'successful' nsupdate of remote server not persistent across nameserver restart?

/dev/rob0 rob0 at gmx.co.uk
Sun Apr 24 22:25:41 UTC 2016


On Sun, Apr 24, 2016 at 12:04:15PM -0700, jasonsu at mail-central.com wrote:
> I'm doing an nsupdate to a remote server from my desktop
> 
> 	cat nsupdate.txt
> 	 server ns01.example.com
> 	 debug yes
> 	 zone example.net.
> 	 update add test.example.net. 500 in TXT "TEST STRING"
> 	 show
> 	 send
> 
> 	nsupdate -k ./jason-key ./nsupdate.txt
> 
> On the nameserver, logs show what appears to be 'success',
> 
> 	Apr 24 11:47:07 ns01 named[23053]: 24-Apr-2016 11:47:07.949 update-security: info: client 10.0.0.17#4218/key jason-key: view internal: signer "jason-key" approved
> 	Apr 24 11:47:08 ns01 named[23053]: 24-Apr-2016 11:47:07.949 update: info: client 10.0.0.17#4218/key jason-key: view internal: updating zone 'example.net/IN': adding an RR at 'test.example.net' TXT "TEST STRING"
> 
> checking with dig, it's NOT in 'TXT' where I expected it
> 
> 	dig TXT example.net +short
> 		(empty)

As Anand pointed out, you were wrong to expect it there.  That's a 
part of the mystery solved.

> instead it's in 'AXFR'
> 
> 	dig AXFR example.net
> 
> 	; <<>> DiG 9.10.3-P4 <<>> AXFR example.net
> 		;; global options: +cmd
> 		example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5

SOA serial is 1461435298 here ...

> 		example.net.             5       IN      NS      ns01.example.com.
> 		example.net.             5       IN      A       127.0.0.1
> 		test.example.net. 500 IN      TXT     "TEST STRING"
> 		example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5
> 		;; Query time: 1 msec
> 		;; SERVER: 10.0.0.53#53(10.0.0.53)
> 		;; WHEN: Sun Apr 24 11:48:58 PDT 2016
> 		;; XFR size: 5 records (messages 1, bytes 213)
> 
> The journal HAS been modified
> 
> 	cd <named chroot>
> 	grep -rlni acme .
> 		./namedb/master/internal.example.net.zone.jnl
> 
> After a bind restart, which iiuc is supposed to flush the journal to files,

Yes it will, but this is not necessary.

> 	systemctl stop  named.service
> 	systemctl start named.service

(My guess is that the problem occurs here.  What did systemctl do?)

> checking with dig, the update's missing
> 
> 	dig AXFR example.net
> 
> 		; <<>> DiG 9.10.3-P4 <<>> AXFR example.net
> 		;; global options: +cmd
> 		example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5

1461435298 has been reduced to 1461435297, as if the update had never 
happened.

> 		example.net.             5       IN      NS      ns01.example.com.
> 		example.net.             5       IN      A       127.0.0.1
> 		example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5

Another problem with this zone is that the single NS host 
"ns01.example.com." has no A/AAAA records.  This zone would not pass 
named-checkzone, which, interestingly, is the same code which named 
itself uses when initially loading a zone.

> 		;; Query time: 2829 msec
> 		;; SERVER: 10.0.0.53#53(10.0.0.53)
> 		;; WHEN: Sun Apr 24 11:52:32 PDT 2016
> 		;; XFR size: 4 records (messages 1, bytes 178)
> 
> 	cd <named chroot>
> 	grep -rlni acme .
> 		(empty)
> 
> What am I failing to do to make this update persistent across flush/restart, as intended?

What is deleting your journal?  It's not named doing that.

Why was the journal not written to the zone file on exit?  That's 
something named DOES do.

The smoking gun is in the hand of systemctl ...
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
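The diagnosis above rests on comparing the two AXFR captures: the SOA serial went backwards (1461435298 to 1461435297) and the TXT record added by nsupdate is gone, which is exactly what a zone reloaded from a master file whose journal has vanished looks like. The script below is an added example, not code from this thread or from BIND; it parses two `dig AXFR` captures (the thread's own transfers, re-embedded here as constructed sample input), compares the serials under RFC 1982 arithmetic so a legitimate wrap at 2^32 is not misreported, and lists which RRs were lost or added. The function and variable names are mine.

```python
"""Diff two `dig AXFR` captures of the same zone and flag a serial regression.

Added example, not code from the bind-users thread or from BIND. The two
captures below are the transfers quoted in the thread, re-embedded here as
constructed sample input; the record that vanished after the named restart is
the TXT RR that nsupdate added.
"""
import re

# Constructed sample: the AXFR quoted in the thread right after the nsupdate.
AXFR_BEFORE_RESTART = """\
; <<>> DiG 9.10.3-P4 <<>> AXFR example.net
;; global options: +cmd
example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5
example.net.             5       IN      NS      ns01.example.com.
example.net.             5       IN      A       127.0.0.1
test.example.net. 500 IN      TXT     "TEST STRING"
example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435298 7200 1800 604800 5
;; Query time: 1 msec
;; XFR size: 5 records (messages 1, bytes 213)
"""

# Constructed sample: the AXFR quoted in the thread after the named restart.
AXFR_AFTER_RESTART = """\
; <<>> DiG 9.10.3-P4 <<>> AXFR example.net
;; global options: +cmd
example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5
example.net.             5       IN      NS      ns01.example.com.
example.net.             5       IN      A       127.0.0.1
example.net.             5       IN      SOA     ns01.example.com. ns-admin.example.com. 1461435297 7200 1800 604800 5
;; Query time: 2829 msec
;; XFR size: 4 records (messages 1, bytes 178)
"""

# owner  ttl  class  type  rdata: dig prints presentation format, one RR per line
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9-]+)\s+(.*)$")


def parse_axfr(text):
    """Return (soa_serial, set of (owner, type, rdata)) for one dig AXFR capture.

    The SOA is kept out of the RR set: it opens and closes the transfer, and its
    serial is compared separately, so a serial change alone never shows up as a
    'lost' or 'added' record.
    """
    serial = None
    rrs = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # dig banner, global options, query statistics
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable RR line: {line!r}")
        owner, _ttl, _cls, rtype, rdata = m.groups()
        rdata = " ".join(rdata.split())  # collapse dig's column padding
        if rtype == "SOA":
            serial = int(rdata.split()[2])  # MNAME RNAME SERIAL REFRESH ...
            continue
        rrs.add((owner.lower(), rtype, rdata))
    if serial is None:
        raise ValueError("no SOA in capture: transfer refused or truncated?")
    return serial, rrs


def serial_went_backwards(old, new):
    """True if `new` is older than `old` under RFC 1982 serial arithmetic.

    A plain `new < old` would misreport the legitimate wrap from 4294967295 to 0.
    """
    return 0 < (old - new) % (1 << 32) < (1 << 31)


def diff_transfers(before_text, after_text):
    """Compare two captures and report what happened in between."""
    serial_before, before = parse_axfr(before_text)
    serial_after, after = parse_axfr(after_text)
    return {
        "serial_before": serial_before,
        "serial_after": serial_after,
        "serial_regressed": serial_went_backwards(serial_before, serial_after),
        "lost": before - after,
        "added": after - before,
    }


def verdict(result):
    """One-line reading of a diff, in the terms the thread uses."""
    if result["serial_regressed"]:
        return (f"serial fell from {result['serial_before']} to "
                f"{result['serial_after']}: zone was loaded from a master file "
                f"that predates the journal; {len(result['lost'])} RR(s) lost")
    if result["lost"]:
        return f"serial did not regress but {len(result['lost'])} RR(s) are missing"
    return "update persisted"


if __name__ == "__main__":
    r = diff_transfers(AXFR_BEFORE_RESTART, AXFR_AFTER_RESTART)
    print(verdict(r))
    for rr in sorted(r["lost"]):
        print("lost:", *rr)
```

To use it on a live server, save `dig @ns01.example.com AXFR example.net` to a file before the stop and again after the start (the transfer has to be permitted by allow-transfer, as it evidently was in the thread) and feed the two files to `diff_transfers`. Whether or not named merges the journal into the master file on exit, it replays an intact `.jnl` when the zone loads, so the first thing to check after `systemctl stop` is simply whether the journal file still exists; on BIND 9.9 and later, `rndc sync -clean example.net` before the stop folds the journal into the zone file and removes it, which takes the journal's survival out of the equation altogether.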
