How to update zone with dnssec-policy (error with nsupdate: RRset exists)
Matthias Fechner
idefix at fechner.net
Tue Oct 24 06:13:06 UTC 2023
On 08.07.2023 at 08:48, Matthias Fechner wrote:
> If I try now to update some records remotely on the server I see in
> the log of the server:
> ==> /var/named/var/log/named.log <==
> 08-Jul-2023 07:40:22.962 update-security: info: client @0x848ac0760
> 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: signer
> "idefix.fechner.net-beta.fechner.net" approved
> 08-Jul-2023 07:40:22.962 update: info: client @0x848ac0760
> 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: updating
> zone 'fechner.net/IN': update unsuccessful: fechner.net/SOA: 'RRset
> exists (value dependent)' prerequisite not satisfied (NXRRSET)
>
> What I did is at first execute nsdiff to control if the changes are
> making sense with:
> nsdiff -k ../.key fechner.net fechner.net
>
> ```
> nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
> zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
> OK
> nsdiff: loading zone fechner.net. from file fechner.net
> zone fechner.net/IN: loaded serial 2023070201
> OK
> prereq yxrrset fechner.net. IN SOA ns.fechner.net.
> hostmaster.fechner.net. 2023070228 43200 7200 1814400 86400
> update add fechner.net. 300 IN SOA ns.fechner.net.
> hostmaster.fechner.net. 2023070229 43200 7200 1814400 86400
> update delete fechner.net. IN TXT "v=spf1 a mx
> a:anny.lostinspace.de mx:freebsd.org a:mx2.freebsd.org ~all"
> update add fechner.net. 300 IN TXT "v=spf1 a mx
> a:anny.lostinspace.de a:beta.fechner.net mx:freebsd.org
> a:mx2.freebsd.org ~all"
> update delete gitlab.fechner.net. IN TXT "v=spf1 a mx
> a:anny.lostinspace.de -all"
> update add gitlab.fechner.net. 300 IN TXT "v=spf1 a mx
> a:anny.lostinspace.de a:beta.fechner.net -all"
> update delete ark.fechner.net. IN TXT "v=spf1 a mx
> a:anny.lostinspace.de -all"
> update add ark.fechner.net. 300 IN TXT "v=spf1 a mx
> a:anny.lostinspace.de a:beta.fechner.net -all"
> update delete news.fechner.net. IN TXT "v=spf1 a mx
> a:anny.lostinspace.de -all"
> update add news.fechner.net. 300 IN TXT "v=spf1 a mx
> a:anny.lostinspace.de a:beta.fechner.net -all"
> send
> answer
> ```
>
> So I tried to chain nsupdate to it with:
> nsdiff -k ../.key fechner.net fechner.net | nsupdate -k ../.key
>
> ```
> nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
> zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
> OK
> nsdiff: loading zone fechner.net. from file fechner.net
> zone fechner.net/IN: loaded serial 2023070201
> OK
> update failed: NXRRSET
> Answer:
> ;; ->>HEADER<<- opcode: UPDATE, status: NXRRSET, id: 14683
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;fechner.net. IN SOA
>
> ;; TSIG PSEUDOSECTION:
> idefix.fechner.net-beta.fechner.net. 0 ANY TSIG hmac-sha256.
> 1688794822 300 32 re/dNrsChdUQSyzMox2O+uAQWJG7+LBWNkS19QmJ48U= 14683
> NOERROR 0
> ```
>
> anyone an idea what can cause this?
If anyone else has these problems: I needed to disable inline-signing:

```
inline-signing no;
```

After this, it is working perfectly fine.
Regards
Matthias
--
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
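As an added example (not code from the post, nor from nsdiff or nsupdate), a small Python checker that parses the nsupdate script nsdiff emits and reports what a reviewer would want to know before piping it into nsupdate: which SOA serial the `prereq yxrrset` line pins (the check that failed with NXRRSET above), whether the new serial is a clean +1 bump, and whether any RRset is deleted without a replacement. The sample input is the post's nsdiff output, cut down and rewrapped to one record per line; the function names are my own.

```python
import shlex

# Constructed sample input: the nsdiff output quoted in the post, cut down to the
# SOA prerequisite, the SOA bump and one TXT replacement (one record per line).
SAMPLE = """\
prereq yxrrset fechner.net. IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070228 43200 7200 1814400 86400
update add fechner.net. 300 IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070229 43200 7200 1814400 86400
update delete gitlab.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
update add gitlab.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
send
answer
"""

def parse_update_script(text):
    """Parse an nsdiff-style nsupdate script (prereq/update/send lines)."""
    script = {"prereq_serial": None, "new_serial": None, "ops": []}
    for line in text.splitlines():
        tok = shlex.split(line)  # strips the quotes around TXT rdata
        if not tok or tok[0] in ("send", "answer"):
            continue
        if tok[0] == "prereq" and tok[1] == "yxrrset" and tok[4] == "SOA":
            # prereq yxrrset <name> IN SOA <mname> <rname> <serial> ...
            script["prereq_serial"] = int(tok[7])
        elif tok[0] == "update" and tok[1] == "delete":
            # update delete <name> IN <type> <rdata...>   (nsdiff always emits the class)
            name, rtype, rdata = tok[2], tok[4], " ".join(tok[5:])
            script["ops"].append(("delete", name, rtype, rdata))
        elif tok[0] == "update" and tok[1] == "add":
            # update add <name> <ttl> IN <type> <rdata...>
            name, rtype, rdata = tok[2], tok[5], " ".join(tok[6:])
            if rtype == "SOA":
                script["new_serial"] = int(tok[8])
            script["ops"].append(("add", name, rtype, rdata))
    return script

def prerequisite_satisfied(script, server_soa_serial):
    """Mirror the server-side check: the SOA prerequisite only passes if the
    zone the update is applied to carries exactly the pinned serial."""
    return script["prereq_serial"] is None or script["prereq_serial"] == server_soa_serial

def review_update_script(script):
    """Return findings a reviewer would want to see before sending the update."""
    findings = []
    pre, new = script["prereq_serial"], script["new_serial"]
    if pre is not None and new is not None and new != pre + 1:
        findings.append(f"SOA serial {pre} -> {new} is not a +1 bump")
    added = {(n, t) for op, n, t, _ in script["ops"] if op == "add"}
    for op, n, t, _ in script["ops"]:
        if op == "delete" and (n, t) not in added:
            findings.append(f"{n} {t} is deleted without a replacement record")
    return findings
```

Run it over the real nsdiff output (`nsdiff ... | python3 check.py`) before appending `| nsupdate -k`, and compare the pinned serial against the serial of the zone copy the server will actually apply the update to.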