nsupdate fails with tsig error.

Anthony Ercolano tony-keyword-dhcp.537659 at ercolano.com
Sun Dec 2 01:10:16 UTC 2007


Life becomes much more clear.

If I run nsupdate on a machine with a network address of 10.0.0.37 and  
it sends the update commands to the bind server with a network address  
209.181.88.209 the update fails.

If I take the same machine and give it a network address of  
209.181.88.213 and run the same series of commands with nsupdate the  
update succeeds.

Clearly I don't understand the ramifications of sending the update  
through NAT to the server.

Any thoughts?

On Dec 1, 2007, at 8:43 AM, Glenn Satchell wrote:

>
>> To: dhcp-users at isc.org
>> Subject: Re: nsupdate fails with tsig error.
>> Date: Fri, 30 Nov 2007 10:00:49 -0800
>>
>> I have made several changes to make the dhcpd.conf and the named.conf
>> match more closely what is in the man page.  Results are exactly the
>> same.
>>
>> Question:
>>
>> In order to reduce possible configuration file "noise", on the  
>> machine
>> that has the dhcp server I am testing out doing the dns update using
>> the nsupdate program that  comes with bind.
>>
>> So - Does the nsupdate program use ANY information from the
>> dhcpd.conf (or any other settings external to what is given in the
>> sequence of commands) at all?
>
> No. nsupdate is part of the bind package, it has absolutely no
> dependencies on dhcp or indeed any knowledge of the dhcp package of
> programmes.
>
>> Trying to do the update via nsupdate on the dhcp server machine, it
>> fails with BADSIG
>>
>> Again, here is where I am puzzled:  Using the EXACT same sequence of
>> command to nsupdate on the bind server, the update works.
>>
>> I really wouldn't have thought it mattered at all where the nsupdate
>> came from.
>>
>> This leads me to think that there MUST be something in my named.conf
>> file that is letting "local" updates occur but is preventing non-local.
>> However, I just don't see what that might be.
>
> Yes. That is a good assumption.
>
>> Is there any default cryptographic information that is assumed on the
>> bind server side that is not available to non-local clients?
>
> I don't think so.
>
> In named.conf you don't use quotes around the value of the secret, ie
> it should be:
>
> key ns1-dhcpsrc.ercolano.net. {
> 	algorithm hmac-md5;
> 	secret supersecretsecret==;
> };
>
> And in dhcpd.conf you also don't need quotes around the value of the  
> secret.
>
> key ns1-dhcpsrc.ercolano.net. {
> 	algorithm hmac-md5;
> 	secret supersecretsecret==;
> };
>
> This is the only thing I can see in the included named.conf and
> dhcpd.conf files below that is not right. If this doesn't work, then
> there must be something else not right, but if there is I can't see
> it.
>
> The BIND ARM (available on the web) says about TSIG errors:
>
> 	If a TSIG aware server receives a message with a signature that
> 	does not validate, the response will be unsigned with the TSIG
> 	extended error code set to BADSIG.
>
> So, this says to me the key is invalid. If you use quotes in the conf
> files, then they will become part of the key and could cause it to be
> invalid as they are not valid base 64 characters.
>
> You did restart (not just kill -HUP) both dhcpd and named after
> changing the conf files? (clutching at straws here ... )
> 	
> regards,
> -glenn
>
>> On Nov 29, 2007, at 5:01 AM, Glenn Satchell wrote:
>>
>>> Hi Anthony
>>>
>>> Please have a look at the dhcpd.conf man page, in particular the
>>> section titled DNS UPDATE SECURITY. It has sample configurations for
>>> named.conf and dhcpd.conf. It also includes the statements to set up
>>> logging of dynamic DNS updates on the bind server.
>>>
>>> One thing to be careful with is the use of quotes. They vary between
>>> bind and dhcp for similar statements, eg zone and key.
>>>
>>> If you follow those examples closely it will work...
>>>
>>> regards,
>>> -glenn
>>>
>>>> From: Anthony Ercolano <anthony.ercolano at gmail.com>
>>>> To: dhcp-users at isc.org
>>>> Subject: nsupdate fails with tsig error.
>>>> Date: Wed, 28 Nov 2007 17:58:15 -0800
>>>>
>>>> Here is a copy of my dhcpd.conf (secrets obscured).
>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>> option domain-name "ercolano.com";
>>>> option domain-name-servers 209.181.88.209,209.181.88.210;
>>>>
>>>> default-lease-time 2592000;
>>>>
>>>> ddns-update-style interim;
>>>> ddns-updates on;
>>>> ddns-domainname "ercolano.com";
>>>> ddns-rev-domainname "10.in-addr.arpa";
>>>> ignore client-updates;
>>>> authoritative;
>>>>
>>>> key ns1-dhcpsrc.ercolano.net. {
>>>>       algorithm hmac-md5;
>>>>       secret "supersecretsecret==";
>>>> };
>>>>
>>>> zone 10.in-addr.arpa {
>>>>       primary 209.181.88.209;
>>>>       key ns1-dhcpsrc.ercolano.net.;
>>>> }
>>>>
>>>> zone ercolano.com {
>>>>       primary 209.181.88.209;
>>>>       key ns1-dhcpsrc.ercolano.net.;
>>>> }
>>>>
>>>>
>>>> subnet 10.0.0.0 netmask 255.255.255.0 {
>>>>   range 10.0.0.150 10.0.0.200;
>>>>   option routers 10.0.0.1;
>>>>   ddns-hostname =
>>>>       pick ( option host-name,
>>>> 	       concat("dhcp-",binary-to-ascii (10,8,"-",leased-address)));
>>>>
>>>>   host soekris1 {
>>>>       option host-name "soekris1";
>>>>       hardware ethernet 00:00:24:C4:7B:74 ;
>>>>       fixed-address 10.0.0.61;
>>>>       option root-path "/tftpboot";
>>>>       filename "/pxeboot";
>>>>   }
>>>>   host soekris2 {
>>>>       option host-name "soekris2";
>>>>       hardware ethernet 00:00:24:C1:36:00 ;
>>>>       fixed-address 10.0.0.62;
>>>>       option root-path "/tftpboot";
>>>>       filename "/pxeboot";
>>>>   }
>>>> }
>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>
>>>> This dhcp server lives on an internal network address of 10.0.0.xx
>>>>
>>>> Here is the named.conf file on 209.181.88.209
>>>>
>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>> acl "frendsnameserver" { 192.0.0.0/24; };
>>>> acl trusted { 209.181.88.209; 209.181.88.210; 209.181.88.211;
>>>>       209.181.88.212; 209.181.88.213; 209.181.88.214;
>>>>       localhost; localnets; };
>>>>
>>>> key ns1-ns2.ercolano.net. {
>>>>       algorithm hmac-md5;
>>>> 	secret "another super secret==";
>>>> };
>>>>
>>>> key ns1-dhcpsrc.ercolano.net. {
>>>>       algorithm hmac-md5;
>>>> 	secret "supersecretsecret==";
>>>> };
>>>>
>>>> server 209.181.88.210 {
>>>>       keys { ns1-ns2.ercolano.net.; };
>>>> };
>>>>
>>>> server 209.181.88.214 {
>>>>       keys { ns1-dhcpsc.ercolano.net.; };
>>>> };
>>>>
>>>> options {
>>>> 	directory "/var/bind";
>>>>
>>>> 	// uncomment the following lines to turn on DNS forwarding,
>>>> 	// and change the forwarding ip address(es) :
>>>> 	//forward first;
>>>> 	//forwarders {
>>>> 	//	123.123.123.123;
>>>> 	//	123.123.123.123;
>>>> 	//};
>>>>
>>>> 	// listen-on-v6 { none; };
>>>>       // listen-on { 127.0.0.1; };
>>>>
>>>> 	// to allow only specific hosts to use the DNS server:
>>>> 	//allow-query {
>>>> 	//	127.0.0.1;
>>>> 	//};
>>>>
>>>> 	allow-transfer { none; };
>>>>       allow-query { any; };
>>>> 	allow-recursion { trusted; };
>>>> 	allow-query-cache { trusted; };
>>>> 	allow-update { none; };
>>>>
>>>> 	notify-source * port 53;
>>>>
>>>> 	// if you have problems and are behind a firewall:
>>>> 	query-source address * port 53;
>>>> 	pid-file "/var/run/named/named.pid";
>>>>
>>>> 	version "No";
>>>>
>>>> };
>>>>
>>>>
>>>> zone "." IN {
>>>> 	type hint;
>>>> 	file "named.ca";
>>>> };
>>>>
>>>> zone "localhost" IN {
>>>> 	type master;
>>>> 	file "pri/localhost.zone";
>>>> 	notify no;
>>>> };
>>>>
>>>> zone "127.in-addr.arpa" IN {
>>>> 	type master;
>>>> 	file "pri/127.zone";
>>>> 	notify no;
>>>> };
>>>>
>>>> zone "10.IN-ADDR.ARPA" {
>>>> 	type master;
>>>> 	file "pri/10.zone";
>>>> 	allow-update { key ns1-dhcpsrc.ercolano.net.; };
>>>> 	allow-transfer { key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>> };
>>>>
>>>> zone "ercolano.net" IN {
>>>> 	type master;
>>>> 	file "pri/ercolano.net.zone";
>>>> 	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>> };
>>>> zone "ercolano.org" IN {
>>>> 	type master;
>>>> 	file "pri/ercolano.org.zone";
>>>> 	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>> };
>>>>
>>>> zone "ercolano.com" IN {
>>>> 	type master;
>>>> 	file "pri/ercolano.com.zone";
>>>> 	allow-update { key ns1-dhcpsrc.ercolano.net.; };
>>>> 	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>> };
>>>>
>>>> zone "208-214.88.181.209.in-addr.arpa" IN {
>>>> 	type master;
>>>> 	file "pri/208-214.88.181.209.zone";
>>>> 	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key ns1-dhcpsrc.ercolano.net.; };
>>>> };
>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>
>>>> If I execute the following nsupdate -d on the dhcp server machine I
>>>> get:
>>>>
>>>> dhcpsrc dhcp # nsupdate -d
>>>>> server 209.181.88.209
>>>>> zone ercolano.com
>>>>> key ns1-dhcpsrc.ercolano.net. supersecretsecret==
>>>>> update add bogu.ercolano.com 300 A 10.0.0.57
>>>>> send
>>>> Sending update to 209.181.88.209#53
>>>> Outgoing update query:
>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  40437
>>>> ;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>>>> ;; ZONE SECTION:
>>>> ;ercolano.com.			IN	SOA
>>>>
>>>> ;; UPDATE SECTION:
>>>> bogu.ercolano.com.	300	IN	A	10.0.0.57
>>>>
>>>> ;; TSIG PSEUDOSECTION:
>>>> ns1-dhcpsrc.ercolano.net. 0	ANY	TSIG	hmac-md5.sig-alg.reg.int.
>>>> 1196299697 300 16 hmmmmmmm== 40437 NOERROR 0
>>>>
>>>> ; TSIG error with server: tsig indicates error
>>>>
>>>> Reply from update query:
>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  40437
>>>> ;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>>>> ;; TSIG PSEUDOSECTION:
>>>> ns1-dhcpsrc.ercolano.net. 0	ANY	TSIG	hmac-md5.sig-alg.reg.int.
>>>> 1196299697 300 0  40437 BADSIG 0
>>>>
>>>> The error message on the bind server contains:
>>>>
>>>> Nov 28 17:43:56 mail named[24825]: client 209.181.88.214#22283:
>>>> request has invalid signature: TSIG ns1-dhcpsrc.ercolano.net: tsig
>>>> verify failure (BADSIG)
>>>>
>>>> Any thoughts on why this doesn't work?
>>>>
>>>> Any thoughts on what sort of logging would be especially helpful on
>>>> the bind server for finding the problem?
>>>>
>>>> Could there be issues with the fact that the request is initiated
>>>> from the dhcp server, with NAT'ed address 10.0.0.37, going through a
>>>> Cisco DSL router and coming into the bind server, which is at
>>>> 209.181.88.209, with the request appearing as though it was NOW
>>>> initiated from address 209.181.88.214?
>>>>
>>>> Thanks!
>>>>
>>>
>>
>
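Editor's added example (not code from this thread, from BIND or from ISC dhcpd): a small model of what the server does when it answers BADSIG. TSIG (RFC 2845) is an HMAC over the DNS message bytes plus the TSIG variables (key name, algorithm, time signed, fudge); it does not cover the IP or UDP headers, so NAT changing the source address alone leaves the MAC valid, while any change to the DNS payload, or any difference between the two sides' secrets, does not. The key name, zone, owner name, message id and timestamp are taken from the nsupdate -d session above; the secret is a constructed sample, not the poster's. The script signs the same UPDATE and verifies it four ways: untouched (NOERROR), with a different secret (BADSIG), with the A record's address rewritten on the path (BADSIG), and with the receiver's clock more than the 300-second fudge away (BADTIME). It does not say which of these happened on the list; that needs a capture of the packet as sent by nsupdate next to the packet as received by named.

```python
"""TSIG (RFC 2845) sign/verify model for a DNS UPDATE, to show what BADSIG means.

Added example: not code from the thread, from BIND or from ISC dhcpd.
The secret, message id and timestamp are constructed sample values; the
key name, zone and owner name are reused from the posted nsupdate session.
"""
import base64
import hashlib
import hmac
import struct

ALG = "hmac-md5.sig-alg.reg.int."        # algorithm name that nsupdate -d printed
KEYNAME = "ns1-dhcpsrc.ercolano.net."
# Constructed sample secret (not the poster's), base64 like a named.conf secret.
SECRET = base64.b64encode(b"supersecretsecret").decode()


def encode_name(name):
    """Wire-format a dotted domain name (no compression)."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split("."))
    return wire + b"\x00"


def build_update(zone, owner, ttl, addr, msg_id):
    """Minimal UPDATE message: one zone entry (SOA) and one A record to add."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)   # opcode 5 = UPDATE
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)    # type SOA, class IN
    rdata = bytes(int(octet) for octet in addr.split("."))
    update = encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (encode_name(keyname) + struct.pack("!HI", 255, 0)      # class ANY, TTL 0
            + encode_name(ALG)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(secret_b64, message, keyname, time_signed, fudge):
    """HMAC-MD5 over the unsigned message followed by the TSIG variables."""
    # validate=True rejects anything outside the base64 alphabet.
    key = base64.b64decode(secret_b64, validate=True)
    data = message + tsig_variables(keyname, time_signed, fudge)
    return hmac.new(key, data, hashlib.md5).digest()


def verify(secret_b64, message, keyname, time_signed, fudge, mac, now):
    """Return the TSIG error a server would set: NOERROR, BADSIG or BADTIME."""
    expected = tsig_mac(secret_b64, message, keyname, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"                 # secret differs, or the message bytes changed
    if abs(now - time_signed) > fudge:
        return "BADTIME"                # MAC is fine but outside the fudge window
    return "NOERROR"


def demo(now=1196299697):
    """Sign the update from the thread, then verify it under four conditions."""
    msg = build_update("ercolano.com.", "bogu.ercolano.com.", 300, "10.0.0.57", 40437)
    fudge = 300
    mac = tsig_mac(SECRET, msg, KEYNAME, now, fudge)
    # A middlebox rewriting the A record's address changes bytes under the MAC.
    rewritten = msg[:-4] + bytes([209, 181, 88, 214])
    return {
        "intact": verify(SECRET, msg, KEYNAME, now, fudge, mac, now),
        "wrong_secret": verify(base64.b64encode(b"otherkey").decode(),
                               msg, KEYNAME, now, fudge, mac, now),
        "rewritten_rdata": verify(SECRET, rewritten, KEYNAME, now, fudge, mac, now),
        "clock_skew": verify(SECRET, msg, KEYNAME, now, fudge, mac, now + 1000),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} {result}")
```

The MAC is computed over the message as it is before the TSIG RR is appended (ARCOUNT not counting the TSIG), which is why the model never has to strip the TSIG RR off again. A real named also checks the key name first (BADKEY) and, for a signed answer, includes the request MAC in the response digest; both are left out here because the question is only why an otherwise-identical update verifies from one address and not another.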

