Mailinglist Archive: opensuse (389 mails)

[opensuse] Why are nsupdate changes not persistent?
Hi - This has been a difficult journey but I believe I have now
configured my bind (named) service to accept updates using nsupdate to
one of my zones. It seems to be working but when I restart the
named.service the updates I made using nsupdate do not persist. I will
try to show as much info as I can and hopefully some nice guru will tell
me what I need to do to get these changes to persist (sensitive info
redacted of course). I am running under openSUSE Leap 15.0. My named
service is configured to run split-brain with 3 views -
localhost.resolver, internal, and external. I have a zone for
example.com, defined in all 3 views.

The first thing I did was create a new TSIG (Transaction SIGnature) key -


cd /etc/letsencrypt
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST letsencrypt

Next I extracted the key from the created .key file and added a key
definition in named.conf -

key "letsencrypt" {
  algorithm hmac-sha512;
  secret "xxxxxxxxxxxxxxxxxxxxxxxxxxx...";
}

In each of the zone configuration files I set up the zone for
example.com as follows -

local_zones.conf -

zone "example.com" in {
    file "/etc/named.d/local/master/example.com";
    type master;
    allow-transfer { none; };
    allow-update {
        key "letsencrypt";
    };
};

external_zones.conf -

zone "example.com" in {
    type master;
    allow-transfer { "aclID"; };
    also-notify { xxx.xxx.xxx.xxx; yyy.yyy.yyy.yyy; };
    file "/etc/named.d/external/master/example.com";
    allow-query { any; };
    allow-update {
        key "letsencrypt";
    };
};

internal_zones.conf -

zone "example.com" in {
    file "/etc/named.d/internal/master/example.com";
    type master;
    allow-transfer { none; };
    allow-query { any; };
    allow-update {
        key "letsencrypt";
    };
};

To test nsupdate I created a file called test.txt, shown below;
ns1.example.com will access my named service via the external interface -

cat test.txt
server ns1.example.com
debug yes
zone example.com.
update add foo.example.com. 86400 TXT "bar"
show
send

With this setup I tested the update process as follows -

systemctl restart named.service

nsupdate -k /etc/letsencrypt/Kletsencrypt.+165+56715.key -v ./test.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;example.com.          IN      SOA

;; UPDATE SECTION:
foo.example.com. 86400 IN      TXT     "bar"

Sending update to xxx.xxx.xxx.xxxx#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  36698
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.          IN      SOA

;; UPDATE SECTION:
foo.example.com. 86400 IN      TXT     "bar"

;; TSIG PSEUDOSECTION:
letsencrypt.            0       ANY     TSIG    hmac-sha512.
REDACTED_KEY 36698 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  36698
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.          IN      SOA

;; TSIG PSEUDOSECTION:
letsencrypt.            0       ANY     TSIG    hmac-sha512.
REDACTED_KEY 36698 NOERROR 0


and using dig demonstrates that indeed the new TXT record was added -

dig +short -t txt foo.example.com "bar"
"bar"

So I know that at least the update was recorded in the bind journal
file. But if/when I restart the named.service I discover that the update
was not persisted back into the configuration for example.com -

systemctl restart named.service

dig +short -t txt foo.example.com "bar"



Dig returns nothing, nada...  I don't think it is a permissions issue
that is causing the failure to persist the update either; all the
/etc/named.d files and subdirectories have ownership set to "root:named"
and both "root" and the group "named" have rw permissions. The
named.service is running under the system user "named", and that system
user belongs to the system group "named". I am not finding anything in
the log files either that gives me a clue as to why the persistence is
not occurring, but I suspect there is something going on when the
named.service is stopped causing its journal to not be written back
into the example.com domain configuration files. I am by no means an
expert on systemd and have reached the limits of my ability to grok why
nsupdate changes are not being persisted. Any kind suggestions from the
gurus will be much appreciated! ;-)

     Marc..


--
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software
and new applications.
To boldly go where no Marc has gone before!
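The post copies the secret out of the dnssec-keygen `.key` file into the named.conf `key` statement by hand. The script below, added here as an example and not code from the original post or from BIND, does that step mechanically so a truncated or mistyped secret cannot silently produce a key that named rejects or that nsupdate signs with a different value than the server expects. It relies on two documented conventions: the `.key` file holds one KEY record (`<name>. IN KEY <flags> <protocol> <algorithm> <base64-secret>`), and the file name `K<name>.+<alg>+<id>.key` repeats the algorithm number, so the two can be cross-checked (165 is the number dnssec-keygen uses for HMAC-SHA512, matching the `Kletsencrypt.+165+56715.key` name in the post). The key material in `SAMPLE_KEY_FILE` is constructed sample data, not anyone's real secret.

```python
"""Build a named.conf TSIG ``key`` statement from a dnssec-keygen key file.

Added example, not code from the original post or from BIND. The .key file
format (``<name>. IN KEY <flags> <protocol> <algorithm> <base64-secret>``)
and the ``K<name>.+<alg>+<id>.key`` file-name convention are BIND's; the
secret below is constructed sample data, not a real key.
"""
import base64
import re

# Algorithm numbers dnssec-keygen assigns to HMAC (TSIG) keys, with the
# algorithm name named.conf expects and the digest size in bytes, which is
# the secret length ``-b`` produces when set to the full digest width.
TSIG_ALGORITHMS = {
    157: ("hmac-md5", 16),
    161: ("hmac-sha1", 20),
    162: ("hmac-sha224", 28),
    163: ("hmac-sha256", 32),
    164: ("hmac-sha384", 48),
    165: ("hmac-sha512", 64),
}

_KEY_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+KEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<secret>.+)$"
)
_KEY_FILENAME = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})\.key$")

# Constructed sample: a 64-byte secret, the size ``-a HMAC-SHA512 -b 512`` yields.
SAMPLE_SECRET_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KEY_FILE = (
    "; This is a TSIG key -- constructed sample data for the example\n"
    "letsencrypt. IN KEY 512 3 165 %s\n" % SAMPLE_SECRET_B64
)


def algorithm_from_filename(filename):
    """Return the algorithm number encoded in ``K<name>.+<alg>+<id>.key``."""
    m = _KEY_FILENAME.match(filename)
    if not m:
        raise ValueError("not a dnssec-keygen key file name: %r" % filename)
    return int(m.group("alg"))


def parse_tsig_key_file(text, filename=None):
    """Parse the KEY record and return (key name, algorithm name, base64 secret).

    Comment lines (';') are skipped. A malformed record, a non-HMAC algorithm,
    undecodable base64, or a file name whose algorithm disagrees with the
    record raises ValueError instead of producing a stanza named will reject.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RECORD.match(line)
        if not m:
            raise ValueError("unrecognised KEY record: %r" % line)
        alg = int(m.group("alg"))
        if alg not in TSIG_ALGORITHMS:
            raise ValueError("algorithm %d is not an HMAC (TSIG) algorithm" % alg)
        if filename is not None and algorithm_from_filename(filename) != alg:
            raise ValueError("file name and KEY record disagree on the algorithm")
        # The base64 may be wrapped across whitespace; rejoin before decoding.
        secret_b64 = "".join(m.group("secret").split())
        base64.b64decode(secret_b64, validate=True)  # fail early on a bad copy
        return m.group("name").rstrip("."), TSIG_ALGORITHMS[alg][0], secret_b64
    raise ValueError("no KEY record found")


def secret_is_full_length(alg_name, secret_b64):
    """True when the secret has the algorithm's full digest width.

    TSIG accepts shorter secrets, so this is a sanity check rather than an
    error: a secret shorter than the digest usually means a truncated paste.
    """
    expected = {name: size for name, size in TSIG_ALGORITHMS.values()}[alg_name]
    return len(base64.b64decode(secret_b64, validate=True)) == expected


def key_stanza(name, alg_name, secret_b64):
    """Render the named.conf ``key`` statement for the parsed key."""
    return 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' % (
        name, alg_name, secret_b64)


if __name__ == "__main__":
    name, alg, secret = parse_tsig_key_file(
        SAMPLE_KEY_FILE, "Kletsencrypt.+165+56715.key")
    print(key_stanza(name, alg, secret), end="")
    print("full-length secret:", secret_is_full_length(alg, secret))
```

Feed it the real `.key` file and its file name and paste the printed stanza into named.conf; the same key name is what `nsupdate -k` signs with, and the TSIG pseudosection in the debug output above shows the name (`letsencrypt.`) and algorithm (`hmac-sha512.`) the server saw, so a mismatch between stanza and key file shows up there as a signature failure rather than as an accepted update.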

