Bind9 forward/reverse zones with multiple TSIG keys

ObNox obnox3 at gmail.com
Tue Jan 29 08:19:47 UTC 2019


Hi,

Following a previous thread (i.e. "Selective forwarding?"), I've started 
to work on a multi-server configuration within 3 sites consisting of a 
primary at Site1 and secondaries at Site2/3. All sites will have DHCP 
servers with DDNS enabled. The secondaries will forward the DDNS updates 
to the primary. That is the ultimate goal.

For that to work, I need to make sure every separated component works as 
expected when configured separately. I'll try to be as exhaustive as 
possible to explain what's going on and hopefully, some expert in the 
audience will find what I'm doing wrong and/or missed.

Because of historical reasons, Site1 is still using Ubuntu 14.04 and the 
future Site2/3 will be using Ubuntu 18.04. There will be an upgrade but 
it must happen after Sites 2/3 are operational.

Site1 : Bind 9.9.5.dfsg-3ubuntu0.18 (upgradable to 9.10.3.dfsg.P4 max)

Site2/3 : Will be 9.11.3+dfsg-1ubuntu1.3 but does not matter right now

I've setup the most basic configuration with a fake "domain.tld" zone to 
play with. The configuration is attached. Yes, there are redundancies 
with the ACL lists but this is a sandbox and it tries to mimic the final 
configuration which will be a bit more complex of course.

The "_key_dhcp" and "_key_domain_tld" files are shaped exactly as 
"rndc-key" and were generated with the same "rndc-confgen" tool.

The zones files are in their simplest form with minimal data to play with.

So, here we go :

With this configuration, everything works as expected, I can query the 
forward and reverse records without problem.

From another host, I try an AXFR:

# dig @10.3.13.53 domain.tld axfr

; <<>> DiG 9.9.5-3ubuntu0.18-Ubuntu <<>> @10.3.13.53 domain.tld axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.

Good! Not allowed by default.

# dig @10.3.13.53 domain.tld axfr -k /path/to/_key_domain_tld

; <<>> DiG 9.9.5-3ubuntu0.18-Ubuntu <<>> @10.3.13.53 domain.tld axfr -k 
/etc/bind/_key_domain_tld
; (1 server found)
;; global options: +cmd
domain.tld.             604800  IN      SOA     dns1.domain.tld. 
root.domain.tld. 2019012901 86400 86400 172800 172800
domain.tld.             604800  IN      NS      dns1.domain.tld.
domain.tld.             604800  IN      A       10.3.13.53
desk.domain.tld.        604800  IN      A       10.3.13.1
dns1.domain.tld.        604800  IN      A       10.3.13.53
gw.domain.tld.          604800  IN      A       10.3.13.254
domain.tld.             604800  IN      SOA     dns1.domain.tld. 
root.domain.tld. 2019012901 86400 86400 172800 172800
key-domain.tld.         0       ANY     TSIG 
hmac-md5.sig-alg.reg.int. 1548745164 300 16 UmYQnMNceR1jIbUufch7Rg== 
14158 NOERROR 0
;; Query time: 0 msec
;; SERVER: 10.3.13.53#53(10.3.13.53)
;; WHEN: Tue Jan 29 07:59:24 CET 2019
;; XFR size: 7 records (messages 1, bytes 280)

Perfect! With the correct key, it works.

Now, the trouble really begins :

1/ I update the zones files to uncomment the "test" record and update 
the serial number

2/ I update "named.conf" to uncomment the "allow-update" statement using 
"key-dhcp"

3/ "named-checkconf" does not complain so "rndc reload"!

Problem : The syslog messages don't show the lines indicating that the 
zones have been reloaded, here's an extract :

Jan 29 08:12:43 dns53 named[3075]: received control channel command 'reload'
Jan 29 08:12:43 dns53 named[3075]: loading configuration from 
'/etc/bind/named.conf'
Jan 29 08:12:43 dns53 named[3075]: reading built-in trusted keys from 
file '/etc/bind/bind.keys'
Jan 29 08:12:43 dns53 named[3075]: using default UDP/IPv4 port range: 
[1024, 65535]
Jan 29 08:12:43 dns53 named[3075]: using default UDP/IPv6 port range: 
[1024, 65535]
Jan 29 08:12:43 dns53 named[3075]: sizing zone task pool based on 7 zones
Jan 29 08:12:43 dns53 named[3075]: automatic empty zone: view LAN: 
10.IN-ADDR.ARPA
Jan 29 08:12:43 dns53 named[3075]: automatic empty zone: view LAN: 
16.172.IN-ADDR.ARPA
Jan 29 08:12:43 dns53 named[3075]: automatic empty zone: view LAN: 
17.172.IN-ADDR.ARPA
[...]
Jan 29 08:12:43 dns53 named[3075]: automatic empty zone: view LAN: 
9.E.F.IP6.ARPA
Jan 29 08:12:43 dns53 named[3075]: automatic empty zone: view LAN: 
A.E.F.IP6.ARPA
Jan 29 08:12:43 dns53 named[3075]: automatic empty zone: view LAN: 
B.E.F.IP6.ARPA
Jan 29 08:12:43 dns53 named[3075]: automatic empty zone: view LAN: 
8.B.D.0.1.0.0.2.IP6.ARPA
Jan 29 08:12:43 dns53 named[3075]: reloading configuration succeeded
Jan 29 08:12:43 dns53 named[3075]: reloading zones succeeded
Jan 29 08:12:43 dns53 named[3075]: all zones loaded
Jan 29 08:12:43 dns53 named[3075]: running

I was expecting the usual messages after a zone change, like previously:

Jan 29 07:48:23 dns53 named[2684]: reloading configuration succeeded
Jan 29 07:48:23 dns53 named[2684]: reloading zones succeeded
Jan 29 07:48:23 dns53 named[2684]: zone 13.3.10.in-addr.arpa/IN/LAN: 
loaded serial 2019012902
Jan 29 07:48:23 dns53 named[2684]: zone domain.tld/IN/LAN: loaded serial 
2019012902
Jan 29 07:48:23 dns53 named[2684]: all zones loaded
Jan 29 07:48:23 dns53 named[2684]: running

So now, with the new "allow-update" statement, the zones are not 
reloaded and this is confirmed by "dig" :

# dig @10.3.13.53 test.domain.tld

; <<>> DiG 9.9.5-3ubuntu0.18-Ubuntu <<>> @10.3.13.53 test.domain.tld
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3395
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.domain.tld.               IN      A

;; AUTHORITY SECTION:
domain.tld.             172800  IN      SOA     dns1.domain.tld. 
root.domain.tld. 2019012901 86400 86400 172800 172800

;; Query time: 0 msec
;; SERVER: 10.3.13.53#53(10.3.13.53)
;; WHEN: Tue Jan 29 08:12:54 CET 2019
;; MSG SIZE  rcvd: 90

The new record "test.domain.tld" is not found and the serial is not the 
new one!

I've tested dozens of combinations with both "allow-transfer" and 
"allow-update" by putting them at the "view" level, "options" level, 
"global" level, etc. and nothing changed.

The directory "/etc/bind" and its contents seem in good shape:

# ls -lA -d /etc/bind
drwxr-sr-x 3 root bind 4096 Jan 29 08:04 /etc/bind

# ls -lA /etc/bind 

total 68
-rw-r--r-- 1 root root 3954 Sep 19 15:15 bind.keys
drwxrwsr-x 2 root bind 4096 Jan 29 07:55 data
-rw-r--r-- 1 root root  237 Sep 19 15:15 db.0
-rw-r--r-- 1 root root  271 Sep 19 15:15 db.127
-rw-r--r-- 1 root root  237 Sep 19 15:15 db.255
-rw-r--r-- 1 root root  353 Sep 19 15:15 db.empty
-rw-r--r-- 1 root root  270 Sep 19 15:15 db.local
-rw-r--r-- 1 root root 3048 Sep 19 15:15 db.root
-rw-r--r-- 1 root bind   83 Jan 29 07:32 _key_dhcp
-rw-r--r-- 1 root bind   83 Jan 29 07:25 _key_domain_tld
-rw-r--r-- 1 root bind 1565 Jan 29 07:55 named.conf
-rw-r--r-- 1 root bind  490 Sep 19 15:15 named.conf.default-zones
-rw-r--r-- 1 root bind  165 Sep 19 15:15 named.conf.local
-rw-r--r-- 1 root bind  890 Jan 28 10:19 named.conf.options
-rw-r--r-- 1 root bind  463 Sep 19 15:15 named.conf_ORIG
-rw-r----- 1 bind bind   77 Jan 28 10:19 rndc.key
-rw-r--r-- 1 root root 1317 Sep 19 15:15 zones.rfc1918

# ls -lA /etc/bind/data/
total 8
-rw-rw-r-- 1 root bind 632 Jan 29 07:55 _domain.tld.rev
-rw-rw-r-- 1 root bind 688 Jan 29 07:55 _domain.tld.zone

So for now I'm lost and I need an expert's PoV to point out what I'm doing 
wrong and/or what I missed!

Sorry for the very long message but I guess the more thorough I'll be, 
the more effective everybody will be :-)

Thank you for any useful clue.

-- 
ObNox
-------------- next part --------------
# ACL
acl acl_ThisHost {
    127.0.0.1;
    10.3.13.53;
};

acl acl_Listeners {
    127.0.0.1;
    10.3.13.53;
};

acl acl_LAN {
    10.3.13.0/24;
};

acl acl_Secondary {
    10.3.13.153;
};


# Options
options {
    directory "/var/cache/bind";

    listen-on {
        acl_Listeners;
    };
};

# Controls
key "rndc-key" {
    algorithm hmac-md5;
    secret "lIsLwDjPIbtv3yHg7wM7Hw==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

include "/etc/bind/_key_dhcp";
include "/etc/bind/_key_domain_tld";

# Views
view "LAN" {
    match-clients {
        acl_ThisHost;
        acl_LAN;
        acl_Secondary;
    };

    allow-query {
        acl_ThisHost;
        acl_LAN;
        acl_Secondary;
    };

    recursion yes;

    zone "domain.tld" {
        type master;
        file "/etc/bind/data/_domain.tld.zone";

        allow-transfer {
            key "key-domain.tld";
        };

        #allow-update {
        #    key "key-dhcp";
        #};
    };

    zone "13.3.10.in-addr.arpa" {
        type master;
        file "/etc/bind/data/_domain.tld.rev";

        allow-transfer {
            key "key-domain.tld";
        };

        #allow-update {
        #    key "key-dhcp";
        #};
    };

    # Default
    include "/etc/bind/named.conf.default-zones";
};

-------------- next part --------------
;# Reverse zone: domain.tld
$TTL  604800
@   SOA   dns1.domain.tld.   dnsmaster.domain.tld.   (
  2019012901   ; Serial
          1H   ; Refresh
          1H   ; Retry
          1D   ; Expire
          1D ) ; Negative Cache TTL

@                   NS      dns1.domain.tld.

254                 PTR     gw.domain.tld.
1                   PTR     desk.domain.tld.
;2                   PTR     test.domain.tld.

-------------- next part --------------
;# Forward zone : domain.tld
$TTL 604800
@       SOA   dns1.domain.tld. root.domain.tld. (
  2019012901   ; Serial
          1D   ; Refresh
          1D   ; Retry
          2D   ; Expire
          2D ) ; Negative Cache TTL

@                   NS      dns1.domain.tld.

@                   A       10.3.13.53
dns1                A       10.3.13.53

gw                  A       10.3.13.254
desk                A       10.3.13.1
;test                A       10.3.13.2



More information about the bind-users mailing list