Cannot get nsupdate to work (for letsencrypt acme.sh client)

Brett Delmage Brett at BrettDelmage.ca
Tue Aug 4 22:44:56 UTC 2020


I'm having a problem getting nsupdate to work, as shown below.

(Despite reading the man pages I'm not 100% clear about the exact scope of 
the grant options and it may not be right. Examples would be helpful.)

I generated the key:

ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "acmesh-ottawatch." {
         algorithm hmac-sha256;
         secret <deleted>;
};

- this is included in my named.conf
My config file zone entry has the statements

check-names warn;
update-policy {  grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;  };
to permit the update and limit the scope.

As I understand, I need check-names (warn | ignore) because 
_acme-challenge has an underscore. (How the heck did LE come up with an 
incompatible name?)


Here's my nsupdate script:
# cat test-acme

server cacloud.ottawatch.ca
zone ottawatch.ca
debug
update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
send


# nsupdate -k acmesh-ottawatch.ca test-acme

Sending update to 2607:7b00:7200:1::281a:5de2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  42504
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;ottawatch.ca.                  IN      SOA

;; UPDATE SECTION:
_acme-challenge.ottawatch.ca. 999 IN    TXT     "test 1"

;; TSIG PSEUDOSECTION:
acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 
300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  42504
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;ottawatch.ca.                  IN      SOA

;; TSIG PSEUDOSECTION:
acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 
300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0

Sending update to 2607:7b00:7200:1::281a:5de2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  32884
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;ottawatch.ca.                  IN      SOA

;; TSIG PSEUDOSECTION:
acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 
300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0



# dig _acme-challenge.ottawatch.ca. txt
- the TXT RR has not been added

; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f735fda5ecb94793010000005f29e1bed617055d59cb5d75 (good)
;; QUESTION SECTION:
;_acme-challenge.ottawatch.ca.  IN      TXT

;; AUTHORITY SECTION:
ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. 
hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 04 18:31:26 EDT 2020
;; MSG SIZE  rcvd: 140


What am I missing or doing wrong, please?
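As an added example, not part of this post and not BIND's own tooling: a small Python checker that reads a named.conf fragment and flags two things worth catching before an ACME client depends on dynamic updates. First, a grant whose identity does not match any defined key name, since BIND compares the TSIG key name on the incoming update against the grant identity and answers a mismatch with REFUSED and no change to the zone. Second, a grant with no record-type list, which permits every type BIND does not always exclude (RRSIG, NS, SOA, NSEC, NSEC3) and is broader than a dns-01 challenge needs. The fragment below is constructed and modelled on the message above: the secret is a placeholder and the surrounding zone block is assumed.

```python
import re

# Constructed named.conf fragment modelled on the message above. The secret is a
# placeholder and the zone block is assumed; this is not the poster's real file.
SAMPLE_NAMED_CONF = '''
key "acmesh-ottawatch." {
        algorithm hmac-sha256;
        secret "PLACEHOLDER_BASE64_SECRET";
};

zone "ottawatch.ca" {
        type master;
        file "/var/lib/bind/db.ottawatch.ca";
        check-names warn;
        update-policy {
                grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;
        };
};
'''

# 'key "name" {' at the start of a statement; the name may be quoted or bare.
KEY_RE = re.compile(r'^\s*key\s+"?([^"\s{]+)"?\s*\{', re.MULTILINE)
# 'grant|deny <identity> <ruletype> <name> [types...];' inside an update-policy block.
RULE_RE = re.compile(
    r'\b(grant|deny)\s+"?([^"\s]+)"?\s+(\S+)\s+(\S+)((?:\s+[A-Za-z0-9*-]+)*)\s*;')


def canonical(name: str) -> str:
    """Lower-case and make absolute, so 'Acmesh-Ottawatch' and 'acmesh-ottawatch.' compare equal."""
    name = name.strip('"').lower()
    return name if name.endswith('.') else name + '.'


def defined_keys(conf: str) -> set:
    """Names of all key statements in the fragment, in canonical form."""
    return {canonical(m.group(1)) for m in KEY_RE.finditer(conf)}


def policy_rules(conf: str) -> list:
    """Parse grant/deny rules into dicts; types are upper-cased for comparison."""
    return [
        {
            'action': m.group(1),
            'identity': m.group(2).lower(),
            'ruletype': m.group(3).lower(),
            'name': canonical(m.group(4)),
            'types': [t.upper() for t in m.group(5).split()],
        }
        for m in RULE_RE.finditer(conf)
    ]


def find_problems(conf: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    keys = defined_keys(conf)
    problems = []
    for rule in policy_rules(conf):
        ident = rule['identity']
        # Wildcard identities ('*' or '*.example.') are matched by BIND as patterns
        # against the key name, so they need not name a single key; skip them.
        if '*' not in ident and canonical(ident) not in keys:
            problems.append(
                f"{rule['action']} rule for {rule['name']} names identity '{ident}', "
                f"but no key statement defines that name (defined: {sorted(keys) or 'none'}); "
                "an update signed with a differently named TSIG key is REFUSED")
        if rule['action'] == 'grant' and not rule['types']:
            problems.append(
                f"grant for {rule['name']} lists no record types, so it permits every type "
                "BIND does not always exclude; restrict it (e.g. TXT for ACME dns-01)")
    return problems


if __name__ == '__main__':
    for finding in find_problems(SAMPLE_NAMED_CONF) or ['no problems found']:
        print(finding)
```

Run against the constructed fragment, the checker reports that the grant identity names no defined key; editing the grant identity so it matches the key statement's name (or the other way round) clears that finding, and removing the type list from a grant produces the over-broad-grant finding instead.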


More information about the bind-users mailing list