setting up bind to work with nsupdate (SERVFAIL)
- by funny_ha_ha
I'm trying to update my DNS-Server dynamically using nsupdate.
Prerequisite
I'm using Debian 6 on my DNS-Server and Debian 4 on my client.
I created a public/private key pair using:
dnssec-keygen -C -a HMAC-MD5 -b 512 -n USER sub.example.com.
I then edited my named.conf.local to contain my public key and the new zone i wish to update. It now looks like this (note: I also tried allow-update { any; }; without success):
zone "example.com" {
type master;
file "/etc/bind/primary/example.com";
notify yes;
allow-update { none; };
allow-query { any; };
};
zone "sub.example.com" {
type master;
file "/etc/bind/primary/sub.example.com";
notify yes;
allow-update { key "sub.example.com."; };
allow-query { any; };
};
key sub.example.com. {
algorithm HMAC-MD5;
secret "xxxx xxxx";
};
Next, I copied the private key file (key.private) to another server I want to update the zone from. I also created a textfile (update) on this server which contained the update information (note: I tried toying around with this stuff too. no success):
server example.com
zone sub.example.com
update add sub.example.com. 86400 A 10.10.10.1
show
send
Now I'm trying to update the zone using:
nsupdate -k key.private -v update
The Problem
Said command gives me the following output:
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;sub.example.com. IN SOA
;; UPDATE SECTION:
sub.example.com. 86400 IN A 10.10.10.1
update failed: SERVFAIL
named debug Level 3 gives me the following information when I issue the nsupdate command on the remote server (note: I obfuscated the client IP):
06-Aug-2012 14:51:33.977 client X.X.X.X#33182: new TCP connection
06-Aug-2012 14:51:33.977 client X.X.X.X#33182: replace
06-Aug-2012 14:51:33.978 clientmgr @0x2ada3c7ee760: createclients
06-Aug-2012 14:51:33.978 clientmgr @0x2ada3c7ee760: recycle
06-Aug-2012 14:51:33.978 client @0x2ada475f1120: accept
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: read
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: TCP request
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: request has valid signature
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: recursion not available
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: update
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: send
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: sendto
06-Aug-2012 14:51:33.979 client X.X.X.X#33182: senddone
06-Aug-2012 14:51:33.979 client X.X.X.X#33182: next
06-Aug-2012 14:51:33.979 client X.X.X.X#33182: endrequest
06-Aug-2012 14:51:33.979 client X.X.X.X#33182: read
06-Aug-2012 14:51:33.986 client X.X.X.X#33182: next
06-Aug-2012 14:51:33.986 client X.X.X.X#33182: request failed: end of file
06-Aug-2012 14:51:33.986 client X.X.X.X#33182: endrequest
06-Aug-2012 14:51:33.986 client X.X.X.X#33182: closetcp
But it doesn't do anything. The zone isn't updated, nor does my nsupdate change anything. I'm not sure if the file /etc/bind/primary/sub.example.com should exist prior to the first update or not. I tried it without the file, with an empty file and with a pre-configured zone file. Without success.
The sparse information I found on the net pointed me towards file and folder permissions regarding the bind working directory, so I changed the permissions of both /etc/bind and /var/cache/bind (which is the home dir of my "bind" user).
I'm not a 100% sure if the permissions are correct.. but it looks good to me:
ls -lah /var/cache/bind/
total 224K
drwxrwxr-x 2 bind bind 4.0K Aug 6 03:13 .
drwxr-xr-x 12 root root 4.0K Jul 21 11:27 ..
-rw-r--r-- 1 bind bind 211K Aug 6 03:21 named.run
ls -lah /etc/bind/
total 72K
drwxr-sr-x 3 bind bind 4.0K Aug 6 14:41 .
drwxr-xr-x 87 root root 4.0K Jul 30 01:24 ..
-rw------- 1 bind bind 125 Aug 6 02:54 key.public
-rw------- 1 bind bind 156 Aug 6 02:54 key.private
-rw-r--r-- 1 bind bind 2.5K Aug 6 03:07 bind.keys
-rw-r--r-- 1 bind bind 237 Aug 6 03:07 db.0
-rw-r--r-- 1 bind bind 271 Aug 6 03:07 db.127
-rw-r--r-- 1 bind bind 237 Aug 6 03:07 db.255
-rw-r--r-- 1 bind bind 353 Aug 6 03:07 db.empty
-rw-r--r-- 1 bind bind 270 Aug 6 03:07 db.local
-rw-r--r-- 1 bind bind 3.0K Aug 6 03:07 db.root
-rw-r--r-- 1 bind bind 493 Aug 6 03:32 named.conf
-rw-r--r-- 1 bind bind 490 Aug 6 03:07 named.conf.default-zones
-rw-r--r-- 1 bind bind 1.2K Aug 6 14:18 named.conf.local
-rw-r--r-- 1 bind bind 666 Jul 29 22:51 named.conf.options
drwxr-sr-x 2 bind bind 4.0K Aug 6 03:57 primary/
-rw-r----- 1 root bind 77 Mar 19 02:57 rndc.key
-rw-r--r-- 1 bind bind 1.3K Aug 6 03:07 zones.rfc1918
ls -lah /etc/bind/primary/
total 20K
drwxr-sr-x 2 bind bind 4.0K Aug 6 03:57 .
drwxr-sr-x 3 bind bind 4.0K Aug 6 14:41 ..
-rw-r--r-- 1 bind bind 356 Jul 30 00:45 example.com