Cannot get nsupdate to work (for letsencrypt acme.sh client)

Mark Andrews marka at isc.org
Wed Aug 5 00:33:26 UTC 2020


Thanks for the full details.

Your key name usage is not consistent.  acmesh-ottawatch != ottawatch-acmesh

Why are you adding `check-names warn;`?  check-names does NOT apply to TXT
records.

Mark

> On 5 Aug 2020, at 08:44, Brett Delmage <Brett at BrettDelmage.ca> wrote:
> 
> I'm having a problem getting nsupdate to work, as shown below.
> 
> (Despite reading the man pages I'm not 100% clear about the exact scope of the grant options and it may not be right. Examples would be helpful.)
> 
> I generated the key:
> 
> ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
> # To activate this key, place the following in named.conf, and
> # in a separate keyfile on the system or systems from which nsupdate
> # will be run:
> key "acmesh-ottawatch." {
>        algorithm hmac-sha256;
>        secret <deleted>;
> };
> 
> - this is included in my named.conf
> My config file zone entry has the statements
> 
> check-names warn;
> update-policy {  grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;  };
> to permit the update and limit the scope.
> 
> As I understand, I need check-names (warn | ignore) because _acme-challenge has an underscore. (How the heck did LE come up with an incompatible name?)
> 
> 
> Here's my nsupdate script:
> # cat test-acme
> 
> server cacloud.ottawatch.ca
> zone ottawatch.ca
> debug
> update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
> send
> 
> 
> # nsupdate -k acmesh-ottawatch.ca test-acme
> 
> Sending update to 2607:7b00:7200:1::281a:5de2#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  42504
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;ottawatch.ca.                  IN      SOA
> 
> ;; UPDATE SECTION:
> _acme-challenge.ottawatch.ca. 999 IN    TXT     "test 1"
> 
> ;; TSIG PSEUDOSECTION:
> acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0
> 
> 
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  42504
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;ottawatch.ca.                  IN      SOA
> 
> ;; TSIG PSEUDOSECTION:
> acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0
> 
> Sending update to 2607:7b00:7200:1::281a:5de2#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  32884
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;ottawatch.ca.                  IN      SOA
> 
> ;; TSIG PSEUDOSECTION:
> acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0
> 
> 
> 
> # dig _acme-challenge.ottawatch.ca. txt
> - the TXT RR has not been added
> 
> ; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: f735fda5ecb94793010000005f29e1bed617055d59cb5d75 (good)
> ;; QUESTION SECTION:
> ;_acme-challenge.ottawatch.ca.  IN      TXT
> 
> ;; AUTHORITY SECTION:
> ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug 04 18:31:26 EDT 2020
> ;; MSG SIZE  rcvd: 140
> 
> 
> What am I missing or doing wrong, please?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
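The mismatch Mark points out (the TSIG key is defined as acmesh-ottawatch. but the update-policy grants ottawatch-acmesh.) is easy to miss by eye, and the server's only feedback is REFUSED. The following is an added example, not code from BIND, ISC or either poster: a small Python checker that parses the `key` statements and `update-policy` rules out of a named.conf fragment, reports grants whose identity matches no defined key, and evaluates whether a given TSIG-signed update would pass the policy for the `name` and `subdomain` nametypes. The two configurations embedded in it are constructed from the names in the thread (the broken one as posted, and a fixed one with the grant identity corrected and `check-names` left out, since it does not apply to TXT). Assumptions, beyond those labelled in the comments: key names are compared as DNS names (case-insensitive, trailing dot optional), rules are checked in order with the first match deciding, and a rule with no type list permits every type except RRSIG, NS, SOA, NSEC and NSEC3.

```python
"""Cross-check BIND update-policy grant identities against defined TSIG keys.

Added example (not BIND's own tooling). The parser is a regex over a
named.conf fragment, enough for key statements and update-policy blocks;
it is not a full named.conf grammar.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the configuration from the post. The key is defined
# as acmesh-ottawatch. but the grant names ottawatch-acmesh., so the
# signed update matches no rule and is REFUSED.
BROKEN_CONF = """
key "acmesh-ottawatch." {
        algorithm hmac-sha256;
        secret "<deleted>";   # placeholder, not a real secret
};
zone "ottawatch.ca" {
        type master;
        file "ottawatch.ca.zone";
        check-names warn;
        update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
};
"""

# Constructed sample: same zone, grant identity now equal to the key name,
# and check-names dropped (it does not apply to TXT records).
FIXED_CONF = """
key "acmesh-ottawatch." {
        algorithm hmac-sha256;
        secret "<deleted>";   # placeholder, not a real secret
};
zone "ottawatch.ca" {
        type master;
        file "ottawatch.ca.zone";
        update-policy { grant acmesh-ottawatch. name _acme-challenge.ottawatch.ca. TXT; };
};
"""

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_KEY_RE = re.compile(r'\bkey\s+"?([^"\s{;]+)"?\s*\{')
_POLICY_RE = re.compile(r"\bupdate-policy\s*\{(.*?)\};", re.S)
_RULE_RE = re.compile(r"\b(grant|deny)\s+([^;]+?)\s*;")

# Types a rule with no explicit type list does not cover (assumed BIND default).
_DEFAULT_EXCLUDED = {"rrsig", "ns", "soa", "nsec", "nsec3"}


@dataclass
class Rule:
    action: str                 # "grant" or "deny"
    identity: str               # TSIG key name as written in the rule
    nametype: str               # "name", "subdomain", "zonesub", ...
    name: Optional[str]         # target name, None for nametypes without one
    types: Tuple[str, ...]      # RR types as written; empty means default set


def canon(name: str) -> str:
    """Normalise a DNS name for comparison: unquote, lowercase, drop trailing dot."""
    return name.strip('"').lower().rstrip(".")


def strip_comments(conf: str) -> str:
    return _COMMENT_RE.sub("", conf)


def defined_keys(conf: str) -> Set[str]:
    """Canonical names of every `key "..." { ... };` statement in the fragment."""
    return {canon(m.group(1)) for m in _KEY_RE.finditer(strip_comments(conf))}


def policy_rules(conf: str) -> List[Rule]:
    """All grant/deny rules from every update-policy block, in file order."""
    rules: List[Rule] = []
    for block in _POLICY_RE.finditer(strip_comments(conf)):
        for m in _RULE_RE.finditer(block.group(1)):
            toks = m.group(2).split()
            identity, nametype = toks[0], toks[1].lower()
            if nametype == "zonesub":           # zonesub takes no name field
                name, types = None, tuple(toks[2:])
            else:
                name = toks[2] if len(toks) > 2 else None
                types = tuple(toks[3:])
            rules.append(Rule(m.group(1).lower(), identity, nametype, name, types))
    return rules


def unmatched_grants(conf: str) -> List[Rule]:
    """Rules whose identity is not a defined key: these can never match a TSIG."""
    keys = defined_keys(conf)
    return [r for r in policy_rules(conf) if canon(r.identity) not in keys]


def update_allowed(conf: str, signing_key: str, target: str, rrtype: str) -> bool:
    """Would an update to (target, rrtype) signed with signing_key be accepted?

    Only the `name` and `subdomain` nametypes are modelled; others raise.
    """
    if canon(signing_key) not in defined_keys(conf):
        return False                            # unknown key: TSIG fails before policy
    tgt, rt = canon(target), rrtype.lower()
    for r in policy_rules(conf):
        if canon(r.identity) != canon(signing_key):
            continue
        if r.nametype == "name":
            hit = tgt == canon(r.name or "")
        elif r.nametype == "subdomain":
            base = canon(r.name or "")
            hit = tgt == base or tgt.endswith("." + base)
        else:
            raise ValueError(f"nametype {r.nametype!r} not modelled here")
        if not hit:
            continue
        if r.types:
            if not any(t.lower() in ("any", rt) for t in r.types):
                continue
        elif rt in _DEFAULT_EXCLUDED:
            continue
        return r.action == "grant"              # first matching rule decides
    return False


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        bad = unmatched_grants(conf)
        ok = update_allowed(conf, "acmesh-ottawatch.", "_acme-challenge.ottawatch.ca.", "TXT")
        print(f"{label}: keys={sorted(defined_keys(conf))} unmatched={[r.identity for r in bad]} "
              f"acme TXT update allowed={ok}")
```

Run it against your own named.conf (or the zone fragment) before the first certificate issuance; a non-empty `unmatched_grants` result is exactly the condition that produces REFUSED with a good TSIG. Note that the argument to `nsupdate -k` is a key file path, and the name inside that file is what appears in the TSIG pseudosection and is matched against the grant identity, so the file name itself is irrelevant to the check.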


