Re: with dot in NAME for ACME via dynamic update (Axel Rau)


Re: with dot in NAME for ACME via dynamic update (Axel Rau)

Timothe Litt

Er,

dig _acme-challenge.imap.lrau.net.

is missing a record type.  The default is A.


dig _acme-challenge.imap.lrau.net. txt

will likely give you better results

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 
On 14-Mar-20 13:31, [hidden email] wrote:
On 14.03.2020 at 18:14, Chuck Aurora <[hidden email]> wrote:

it seems, the dynamic update protocol does not allow things like
_acme-challenge.some-host.some.domain TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"
because there is no zone
some-host.some.domain

I am pretty sure that is not correct, but we can't help unless you
show your work.  If you need to specify the zone to update, you can
and should.  BIND's nsupdate(8) and other dynamic DNS clients allow
you to do this.

With this file
- - -
server localhost
debug
ttl 3600
add _acme-challenge.imap.lrau.net.  3600 TXT  "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"
show
send
answer
- - -
I get:
- - -
# nsupdate -k /usr/local/etc/namedb/dns-keys/ddns-key.conf ~/admin/ns-update-example.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;lrau.net. IN SOA

;; UPDATE SECTION:
_acme-challenge.imap.lrau.net. 3600 IN TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"

Sending update to ::1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  41111
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;lrau.net. IN SOA

;; UPDATE SECTION:
_acme-challenge.imap.lrau.net. 3600 IN TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"

;; TSIG PSEUDOSECTION:
ddns-key. 0 ANY TSIG hmac-sha256. 1584206515 300 32 . . . 41111 NOERROR 0 


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  41111
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;lrau.net. IN SOA

;; TSIG PSEUDOSECTION:
ddns-key. 0 ANY TSIG hmac-sha256. 1584206515 300 32 . . . 41111 NOERROR 0 

Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  41111
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;lrau.net. IN SOA

;; TSIG PSEUDOSECTION:
ddns-key. 0 ANY TSIG hmac-sha256. 1584206515 300 32 . . . 41111 NOERROR 0 

# dig _acme-challenge.imap.lrau.net.  @localhost

; <<>> DiG 9.16.0 <<>> _acme-challenge.imap.lrau.net. @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6153
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 404b9f34e94920a4ef3dd3065e6d14308acdeabfe0744b88 (good)
;; QUESTION SECTION:

;; AUTHORITY SECTION:
lrau.net. 3600 IN SOA ns4.lrau.net. hostmaster.lrau.net. 2020030850 86400 7200 604800 3600

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Mar 14 17:28:16 UTC 2020
;; MSG SIZE  rcvd: 145

(pki_dev_p37) [root@hermes /usr/local/py_venv/pki_dev_p37/src]# 

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


[RESOLVED] Re: TXT with dot in NAME for ACME via dynamic update (Axel Rau)

Axel Rau


> On 14.03.2020 at 19:21, Timothe Litt <[hidden email]> wrote:
>
> dig _acme-challenge.imap.lrau.net.
>
> is missing a record type.  The default is A.
>
>
> dig _acme-challenge.imap.lrau.net. txt
>
> will likely give you better results
>
Natural. (-;

It seems to work:

;; ANSWER SECTION:
_acme-challenge.imap.lrau.net. 3600 IN TXT "mAtCUMOhsZiajcz5v0ae37-8VRlXFZEyd9csm6ARJYQ"
_acme-challenge.imap.lrau.net. 3600 IN TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"

Here I see what prevented me from running my challenge successfully.
LE's boulder server didn't like more than 1 RR in the RRSET.
Using 'replace' instead of 'add' in dnspython update.Update solves my problem.

I was misdirected by update: 0 here:

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  35882
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

Thanks a lot, Chuck and Timothe for your answers,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



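The fix Axel describes (replace instead of add) comes down to what the UPDATE message carries. The following is an added example, not code from the thread or from dnspython: it builds the RFC 2136 UPDATE message with Python's standard library only, so the difference is visible on the wire. A replace is a delete of the whole TXT RRset at the owner name (class ANY, TTL 0, empty RDATA) followed by one add, which is why boulder then sees a single TXT. The zone, owner name and token are the ones quoted in the thread; TSIG signing is left out.

```python
# Added example (not from the thread or dnspython): encode an RFC 2136 UPDATE
# that replaces the _acme-challenge TXT RRset. TSIG is omitted; the ADCOUNT
# would carry it in a real, authenticated update.
import struct

OPCODE_UPDATE = 5
CLASS_IN, CLASS_ANY = 1, 255
TYPE_SOA, TYPE_TXT = 6, 16


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted owner name (trailing dot optional), uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: one <character-string> per 255-octet chunk."""
    raw = text.encode("ascii")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record in wire form: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_replace_txt_update(zone: str, owner: str, ttl: int, token: str, msg_id: int = 0) -> bytes:
    """UPDATE message: delete every TXT at owner (RFC 2136 2.5.2), then add one TXT."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1,   # ZOCOUNT: one zone (what nsupdate prints as "ZONE: 1")
                         0,   # PRCOUNT: no prerequisites
                         2,   # UPCOUNT: delete-RRset + add
                         0)   # ADCOUNT: no TSIG in this example
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete_rrset = rr(owner, TYPE_TXT, CLASS_ANY, 0, b"")      # class ANY, TTL 0, no RDATA
    add_one = rr(owner, TYPE_TXT, CLASS_IN, ttl, txt_rdata(token))
    return header + zone_section + delete_rrset + add_one


def update_counts(wire: bytes):
    """Return (ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT) from a wire message header."""
    return struct.unpack("!HHHH", wire[4:12])
```

A plain "add" would send only the second record, so repeated challenges accumulate TXT records in the RRset instead of replacing the previous one.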