<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi John, thanks for replying and your
thoughts! I will intersperse my feedback within your comments -<br>
<br>
On 03/13/2019 08:33 PM, John W. Blue wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d851d676c4de4791b717dbc6dfa253db@mail.rrcic.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Marc,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regarding
your rndc problem, I think you might be confusing rndc.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
rndc is invoked with no options, specifically “k”, then rndc
assumes the key it needs is in the rndc.conf file. If
rndc.conf is not present, rndc will use the default rndc.key
file. That said, since rndc knows there is an /etc/rndc.key
file but it choosing to use rndc.conf is the secret the same
in both places?</span></p>
</div>
</blockquote>
Yes<br>
<blockquote type="cite"
cite="mid:d851d676c4de4791b717dbc6dfa253db@mail.rrcic.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">As
an option, instead of including /etc/rndc.key nothing
prevents you from including rndc.conf. That way you are
consistent with your useage.</span></p>
</div>
</blockquote>
I raised an eyebrow at this suggestion thinking oh how cool... but
a quick attempt at including rndc.conf in named.conf lead named to
bellyache about multiple "options" clauses... I will poke at it some
more, as it would be nice to minimize the possibility of getting the
two key definitions out of sync, which is why I tried it from the
other direction using the include statement in rndc.conf...<br>
<blockquote type="cite"
cite="mid:d851d676c4de4791b717dbc6dfa253db@mail.rrcic.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
personally do not use nsupdate, but I thought that key file
had to be created by dnssec-keyen and if you opt to use “k”
then the file suffix on the command line had to be
“.private”.</span></p>
</div>
</blockquote>
Actually I did use dnssec-keygen to generate the key file! ;-) To be
precise -<br>
<blockquote type="cite">dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST
letsencrypt</blockquote>
That generates two files, one is a .key and the other is a .private
It doesn't seem to matter which file I use with nsupdate, it seems
happy with either and both files do contain the private key. In any
event, no matter which I choose the persistence issue remains...<br>
<br>
<blockquote type="cite"
cite="mid:d851d676c4de4791b717dbc6dfa253db@mail.rrcic.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hope
that helps and good hunting!</span></p>
</div>
</blockquote>
At least you confirmed my thinking so far, great minds think
alike! Marc...<br>
<blockquote type="cite"
cite="mid:d851d676c4de4791b717dbc6dfa253db@mail.rrcic.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">John<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">
bind-users [<a class="moz-txt-link-freetext" href="mailto:bind-users-bounces@lists.isc.org">mailto:bind-users-bounces@lists.isc.org</a>]
<b>On Behalf Of </b>Marc Chamberlin via bind-users<br>
<b>Sent:</b> Wednesday, March 13, 2019 6:02 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<b>Subject:</b> rndc and nsupdate failing to work for me<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hello Bind Users,<o:p></o:p></p>
<p>I have been working on upgrading my Bind 9.11.2 server
(running on a Linux system, OpenSuSE Leap 15) so that I can
accept DNS challenges/verification from/for LetsEncrypt
certificates, and I am running into a wall trying to get
nsupdate (and rndc which I wanted to use to test the server
with) to work with the server. So I hope some kind guru here
can lead me into the light cuz I am lost....<o:p></o:p></p>
<p>My configuration is really not all that complicated, I am
running the server on a firewall computer that supports other
services such as web and email services also. I have a SOHO
internal network behind the firewall computer. I have
configured the Bind (named) server with the 3 standard views -
localhost.resolver, internal, and external. Since I support a
number of virtual hosts and real hosts I have quit a few zones
defined for each view. For regular queries and things like
zone transfers the server is performing OK.<o:p></o:p></p>
<p>That said I will show what I think are the relevant
definitions from my configuration files, with sensitive info
redacted of course, and follow on with questions I have -<o:p></o:p></p>
<p>named.conf -<o:p></o:p></p>
<p>There is a bunch of stuff at the beginning of this file, but
I think it is irrelevant to this issue. Correct me if I am
wrong and I will be happy to post it...<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">include "/etc/rndc.key"; <br>
controls {<br>
inet * port 953<br>
allow { any; } keys { "rndc-key"; };<br>
};<br>
view "localhost_resolver"<br>
{<br>
match-clients { localhost; };<br>
match-destinations { localhost; };<o:p></o:p></p>
</blockquote>
<p class="MsoNormal">... more stuff here but I don't think it is
relevant<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> include
"/etc/named.d/local/local_zones.conf";<br>
}<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">view "internal" { <br>
match-clients { 192.168.10.0/24; };<br>
match-destinations { 192.168.10.0/24; };<br>
recursion yes;<o:p></o:p></p>
</blockquote>
<p class="MsoNormal">... more stuff here but I don't think it is
relevant <o:p>
</o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">include
"/etc/named.d/internal/internal_zones.conf";<br>
};<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">view "external" { <br>
match-clients { any; };<br>
match-destinations { any; };<br>
recursion no; <o:p></o:p></p>
</blockquote>
<p class="MsoNormal">... more stuff here but I don't think it is
relevant <o:p>
</o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> include
"/etc/named.d/external/external_zones.conf";<br>
};<o:p></o:p></p>
</blockquote>
<p>This seems pretty straightforward configuration in
named.conf. The configuration of a zone in the external view
typically looks like this -<o:p></o:p></p>
<p>zone "mydomain.com" in {<br>
file "/etc/named.d/external/master/mydomain.com";<br>
type master;<br>
allow-transfer { "dnsmadeeasy1"; };<br>
also-notify { xx.xxx.xx.xxx; yyy.yyy.yy.yyy;
zzz.zzz.zz.zz; };<br>
allow-query { any; };<br>
allow-update {<br>
key "letsencrypt";<br>
};<br>
};<o:p></o:p></p>
<p>And this is what is in rndc.conf -<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">key "rndc-key" {<br>
algorithm hmac-md5;<br>
secret "secretkeycodehere";<br>
};<br>
options {<br>
default-key "rndc-key";<br>
default-server localserver;<br>
default-port 953;<br>
};<br>
server localserver {<br>
addresses { 127.0.0.1 port 953; };<br>
key "rndc-key"; <br>
};<br>
server intserver {<br>
addresses { 192.168.10.100 port 953; };<br>
key "rndc-key"; <br>
};<br>
server extserver {<br>
addresses { xxx.yyy.zzz.aaa port 953; };<br>
key "rndc-key"; <br>
};<o:p></o:p></p>
</blockquote>
<p>Again, straightforward, and as I said normal queries do
work.... However when I use rndc to poke at it, this is what
happens -<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"># rndc showzone mydomain.com in external<br>
WARNING: key file (/etc/rndc.key) exists, but using default
configuration file (/etc/rndc.conf)<br>
rndc: 'showzone' failed: failure<o:p></o:p></p>
</blockquote>
<p>I don't understand why I am getting the warning, seems like a
so what since the keys are identical in both locations. (I
couldn't figure out if it is possible to use an include
statement instead of the key definition in rndc.conf) As for
the failure when I asked it to do a showzone, I don't have a
clue as to why this is failing. Log files are not helpful (and
neither is this error message for that matter!)<o:p></o:p></p>
<p>I am also experiencing problems with nsupdate in that changes
I make with it are not persistent across a restart of the
named service. To demonstrate this I have a file called
test.txt -<o:p></o:p></p>
<p>debug yes<br>
zone mydomain.com.<br>
update add test.mydomain.com. 86400 TXT "bar" <br>
show<br>
send<o:p></o:p></p>
<p>and if I use it as follows this is what I see -<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"># nsupdate -k
/etc/letsencrypt/james/Kletsencrypt.+165+56715.key -v
./test.txt<o:p></o:p></p>
</blockquote>
<p class="MsoNormal">I get lots of output and no indication of
any problems. Using dig to see if the update indeed works -<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> # dig +short -t txt test.mydomain.com
"bar"<br>
"bar"<o:p></o:p></p>
</blockquote>
<p>it works, but if I restart the named service, no joy -<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p># systemctl restart named.service<o:p></o:p></p>
<p># dig +short -t txt test.mydomain.com "bar"<o:p></o:p></p>
<p>#<o:p></o:p></p>
<p><o:p> </o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
the update is not persistent! Any ideas? Thanks in advance
for helping me resolve these issues. Marc...<o:p></o:p></p>
<p style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">-- <br>
<b>Computers: the final frontier. These are the voyages of
the user Marc.<br>
His mission: to explore strange new hardware. To seek out
new software and new applications.<br>
To boldly go where no Marc has gone before!</b><o:p></o:p></p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<p><br>
</p>
<div class="moz-signature">-- <br>
<b>Computers: the final frontier. These are the voyages of the
user Marc.<br>
His mission: to explore strange new hardware. To seek out new
software and new applications.<br>
To boldly go where no Marc has gone before!<br>
</b>
</div>
</body>
</html>