<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello Bind Users,</p>
<p>I have been working on upgrading my Bind 9.11.2 server (running
on a Linux system, OpenSuSE Leap 15) so that I can accept DNS
challenges/verification from/for LetsEncrypt certificates, and I
am running into a wall trying to get nsupdate (and rndc which I
wanted to use to test the server with) to work with the server. So
I hope some kind guru here can lead me into the light cuz I am
lost....</p>
<p>My configuration is really not all that complicated, I am running
the server on a firewall computer that supports other services
such as web and email services also. I have a SOHO internal
network behind the firewall computer. I have configured the Bind
(named) server with the 3 standard views - localhost.resolver,
internal, and external. Since I support a number of virtual hosts
and real hosts I have quit a few zones defined for each view. For
regular queries and things like zone transfers the server is
performing OK.</p>
<p>That said I will show what I think are the relevant definitions
from my configuration files, with sensitive info redacted of
course, and follow on with questions I have -</p>
<p>named.conf -<br>
</p>
<p>There is a bunch of stuff at the beginning of this file, but I
think it is irrelevant to this issue. Correct me if I am wrong and
I will be happy to post it...<br>
</p>
<p>
<blockquote type="cite">include "/etc/rndc.key"; <br>
controls {<br>
inet * port 953<br>
allow { any; } keys { "rndc-key"; };<br>
};<br>
view "localhost_resolver"<br>
{<br>
match-clients { localhost; };<br>
match-destinations { localhost; };</blockquote>
... more stuff here but I don't think it is relevant<br>
<blockquote type="cite">
include "/etc/named.d/local/local_zones.conf";<br>
}<br>
</blockquote>
<blockquote type="cite">view "internal" { <br>
match-clients { 192.168.10.0/24; };<br>
match-destinations { 192.168.10.0/24; };<br>
recursion yes;<br>
</blockquote>
... more stuff here but I don't think it is relevant <br>
</p>
<p>
<blockquote type="cite">include
"/etc/named.d/internal/internal_zones.conf";<br>
};<br>
</blockquote>
</p>
<p>
<blockquote type="cite">view "external" { <br>
match-clients { any; };<br>
match-destinations { any; };<br>
recursion no;
</blockquote>
... more stuff here but I don't think it is relevant </p>
<p>
<blockquote type="cite"> include
"/etc/named.d/external/external_zones.conf";<br>
};<br>
</blockquote>
</p>
<p>This seems pretty straightforward configuration in named.conf.
The configuration of a zone in the external view typically looks
like this -</p>
<p>zone "mydomain.com" in {<br>
file "/etc/named.d/external/master/mydomain.com";<br>
type master;<br>
allow-transfer { "dnsmadeeasy1"; };<br>
also-notify { xx.xxx.xx.xxx; yyy.yyy.yy.yyy; zzz.zzz.zz.zz; };<br>
allow-query { any; };<br>
allow-update {<br>
key "letsencrypt";<br>
};<br>
};</p>
<p>And this is what is in rndc.conf -</p>
<p>
<blockquote type="cite">key "rndc-key" {<br>
algorithm hmac-md5;<br>
secret "secretkeycodehere";<br>
};<br>
options {<br>
default-key "rndc-key";<br>
default-server localserver;<br>
default-port 953;<br>
};<br>
server localserver {<br>
addresses { 127.0.0.1 port 953; };<br>
key "rndc-key"; <br>
};<br>
server intserver {<br>
addresses { 192.168.10.100 port 953; };<br>
key "rndc-key"; <br>
};<br>
server extserver {<br>
addresses { xxx.yyy.zzz.aaa port 953; };<br>
key "rndc-key"; <br>
};</blockquote>
</p>
<p>Again, straightforward, and as I said normal queries do work....
However when I use rndc to poke at it, this is what happens -</p>
<p>
<blockquote type="cite"># rndc showzone mydomain.com in external<br>
WARNING: key file (/etc/rndc.key) exists, but using default
configuration file (/etc/rndc.conf)<br>
rndc: 'showzone' failed: failure<br>
</blockquote>
</p>
<p>I don't understand why I am getting the warning, seems like a so
what since the keys are identical in both locations. (I couldn't
figure out if it is possible to use an include statement instead
of the key definition in rndc.conf) As for the failure when I
asked it to do a showzone, I don't have a clue as to why this is
failing. Log files are not helpful (and neither is this error
message for that matter!)</p>
<p>I am also experiencing problems with nsupdate in that changes I
make with it are not persistent across a restart of the named
service. To demonstrate this I have a file called test.txt -</p>
<p> debug yes<br>
zone mydomain.com.<br>
update add test.mydomain.com. 86400 TXT "bar" <br>
show<br>
send<br>
</p>
<p>and if I use it as follows this is what I see -</p>
<p>
<blockquote type="cite"># nsupdate -k
/etc/letsencrypt/james/Kletsencrypt.+165+56715.key -v ./test.txt<br>
</blockquote>
I get lots of output and no indication of any problems. Using dig
to see if the update indeed works -</p>
<p>
<blockquote type="cite"> # dig +short -t txt test.mydomain.com
"bar"<br>
"bar"<br>
</blockquote>
</p>
<p>it works, but if I restart the named service, no joy -</p>
<blockquote type="cite">
<p># systemctl restart named.service</p>
<p># dig +short -t txt test.mydomain.com "bar"</p>
<p>#<br>
</p>
<p><br>
</p>
</blockquote>
<br>
the update is not persistent! Any ideas? Thanks in advance for
helping me resolve these issues. Marc...<br>
<br>
<p><br>
<br>
</p>
<div class="moz-signature">-- <br>
<b>Computers: the final frontier. These are the voyages of the
user Marc.<br>
His mission: to explore strange new hardware. To seek out new
software and new applications.<br>
To boldly go where no Marc has gone before!<br>
</b>
</div>
</body>
</html>