nsupdate apparently not working for me. What am I overlooking / doing wrong?


nsupdate apparently not working for me. What am I overlooking / doing wrong?

Brett Delmage
nsupdate works according to updated contents of a dynamic zonefile
but dig does not report the added A record.

What am I doing stupidly here?

BIND version 1:9.16.5-1+ubuntu18.04.1
- both authoritative and local recursive

zone config:
zone "ottawatch.ca"
         {
         type master;
         file "/var/lib/bind/master/ottawatch.ca";
         allow-transfer { key "pannier-xfer"; };
         notify yes;
         update-policy { grant ddns-key.ottawatch.ca subdomain ottawatch.ca.; };
         };

[do I have the correct update-policy syntax?]
(I also tried "update-policy local" with nsupdate -l, with same results.)


# nsupdate -D -k ddns-key.ottawatch.ca nsupdate.script

nsupdate.script:

server 127.0.0.1
zone ottawatch.ca.
update del ddns-update.ottawatch.ca. a
send
update add ddns-update.ottawatch.ca. 999 a 3.4.5.8
send

zone DB after update and "rndc sync" executed to incorporate .jnl:

$ORIGIN .
$TTL 900        ; 15 minutes
ottawatch.ca            IN SOA  cacloud.ottawatch.ca. hostmaster.ottawatch.ca. (
                                 2020072808 ; serial
                                 900        ; refresh (15 minutes)
                                 180        ; retry (3 minutes)
                                 2419200    ; expire (4 weeks)
                                 900        ; minimum (15 minutes)
                                 )
                         NS      cacloud.ottawatch.ca.
                         NS      pannier.ottawatch.ca.
                         A       206.248.172.47
                         MX      10 mail1.ottawajazzscene.ca.
                         TXT     "v=spf1 a ip4:206.248.172.47 -all"
$ORIGIN ottawatch.ca.
cacloud                 A       23.111.69.176
                         AAAA    2607:7b00:7200:1::281a:5de2
$TTL 999        ; 16 minutes 39 seconds
ddns-update             A       3.4.5.8 <--- nsupdate worked (it seems)
$TTL 900        ; 15 minutes
pannier                 A       206.248.172.47
                         AAAA    2607:f2c0:a000:1d1::73:1



# dig -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a

; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1862
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 195a1192604da78e010000005f20daf7193b36ec5545d879 (good)
;; QUESTION SECTION:
;cacloud.ottawatch.ca.          IN      A

;; ANSWER SECTION:
cacloud.ottawatch.ca.   900     IN      A       23.111.69.176

;; Query time: 0 msec
;; SERVER: 23.111.69.176#53(23.111.69.176)
;; WHEN: Tue Jul 28 22:12:07 EDT 2020
;; MSG SIZE  rcvd: 93

BUT dig does not report the nsupdate-added a record (NXDOMAIN):

# dig -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. a

; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49598
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6db0ccbd0085ecca010000005f20db0f7cdb769b038236f9 (good)
;; QUESTION SECTION:
;ddns-key.ottawatch.ca.         IN      A

;; AUTHORITY SECTION:
ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072808 900 180 2419200 900

;; Query time: 0 msec
;; SERVER: 23.111.69.176#53(23.111.69.176)
;; WHEN: Tue Jul 28 22:12:31 EDT 2020
;; MSG SIZE  rcvd: 133


A record added to the dynamic zone file manually works:

dig -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a

; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8033
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8feed7fd82821e9a010000005f20dc3de1670c37be1dadbc (good)
;; QUESTION SECTION:
;bb.ottawatch.ca.               IN      A

;; ANSWER SECTION:
bb.ottawatch.ca.        900     IN      A       3.4.5.9

;; Query time: 0 msec
;; SERVER: 23.111.69.176#53(23.111.69.176)
;; WHEN: Tue Jul 28 22:17:33 EDT 2020
;; MSG SIZE  rcvd: 88


END OF DETAILS

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

Mark Andrews
Make sure you are using the CORRECT name in the dig query.  You used
ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca.

Also you can delete and add in the same UPDATE operation.  Remove the
first “send” in nsupdate.script.

Also ottawatch.ca has DS records but the zone is not signed.  You need
to fix this as lookups are failing for anyone that is validating responses.

ottawatch.ca. 86400 IN DS 63970 8 1 FE95768ADB2B2F9E87B3C6B4210D4C21766A2EC6
ottawatch.ca. 86400 IN DS 63970 8 2 1139FAEF396A03435BD093ACA623306B3307D11163188D4D5143909D 3CEF76EC

Mark

> On 29 Jul 2020, at 12:30, Brett Delmage <[hidden email]> wrote:

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]
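The two points in the reply above lend themselves to a small check script. What follows is an added example, not code from the thread or from ISC: it builds the single-transaction nsupdate script the reply recommends, parses dig's text output so the verification query is compared against the name that was actually updated (the mismatch in the original post), and classifies the DNSSEC state from a DS query and a DNSKEY query (DS present, no DNSKEY served is the "DS records but the zone is not signed" case). The function names, the `DIG_RIGHT_NAME`/`DIG_DS`/`DIG_DNSKEY_EMPTY` samples and the empty DNSKEY answer are constructed for the example; the other sample is trimmed from the transcript above.

```python
# Added example (not from the bind-users thread). Offline: it works on
# dig output pasted in as strings, so nsupdate/dig need not be installed.
import re


def nsupdate_script(server, zone, name, ttl, rdata, rrtype="A"):
    """Delete and re-add in ONE transaction: a single trailing 'send', so the
    zone never momentarily lacks the record and one TSIG-signed update is
    logged instead of two."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update del {name} {rrtype}",
        f"update add {name} {ttl} {rrtype} {rdata}",
        "send",
        "",
    ])


def parse_dig(output):
    """Pull status, the QUESTION owner name and ANSWER records out of dig's
    text output. Only the sections the checks below need are parsed."""
    m = re.search(r"status: ([A-Z]+)", output)
    status = m.group(1) if m else "NOSTATUS"
    section, question, answers = None, None, []
    for line in output.splitlines():
        if line.startswith(";; QUESTION SECTION:"):
            section = "question"
        elif line.startswith(";; ANSWER SECTION:"):
            section = "answer"
        elif line.startswith(";;"):
            section = None
        elif section == "question" and line.startswith(";"):
            parts = line[1:].split()
            if parts:
                question = parts[0]
        elif section == "answer" and line.strip():
            owner, ttl, _cls, rrtype, rdata = line.split(None, 4)
            answers.append((owner, int(ttl), rrtype, rdata.strip()))
    return {"status": status, "question": question, "answers": answers}


def verify_update(dig_output, updated_name, expected_rdata, rrtype="A"):
    """Return (ok, reason). Comparing the queried name with the updated name
    first is what catches the wrong-name query from the original post."""
    r = parse_dig(dig_output)
    if r["question"] != updated_name:
        return False, f"dig asked about {r['question']}, not {updated_name}"
    if r["status"] != "NOERROR":
        return False, f"status {r['status']}"
    for owner, ttl, t, rdata in r["answers"]:
        if owner == updated_name and t == rrtype and rdata == expected_rdata:
            return True, f"{owner} {ttl} {t} {rdata}"
    return False, "NOERROR but no matching record in ANSWER section"


def dnssec_state(ds_dig_output, dnskey_dig_output):
    """Classify a zone from its DS query (answered by the parent) and its
    DNSKEY query (answered by the child). 'bogus' is the state flagged in
    the reply: validating resolvers will SERVFAIL every name in the zone."""
    ds = [a for a in parse_dig(ds_dig_output)["answers"] if a[2] == "DS"]
    keys = [a for a in parse_dig(dnskey_dig_output)["answers"] if a[2] == "DNSKEY"]
    if ds and not keys:
        return "bogus"      # DS published, but the zone serves no DNSKEY
    if ds and keys:
        return "signed"     # chain exists; key tags must still match
    return "insecure"       # no DS: resolvers do not expect signatures


# Trimmed from the thread's transcript: dig pointed at the wrong name.
DIG_WRONG_NAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49598
;; QUESTION SECTION:
;ddns-key.ottawatch.ca.         IN      A

;; AUTHORITY SECTION:
ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072808 900 180 2419200 900
"""
# Constructed: what a query for the name nsupdate actually changed returns.
DIG_RIGHT_NAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; QUESTION SECTION:
;ddns-update.ottawatch.ca.      IN      A

;; ANSWER SECTION:
ddns-update.ottawatch.ca. 999   IN      A       3.4.5.8
"""
# Constructed around the DS quoted in the reply; DNSKEY answer is empty
# because the zone was being served unsigned at the time.
DIG_DS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; ANSWER SECTION:
ottawatch.ca.           86400   IN      DS      63970 8 1 FE95768ADB2B2F9E87B3C6B4210D4C21766A2EC6
"""
DIG_DNSKEY_EMPTY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; AUTHORITY SECTION:
ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072808 900 180 2419200 900
"""

if __name__ == "__main__":
    print(nsupdate_script("127.0.0.1", "ottawatch.ca.", "ddns-update.ottawatch.ca.", 999, "3.4.5.8"))
    print(verify_update(DIG_WRONG_NAME, "ddns-update.ottawatch.ca.", "3.4.5.8"))
    print(verify_update(DIG_RIGHT_NAME, "ddns-update.ottawatch.ca.", "3.4.5.8"))
    print(dnssec_state(DIG_DS, DIG_DNSKEY_EMPTY))
```

In practice the two dig outputs come from `dig @cacloud.ottawatch.ca ddns-update.ottawatch.ca. A` and, for the DNSSEC check, `dig ottawatch.ca. DS` against a resolver plus `dig @cacloud.ottawatch.ca ottawatch.ca. DNSKEY`; the parser only relies on the section headers dig has printed for years, so it is indifferent to cookie, EDNS and timing lines.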


Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

Brett Delmage
On Wed, 29 Jul 2020, Mark Andrews wrote:

> Make sure you are using the CORRECT name in the dig query.  You used
> ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca.

Thanks Mark... so tired I didn't see that when staring at it.
(Blame grass allergies and terrible heat lately.)

> Also you can delete and add in the same UPDATE operation.  Remove the
> first “send” in nsupdate.script.

Yes, thanks for the tip. I did man nsupdate :-) I had
nsupdate debug enabled earlier, so split it up while testing.

> Also ottawatch.ca has DS records but the zone is not signed.  You need
> to fix this as lookups are failing for anyone that is validating responses.

Again, testing artifact. Domain is actually signed but I disabled that and
took it out of the config to simplify while testing.

Domain is not live for anything now but my kicking around so no harm done
except to eagle eyes like yours who look up DNSSEC chain of trust :-)

Thanks for your second look and premiere response.

Brett

p.s. this Mailman list is slightly misconfigured. I have DKIM signing and
a DMARC policy, so get lots of failure reports when I post to this list.
Any chance you guys could toggle that flag so the list doesn't break DKIM
signing? It's a straight-forward toggle; I use it on Mailman lists I run.