender
> immediately by e-mail and delete all copies of the message.
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200804/60b9acde/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: noname
Type: image/png
Size: 8276 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200804/60b9acde/attachment-0001.png>

More information about the bind-users mailing list