Old 08-06-2012, 08:19 AM   #1
funny_ha_ha
LQ Newbie
 
Registered: Aug 2012
Location: Germany
Distribution: mostly Debian-based
Posts: 3

Rep: Reputation: Disabled
nsupdate not working (SERVFAIL)


Hi,

I'm trying to update my DNS-Server dynamically using nsupdate.

Prerequisite

I'm on Debian 6.

I created a public/private key pair using:
Code:
dnssec-keygen -C -a HMAC-MD5 -b 512 -n USER sub.example.com.
I then edited my named.conf.local to contain my public key and the new zone I wish to update. It now looks like this (note: I also tried allow-update { any; }; without success):
Code:
zone "example.com" {
        type master;
        file "/etc/bind/primary/example.com";
        notify yes;                     // slave servers are notified when the zone is updated.
        allow-update { none; };         // deny updates from other hosts (default: none)
        allow-query { any; };           // allow clients to query this server (default: any)
};

zone "sub.example.com" {
        type master;
        file "/etc/bind/primary/sub.example.com";
        notify yes;
        allow-update { key "sub.example.com."; };
        allow-query { any; };
};

key sub.example.com. {
        algorithm HMAC-MD5;
        secret "xxxx xxxx";
};
Next, I copied the private key file ("key.private") to another server I want to update the zone from. I also created a text file ("update") on this server which contained the update information (note: I tried toying around with this stuff too. No success):
Code:
server example.com
zone sub.example.com
update add sub.example.com. 86400 A 10.10.10.1
show
send
Now I'm trying to update the zone using:
Code:
nsupdate -k key.private -v update
The Problem

Said command gives me the following output:
Code:
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;sub.example.com.		IN	SOA

;; UPDATE SECTION:
sub.example.com.	86400	IN	A	10.10.10.1

update failed: SERVFAIL
named debug Level 3 gives me the following information when I issue the nsupdate command on the remote server (note: I obfuscated the client IP):
Code:
06-Aug-2012 14:51:33.977 client X.X.X.X#33182: new TCP connection
06-Aug-2012 14:51:33.977 client X.X.X.X#33182: replace
06-Aug-2012 14:51:33.978 clientmgr @0x2ada3c7ee760: createclients
06-Aug-2012 14:51:33.978 clientmgr @0x2ada3c7ee760: recycle
06-Aug-2012 14:51:33.978 client @0x2ada475f1120: accept
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: read
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: TCP request
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: request has valid signature
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: recursion not available
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: update
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: send
06-Aug-2012 14:51:33.978 client X.X.X.X#33182: sendto
06-Aug-2012 14:51:33.979 client X.X.X.X#33182: senddone
06-Aug-2012 14:51:33.979 client X.X.X.X#33182: next
06-Aug-2012 14:51:33.979 client X.X.X.X#33182: endrequest
06-Aug-2012 14:51:33.979 client X.X.X.X#33182: read
06-Aug-2012 14:51:33.986 client X.X.X.X#33182: next
06-Aug-2012 14:51:33.986 client X.X.X.X#33182: request failed: end of file
06-Aug-2012 14:51:33.986 client X.X.X.X#33182: endrequest
06-Aug-2012 14:51:33.986 client X.X.X.X#33182: closetcp
But it doesn't do anything. The zone isn't updated, nor does my nsupdate change anything. I'm not sure if the file "/etc/bind/primary/sub.example.com" should exist prior to the first update or not. I tried it without the file, with an empty file and with a pre-configured zone file. Without success.

The sparse information I found on the net pointed me towards file and folder permissions regarding the bind working directory, so I changed the permissions of both /etc/bind and /var/cache/bind (which is the home dir of my "bind" user).

I'm not 100% sure if the permissions are correct, but it looks good to me:
Code:
ls -lah /var/cache/bind/
total 224K
drwxrwxr-x  2 bind bind 4.0K Aug  6 03:13 .
drwxr-xr-x 12 root root 4.0K Jul 21 11:27 ..
-rw-r--r--  1 bind bind 211K Aug  6 03:21 named.run

ls -lah /etc/bind/
total 72K
drwxr-sr-x  3 bind bind 4.0K Aug  6 14:41 .
drwxr-xr-x 87 root root 4.0K Jul 30 01:24 ..
-rw-------  1 bind bind  125 Aug  6 02:54 key.public
-rw-------  1 bind bind  156 Aug  6 02:54 key.private
-rw-r--r--  1 bind bind 2.5K Aug  6 03:07 bind.keys
-rw-r--r--  1 bind bind  237 Aug  6 03:07 db.0
-rw-r--r--  1 bind bind  271 Aug  6 03:07 db.127
-rw-r--r--  1 bind bind  237 Aug  6 03:07 db.255
-rw-r--r--  1 bind bind  353 Aug  6 03:07 db.empty
-rw-r--r--  1 bind bind  270 Aug  6 03:07 db.local
-rw-r--r--  1 bind bind 3.0K Aug  6 03:07 db.root
-rw-r--r--  1 bind bind  493 Aug  6 03:32 named.conf
-rw-r--r--  1 bind bind  490 Aug  6 03:07 named.conf.default-zones
-rw-r--r--  1 bind bind 1.2K Aug  6 14:18 named.conf.local
-rw-r--r--  1 bind bind  666 Jul 29 22:51 named.conf.options
drwxr-sr-x  2 bind bind 4.0K Aug  6 03:57 primary/
-rw-r-----  1 root bind   77 Mar 19 02:57 rndc.key
-rw-r--r--  1 bind bind 1.3K Aug  6 03:07 zones.rfc1918

ls -lah /etc/bind/primary/
total 20K
drwxr-sr-x 2 bind bind 4.0K Aug  6 03:57 .
drwxr-sr-x 3 bind bind 4.0K Aug  6 14:41 ..
-rw-r--r-- 1 bind bind  356 Jul 30 00:45 example.com

Last edited by funny_ha_ha; 08-06-2012 at 08:21 AM.
 
Old 08-06-2012, 04:34 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
The sparse information I found on the net pointed me towards file and folder permissions regarding the bind working directory, so I changed the permissions of both /etc/bind and /var/cache/bind (which is the home dir of my "bind" user).
Note that the zone file must exist and should have the usual RRs (SOA, NS, etc.) prior to running nsupdate. So create a zonefile for your domain, e.g.
Code:
$TTL 86400      ; 1 day
sub.example.com.       IN SOA  ns1.example.com. root.sub.example.com. (
                                  2012080701 ; serial
                                  28800      ; refresh (8 hours)
                                  7200       ; retry (2 hours)
                                  604800     ; expire (1 week)
                                  86400      ; minimum (1 day)
                                  )
                                  NS      ns1.example.com.
                                  NS      ns2.example.com.
sub.example.com.       A       1.2.3.4
Also note that at this point the zonefile permissions are not that important, because nsupdate creates a journal file (zonefile.jnl) that is used instead of the original zonefile.

Regards
 
Old 08-06-2012, 06:08 PM   #3
funny_ha_ha
LQ Newbie
 
Registered: Aug 2012
Location: Germany
Distribution: mostly Debian-based
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thanks for the response!
Using your example file, I managed to get it to work. After I used the correct zone file, I stumbled upon a permission error: the jnl file couldn't be created because of permissions. But the manpage helped me out:

Code:
named inherits the umask (file creation mode mask) from the parent process. If files created by named, such as journal files, need to have custom permissions, the umask should be set explicitly in the script used to start the named process.
It didn't work when running named from the console, but using the init-script it worked!
 
Old 02-27-2018, 01:18 AM   #4
HirendraKoche
LQ Newbie
 
Registered: Feb 2018
Posts: 1

Rep: Reputation: Disabled

This may happen due to SELinux.

Check your SELinux setting. If it is in Enforcing status, you have to configure named_write_master_zones boolean on.

In Red Hat 7

semanage boolean named_write_master_zones --modify --on

In Red Hat 6

setsebool -P named_write_master_zones on
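The thread's failure modes (zone file without SOA/NS records in post #2, journal file permissions and inherited umask in post #3, the SELinux boolean in post #4) collected into one pre-flight script that runs before the nsupdate from post #1. This is an added example, not code from any of the posters; the zone file path, key file name and update values come from post #1, the boolean name from post #4, and everything else is assumed.

```shell
#!/bin/sh
# Pre-flight checks for a BIND dynamic-update setup like the one in this thread.
# Added example, not code from the thread; file paths and names are assumptions.

# 0 when the zone file already carries an SOA and at least one NS record, which
# named needs before it will load the zone and accept updates for it.
zone_is_loadable() {
    [ -s "$1" ] || return 1
    grep -Eq '[[:space:]]SOA[[:space:]]' "$1" || return 1
    grep -Eq '(^|[[:space:]])NS[[:space:]]' "$1"
}

# Mode a new journal file (zonefile.jnl) gets under a given umask: named inherits
# the umask of whatever started it, so a console start can differ from the init script.
journal_mode_for_umask() {
    printf '%04o' $(( 0666 & ~$1 ))
}

# 0 when the directory holding the zone file is writable by the calling user,
# so named (run this as the user named runs as, e.g. bind) can create the journal.
journal_dir_writable() {
    dir=$(dirname "$1")
    [ -d "$dir" ] && [ -w "$dir" ]
}
# 0 when a getsebool output line reports the boolean as on (post #4's SELinux case).
sebool_line_is_on() {
    case "$1" in *"--> on") return 0 ;; esac
    return 1
}

# The nsupdate input from post #1, built from arguments instead of a hand-written file.
nsupdate_add_a() {
    # $1 server  $2 zone  $3 owner name  $4 ttl  $5 IPv4 address
    printf 'server %s\nzone %s\nupdate add %s %s A %s\nsend\n' "$1" "$2" "$3" "$4" "$5"
}

# Run all checks for one zone, then apply the update with the TSIG key file.
# Example: preflight /etc/bind/primary/sub.example.com key.private
preflight() {
    zone_is_loadable "$1" || { echo "zone file $1 lacks SOA/NS records" >&2; return 1; }
    journal_dir_writable "$1" || { echo "cannot create journal next to $1" >&2; return 1; }
    echo "journal files will be created with mode $(journal_mode_for_umask "$(umask)")"
    if command -v getsebool >/dev/null 2>&1; then
        sebool_line_is_on "$(getsebool named_write_master_zones 2>/dev/null)" ||
            echo "warning: named_write_master_zones is off" >&2
    fi
    nsupdate_add_a example.com sub.example.com sub.example.com. 86400 10.10.10.1 |
        nsupdate -k "$2" -v
}
```

The checks run as the user named runs as (bind on Debian), because `-w` tests the caller's own permissions, not bind's.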
 