<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/14/2019 12:02 AM, Mark Andrews
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:28C03C8F-6753-4321-99F1-76752908935D@isc.org">
<pre wrap="">"rndc showzone" only works if you also have "allow-new-zones yes;” set.</pre>
</blockquote>
Really??? Wow! Thanks Mark! I would never have guessed that, but yes
it does make rndc much happier!<br>
<blockquote type="cite"
cite="mid:28C03C8F-6753-4321-99F1-76752908935D@isc.org">
<pre wrap="">
The last time there was a complaint about UPDATE’s not sticking the
startup procedure was wiping out the changes.</pre>
</blockquote>
OH! That does not bod well, means I got to go and bellyache at the
OpenSuSE developers to see if something is going on with "systemctl
restart named.service" and hopefully this won't degenerate into a
finger pointing contest! ;-) I will go poke around and take a look
at the startup scripts....<br>
<blockquote type="cite"
cite="mid:28C03C8F-6753-4321-99F1-76752908935D@isc.org">
<pre wrap="">
Mark
</pre>
<blockquote type="cite">
<pre wrap="">On 14 Mar 2019, at 10:01 am, Marc Chamberlin via bind-users <a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org"><bind-users@lists.isc.org></a> wrote:
Hello Bind Users,
I have been working on upgrading my Bind 9.11.2 server (running on a Linux system, OpenSuSE Leap 15) so that I can accept DNS challenges/verification from/for LetsEncrypt certificates, and I am running into a wall trying to get nsupdate (and rndc which I wanted to use to test the server with) to work with the server. So I hope some kind guru here can lead me into the light cuz I am lost....
My configuration is really not all that complicated, I am running the server on a firewall computer that supports other services such as web and email services also. I have a SOHO internal network behind the firewall computer. I have configured the Bind (named) server with the 3 standard views - localhost.resolver, internal, and external. Since I support a number of virtual hosts and real hosts I have quit a few zones defined for each view. For regular queries and things like zone transfers the server is performing OK.
That said I will show what I think are the relevant definitions from my configuration files, with sensitive info redacted of course, and follow on with questions I have -
named.conf -
There is a bunch of stuff at the beginning of this file, but I think it is irrelevant to this issue. Correct me if I am wrong and I will be happy to post it...
</pre>
<blockquote type="cite">
<pre wrap="">include "/etc/rndc.key";
controls {
inet * port 953
allow { any; } keys { "rndc-key"; };
};
view "localhost_resolver"
{
match-clients { localhost; };
match-destinations { localhost; };
</pre>
</blockquote>
<pre wrap="">... more stuff here but I don't think it is relevant
</pre>
<blockquote type="cite">
<pre wrap=""> include "/etc/named.d/local/local_zones.conf";
}
view "internal" {
match-clients { 192.168.10.0/24; };
match-destinations { 192.168.10.0/24; };
recursion yes;
</pre>
</blockquote>
<pre wrap="">... more stuff here but I don't think it is relevant
</pre>
<blockquote type="cite">
<pre wrap="">include "/etc/named.d/internal/internal_zones.conf";
};
</pre>
</blockquote>
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">view "external" {
match-clients { any; };
match-destinations { any; };
recursion no;
</pre>
</blockquote>
<pre wrap="">... more stuff here but I don't think it is relevant
</pre>
<blockquote type="cite">
<pre wrap=""> include "/etc/named.d/external/external_zones.conf";
};
</pre>
</blockquote>
<pre wrap="">
This seems pretty straightforward configuration in named.conf. The configuration of a zone in the external view typically looks like this -
zone "mydomain.com" in {
file "/etc/named.d/external/master/mydomain.com";
type master;
allow-transfer { "dnsmadeeasy1"; };
also-notify { xx.xxx.xx.xxx; yyy.yyy.yy.yyy; zzz.zzz.zz.zz; };
allow-query { any; };
allow-update {
key "letsencrypt";
};
};
And this is what is in rndc.conf -
</pre>
<blockquote type="cite">
<pre wrap="">key "rndc-key" {
algorithm hmac-md5;
secret "secretkeycodehere";
};
options {
default-key "rndc-key";
default-server localserver;
default-port 953;
};
server localserver {
addresses { 127.0.0.1 port 953; };
key "rndc-key";
};
server intserver {
addresses { 192.168.10.100 port 953; };
key "rndc-key";
};
server extserver {
addresses { xxx.yyy.zzz.aaa port 953; };
key "rndc-key";
};
</pre>
</blockquote>
<pre wrap="">
Again, straightforward, and as I said normal queries do work.... However when I use rndc to poke at it, this is what happens -
</pre>
<blockquote type="cite">
<pre wrap=""># rndc showzone mydomain.com in external
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
rndc: 'showzone' failed: failure
</pre>
</blockquote>
<pre wrap="">
I don't understand why I am getting the warning, seems like a so what since the keys are identical in both locations. (I couldn't figure out if it is possible to use an include statement instead of the key definition in rndc.conf) As for the failure when I asked it to do a showzone, I don't have a clue as to why this is failing. Log files are not helpful (and neither is this error message for that matter!)
I am also experiencing problems with nsupdate in that changes I make with it are not persistent across a restart of the named service. To demonstrate this I have a file called test.txt -
debug yes
zone mydomain.com.
update add test.mydomain.com. 86400 TXT "bar"
show
send
and if I use it as follows this is what I see -
</pre>
<blockquote type="cite">
<pre wrap=""># nsupdate -k /etc/letsencrypt/james/Kletsencrypt.+165+56715.key -v ./test.txt
</pre>
</blockquote>
<pre wrap="">I get lots of output and no indication of any problems. Using dig to see if the update indeed works -
</pre>
<blockquote type="cite">
<pre wrap=""> # dig +short -t txt test.mydomain.com "bar"
"bar"
</pre>
</blockquote>
<pre wrap="">
it works, but if I restart the named service, no joy -
</pre>
<blockquote type="cite">
<pre wrap=""># systemctl restart named.service
# dig +short -t txt test.mydomain.com "bar"
#
</pre>
</blockquote>
<pre wrap="">
the update is not persistent! Any ideas? Thanks in advance for helping me resolve these issues. Marc...
--
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software and new applications.
To boldly go where no Marc has gone before!
_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<p><br>
</p>
<div class="moz-signature">-- <br>
<b>Computers: the final frontier. These are the voyages of the
user Marc.<br>
His mission: to explore strange new hardware. To seek out new
software and new applications.<br>
To boldly go where no Marc has gone before!<br>
</b>
</div>
</body>
</html>