nsupdate fails with tsig error.
Anthony Ercolano
tony-keyword-dhcp.537659 at ercolano.com
Fri Nov 30 18:00:49 UTC 2007
I have made several changes to make the dhcpd.conf and the named.conf
match more closely what is is the man page. Results are exactly the
same.
Question:
In order to reduce possible configuration file "noise", on the machine
that has the dhcp server I am testing out doing the dns update using
the nsupdate program that comes with bind.
So - Does the nsupdate program use ANY information from the dhcpd.conf
(or any other settings external to what is given in the sequence of
comands) at all?
Trying to do the update via nsupdate on the dhcp server machine, it
fails with BADSIG
Again, here is where I am puzzled: Using the EXACT same sequence of
command to nsupdate on the bind server, the update works.
I really wouldn't have thought it mattered at all where the nsupdate
came from.
This leads me to think that there MUST be something in by named.conf
file that is letting "local" updates occur but is preventing non-
local. However, I just don't see what that might be.
Is there any default cryptographic information that is assumed on the
bind server side that is not available to non-local clients?
On Nov 29, 2007, at 5:01 AM, Glenn Satchell wrote:
> Hi Anthony
>
> Please have a look at the dhcpd.conf man page, in particular the
> section titled DNS UPDATE SECURITY. It has sample configurations for
> named.conf and dhcpd.conf. It also includes the statements to set up
> logging of dynamic DNS updates on the bind server.
>
> One thing to be careful with is the use of quotes. They vary between
> bind and dhcp for similar statements, eg zone and key.
>
> If you follow those examples closely it will work...
>
> regards,
> -glenn
>
>> From: Anthony Ercolano <anthony.ercolano at gmail.com>
>> To: dhcp-users at isc.org
>> Subject: nsupdate fails with tsig error.
>> Date: Wed, 28 Nov 2007 17:58:15 -0800
>>
>> Here is a copy of my dhcpd.conf (secrets obscured).
>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>> option domain-name "ercolano.com";
>> option domain-name-servers 209.181.88.209,209.181.88.210;
>>
>> default-lease-time 2592000;
>>
>> ddns-update-style interim;
>> ddns-updates on;
>> ddns-domainname "ercolano.com";
>> ddns-rev-domainname "10.in-addr.arpa";
>> ignore client-updates;
>> authoritative;
>>
>> key ns1-dhcpsrc.ercolano.net. {
>> algorithm hmac-md5;
>> secret "supersecretsecret==";
>> };
>>
>> zone 10.in-addr.arpa {
>> primary 209.181.88.209;
>> key ns1-dhcpsrc.ercolano.net.;
>> }
>>
>> zone ercolano.com {
>> primary 209.181.88.209;
>> key ns1-dhcpsrc.ercolano.net.;
>> }
>>
>>
>> subnet 10.0.0.0 netmask 255.255.255.0 {
>> range 10.0.0.150 10.0.0.200;
>> option routers 10.0.0.1;
>> ddns-hostname =
>> pick ( option host-name,
>> concat("dhcp-",binary-to-ascii (10,8,"-",leased-address)));
>>
>> host soekris1 {
>> option host-name "soekris1";
>> hardware ethernet 00:00:24:C4:7B:74 ;
>> fixed-address 10.0.0.61;
>> option root-path "/tftpboot";
>> filename "/pxeboot";
>> }
>> host soekris2 {
>> option host-name "soekris2";
>> hardware ethernet 00:00:24:C1:36:00 ;
>> fixed-address 10.0.0.62;
>> option root-path "/tftpboot";
>> filename "/pxeboot";
>> }
>> }
>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>> This dhcp server lives on an internal network address of 10.0.0.xx
>>
>> Here is the named.conf file on 209.181.88.209
>>
>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>> acl "frendsnameserver" { 192.0.0.0/24; };
>> acl trusted
>> {209.181.88.209;209.181.88.210;209.181.88.211;209.181.88.212;209.181.88.213;209
> .181.88.214
>> ;localhost;localnets;};
>>
>> key ns1-ns2.ercolano.net. {
>> algorithm hmac-md5;
>> secret "another super secret==";
>> };
>>
>> key ns1-dhcpsrc.ercolano.net. {
>> algorithm hmac-md5;
>> secret "supersecretsecret==";
>> };
>>
>> server 209.181.88.210 {
>> keys { ns1-ns2.ercolano.net.; };
>> };
>>
>> server 209.181.88.214 {
>> keys { ns1-dhcpsc.ercolano.net.; };
>> };
>>
>> options {
>> directory "/var/bind";
>>
>> // uncomment the following lines to turn on DNS forwarding,
>> // and change the forwarding ip address(es) :
>> //forward first;
>> //forwarders {
>> // 123.123.123.123;
>> // 123.123.123.123;
>> //};
>>
>> // listen-on-v6 { none; };
>> // listen-on { 127.0.0.1; };
>>
>> // to allow only specific hosts to use the DNS server:
>> //allow-query {
>> // 127.0.0.1;
>> //};
>>
>> allow-transfer { none; };
>> allow-query { any; };
>> allow-recursion { trusted; };
>> allow-query-cache { trusted; };
>> allow-update { none; };
>>
>> notify-source * port 53;
>>
>> // if you have problems and are behind a firewall:
>> query-source address * port 53;
>> pid-file "/var/run/named/named.pid";
>>
>> version "No";
>>
>> };
>>
>>
>> zone "." IN {
>> type hint;
>> file "named.ca";
>> };
>>
>> zone "localhost" IN {
>> type master;
>> file "pri/localhost.zone";
>> notify no;
>> };
>>
>> zone "127.in-addr.arpa" IN {
>> type master;
>> file "pri/127.zone";
>> notify no;
>> };
>>
>> zone "10.IN-ADDR.ARPA" {
>> type master;
>> file "pri/10.zone";
>> allow-update { key ns1-dhcpsrc.ercolano.net.; };
>> allow-transfer { key ns1-ns2.ercolano.net.; key ns1-
>> dhcpsrc.ercolano.net.; };
>> };
>>
>> zone "ercolano.net" IN {
>> type master;
>> file "pri/ercolano.net.zone";
>> allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key
>> ns1-dhcpsrc.ercolano.net.; };
>> };
>> zone "ercolano.org" IN {
>> type master;
>> file "pri/ercolano.org.zone";
>> allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key
>> ns1-dhcpsrc.ercolano.net.; };
>> };
>>
>> zone "ercolano.com" IN {
>> type master;
>> file "pri/ercolano.com.zone";
>> allow-update { key ns1-dhcpsrc.ercolano.net.; };
>> allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key
>> ns1-dhcpsrc.ercolano.net.; };
>> };
>>
>> zone "208-214.88.181.209.in-addr.arpa" IN {
>> type master;
>> file "pri/208-214.88.181.209.zone";
>> allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key
>> ns1-dhcpsrc.ercolano.net.; };
>> };
>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>> If I execute the following nsupdate -d on the dhcp server machine I
>> get:
>>
>> dhcpsrc dhcp # nsupdate -d
>>> server 209.181.88.209
>>> zone ercolano.com
>>> key ns1-dhcpsrc.ercolano.net. supersecretsecret==
>>> update add bogu.ercolano.com 300 A 10.0.0.57
>>> send
>> Sending update to 209.181.88.209#53
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 40437
>> ;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;ercolano.com. IN SOA
>>
>> ;; UPDATE SECTION:
>> bogu.ercolano.com. 300 IN A 10.0.0.57
>>
>> ;; TSIG PSEUDOSECTION:
>> ns1-dhcpsrc.ercolano.net. 0 ANY TSIG hmac-md5.sig-alg.reg.int.
>> 1196299697 300 16 hmmmmmmm== 40437 NOERROR 0
>>
>> ; TSIG error with server: tsig indicates error
>>
>> Reply from update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 40437
>> ;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>> ;; TSIG PSEUDOSECTION:
>> ns1-dhcpsrc.ercolano.net. 0 ANY TSIG hmac-md5.sig-alg.reg.int.
>> 1196299697 300 0 40437 BADSIG 0
>>
>> The error message on the bind server contains:
>>
>> Nov 28 17:43:56 mail named[24825]: client 209.181.88.214#22283:
>> request has invalid signature: TSIG ns1-dhcpsrc.ercolano.net: tsig
>> verify failure (BADSIG)
>>
>> Any thoughts on why this doesn't work?
>>
>> Any thoughts on what sort of logging would be especially helpful on
>> the bind server for finding the problem?
>>
>> Could there be issues with the fact that the dhcp request is
>> initiating server with nat'ed address 10.0.0.37 going through a cisco
>> dsl router and coming into the bind server, which is at
>> 209.181.88.209
>> with the request appearing as though NOW initiated on address
>> 209.181.88.214?
>>
>> Thanks!
>>
>
More information about the dhcp-users
mailing list