How to update zone with dnssec-policy (error with nsupdate: RRset exists)

[Matthias Fechner]

Am 05.07.2023 um 13:13 schrieb Matthias Fechner:
>
> So far, nsdiff generates expected output, next step is now to apply 
> the changes in an automated way.

If I try now to update some records remotely on the server I see in the 
log of the server:
==> /var/named/var/log/named.log <==
08-Jul-2023 07:40:22.962 update-security: info: client @0x848ac0760 
93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: signer 
"idefix.fechner.net-beta.fechner.net" approved
08-Jul-2023 07:40:22.962 update: info: client @0x848ac0760 
93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: updating 
zone 'fechner.net/IN': update unsuccessful: fechner.net/SOA: 'RRset 
exists (value dependent)' prerequisite not satisfied (NXRRSET)

What I did is at first execute nsdiff to control if the changes are 
making sense with:
nsdiff  -k ../.key fechner.net fechner.net

```

nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
OK
nsdiff: loading zone fechner.net. from file fechner.net
zone fechner.net/IN: loaded serial 2023070201
OK
prereq yxrrset fechner.net. IN SOA      ns.fechner.net. 
hostmaster.fechner.net. 2023070228 43200 7200 1814400 86400
update add fechner.net. 300 IN SOA      ns.fechner.net. 
hostmaster.fechner.net. 2023070229 43200 7200 1814400 86400
update delete fechner.net. IN TXT       "v=spf1 a mx 
a:anny.lostinspace.de mx:freebsd.org a:mx2.freebsd.org ~all"
update add fechner.net. 300 IN TXT      "v=spf1 a mx 
a:anny.lostinspace.de a:beta.fechner.net mx:freebsd.org 
a:mx2.freebsd.org ~all"
update delete gitlab.fechner.net. IN TXT        "v=spf1 a mx 
a:anny.lostinspace.de -all"
update add gitlab.fechner.net. 300 IN TXT       "v=spf1 a mx 
a:anny.lostinspace.de a:beta.fechner.net -all"
update delete ark.fechner.net. IN TXT   "v=spf1 a mx 
a:anny.lostinspace.de -all"
update add ark.fechner.net. 300 IN TXT  "v=spf1 a mx 
a:anny.lostinspace.de a:beta.fechner.net -all"
update delete news.fechner.net. IN TXT  "v=spf1 a mx 
a:anny.lostinspace.de -all"
update add news.fechner.net. 300 IN TXT "v=spf1 a mx 
a:anny.lostinspace.de a:beta.fechner.net -all"
send
answer
```

So I tried to chain nsupdate to it with:
nsdiff  -k ../.key fechner.net fechner.net | nsupdate -k ../.key

```

nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
OK
nsdiff: loading zone fechner.net. from file fechner.net
zone fechner.net/IN: loaded serial 2023070201
OK
update failed: NXRRSET
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NXRRSET, id: 14683
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;fechner.net.                   IN      SOA

;; TSIG PSEUDOSECTION:
idefix.fechner.net-beta.fechner.net. 0 ANY TSIG hmac-sha256. 1688794822 
300 32 re/dNrsChdUQSyzMox2O+uAQWJG7+LBWNkS19QmJ48U= 14683 NOERROR 0
```

anyone an idea what can cause this?


Gruß
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook