Old 02-26-2007, 06:17 AM   #16
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15

Generating new keys didn't work.

Might be a typo somewhere.
 
Old 02-27-2007, 09:32 AM   #17
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Some background:

The previous errors were on the SUSE machine. (Still can't get it right; badkey)
I'm trying this on a SLES10 machine and FreeBSD6 machine.

When running the update file to update to the FreeBSD machine I get the following error:

Code:
tcshq# ./update-dns.sh
Creating key...
Sending update to 172.16.0.70#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  37330
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;ddns.mydomain.co.za.                        IN      SOA

;; UPDATE SECTION:
client.ddns.mydomain.co.za.   0       ANY     ANY
client.ddns.mydomain.co.za.   60      IN      A       47.263.150.132

;; TSIG PSEUDOSECTION:
client.ddns.mydomain.co.za.   0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1172590289 300 16 jyafw36U763hxa0AKkJnmw== 37330 NOERROR 0

; Communication with server failed: timed out

Last edited by karelvdm; 02-27-2007 at 09:33 AM.
 
Old 02-27-2007, 11:05 AM   #18
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Did you compile from source? If you did, then in the bind directory there should be a subdirectory bin/checks and named-checkzone and named-checkconf. Checkconf will check the named.conf file and report errors, and checkzone will check the individual zonefile you point it at. That can help, or you could check the logs to see the problem.

If you installed from an rpm on the SLES system I don't know if they include those tools or not.

Peace,
JimBass
 
Old 02-28-2007, 03:47 AM   #19
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
JimBass,

Thanks for all your patience with me.

I left the SLES box for now and I'm focussing on the FreeBSD box.

named-checkconf returns with no output:
Code:
thunder# /usr/sbin/named-checkconf                                              
thunder#
named-checkzone
Code:
thunder# /usr/sbin/named-checkzone ddns.mydomain.co.za /etc/namedb/dynamic/ddns.mydomain.co.za
zone ddns.mydomain.co.za/IN: has no NS records
thunder#
Could port 53 be blocked on the FreeBSD box?
How can I check if it is, and if it is, how can I open it?
 
Old 02-28-2007, 09:18 AM   #20
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
I'm far from a BSD expert, but named-checkzone doesn't check and see if you get an answer for the zone, it simply checks the integrity of the zonefile itself. You must add nameservers to the zonefile, or it won't work. You could do something simple like:

Code:
7200    IN      NS      ns1.ddns.mydomain.co.za.
7200    IN      NS      ns2.ddns.mydomain.co.za.
Then below that identify those names with A records -

Code:
ns1.ddns.mydomain.co.za      IN       A        I.P.Add.Ress
ns2.ddns.mydomain.co.za      IN       A        I.P.Add.Ress
You can even use the same address for both ns1 and ns2, but you have to identify at least 2 nameservers for every zone.

You can use a program like nmap on linux to see what ports are open on the BSD box, and you should be able to compile that on BSD as well I would think. You could also try telnetting to localhost at port 53 on the BSD box to see if the port is open. Given BSD's security features it is entirely possible that port 53 is closed, but I don't know how to open it. It might be a simple firewall script, or it could be something else.

Peace,
JimBass
 
Old 03-07-2007, 04:34 AM   #21
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Hi Jimm,

I've found a solution to the problem I had with the timeout when updating.
The FreeBSD box was listening for port 53 on localhost only.

Code:
thunder# netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     52  172.16.0.70.22         172.16.0.16.50532      ESTABLISHED
tcp4       0      0  127.0.0.1.953          *.*                    LISTEN
tcp4       0      0  127.0.0.1.53           *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
udp4     172      0  *.53                   *.*
udp4       0      0  127.0.0.1.53           *.*
udp4       0      0  *.514                  *.*
thunder#
But I got it right in the end.

Code:
thunder# netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     52  172.16.0.70.22         172.16.0.16.50532      ESTABLISHED
tcp4       0      0  127.0.0.1.953          *.*                    LISTEN
tcp4       0      0  172.16.0.70.53         *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.53                   *.*
udp4       0      0  172.16.0.70.53         *.*
udp4       0      0  *.514                  *.*
thunder#
Now I'm back to square one....badkey.....what am I doing wrong?
Code:
client# ./update-dns.sh
Creating key...
Sending update to mydnsserver#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  19477
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;ddns.mydomain.co.za.                        IN      SOA

;; UPDATE SECTION:
client.ddns.mydomain.co.za.   0       ANY     ANY
client.ddns.mydomain.co.za.   60      IN      A       47.263.115.232

;; TSIG PSEUDOSECTION:
client.ddns.mydomain.co.za.   0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1172645392 300 16 6WY0bbDTzCUdcy9Aum9CTQ== 19477 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  18462
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
client.ddns.mydomain.co.za.   0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1173170814 300 0  18462 BADKEY 0


client#
Let me know what info you need.
Thanks again!

Last edited by karelvdm; 03-07-2007 at 04:39 AM.
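
An added check, not part of the original post, for the condition diagnosed above: it reads FreeBSD `netstat -an -f inet` lines and reports, per socket on a given port, whether it is bound to loopback, the wildcard, or a specific address, along with Recv-Q (bytes received but not yet read). `BEFORE` and `AFTER` are constructed from the two listings in the post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. BEFORE/AFTER are constructed from the two netstat listings above.
BEFORE='tcp4       0      0  127.0.0.1.953          *.*                    LISTEN
tcp4       0      0  127.0.0.1.53           *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
udp4     172      0  *.53                   *.*
udp4       0      0  127.0.0.1.53           *.*'
AFTER='tcp4       0      0  172.16.0.70.53         *.*                    LISTEN
udp4       0      0  *.53                   *.*
udp4       0      0  172.16.0.70.53         *.*'

# Print "proto address scope recv-q" for each unconnected socket bound to <port>.
# FreeBSD netstat writes the local address as <addr>.<port>.
# usage: port_sockets <port> <netstat-text>
port_sockets() {
    printf '%s\n' "$2" | awk -v port="$1" '
    $5 == "*.*" {
        n = split($4, p, "[.]")
        if (p[n] != port) next
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127[.]/)  scope = "loopback"
        else if (addr == "*")  scope = "wildcard"
        else                   scope = "specific"
        print substr($1, 1, 3), addr, scope, $2
    }'
}

# Succeed when <proto> has sockets on <port> and every one is loopback-bound.
# usage: loopback_only <tcp|udp> <port> <netstat-text>
loopback_only() {
    port_sockets "$2" "$3" | awk -v proto="$1" '
        $1 == proto { seen = 1; if ($3 != "loopback") ext = 1 }
        END { exit !(seen && !ext) }'
}

port_sockets 53 "$BEFORE"
loopback_only tcp 53 "$BEFORE" && echo "TCP/53 is loopback-only: remote clients cannot connect"
```
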
 
Old 03-07-2007, 09:18 AM   #22
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
I don't have the exact problem, but the output seems likely to point to the problem -
Quote:
client# ./update-dns.sh
Creating key...
The script shouldn't be generating the key, it should just use the key that already exists. I suspect something inside of update-dns.sh needs to be changed. Since the key needs to match both on the client machine and the DNS server, generating a new key is sure to fail.

Peace,
JimBass
 
Old 03-07-2007, 09:19 AM   #23
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Hi

Log file on nameserver
Code:
Mar  7 17:17:51 thunder named[360]: client 172.16.0.245#58217: request has invalid signature: TSIG tcshq.ddns.cos.co.za: tsig verify failure (BADKEY)
Should I copy the contents of the ".key" file or ".private" to the nameserver's named.conf file?

Last edited by karelvdm; 03-07-2007 at 09:21 AM.
 
Old 03-07-2007, 09:24 AM   #24
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by JimBass
The script shouldn't be generating the key, it should just use the key that already exists. I suspect something inside of update-dns.sh needs to be changed.
This is the script file
Code:
#!/bin/sh

NAME="tcshq.ddns.cos.co.za"
TTL="60"
# Current IPv4 address of the tun0 interface
IP=`/sbin/ifconfig | /usr/bin/grep -A1 tun0 | /usr/bin/grep inet | /usr/bin/cut -f 2 -d " "`

# Send a TSIG-signed dynamic update; -d prints debug output, -k names the key file
/usr/bin/nsupdate -d -k /root/utils/Ktcshq.ddns.cos.co.za.+157+63975.key <<EOF

server 172.16.0.70
zone ddns.cos.co.za
update delete $NAME
update add $NAME 60 A $IP

EOF
 
Old 03-07-2007, 09:26 AM   #25
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Yeah, that sounds like exactly what I described. It is using a bad key. Check out this page in the answers section that deals with linking dhcp and ddns together.

http://www.linuxquestions.org/linux/...em_DDNS_Server

Check the part about the key, you can simply put the key somewhere and call to it in the updater script.

Peace,
JimBass
 
Old 03-07-2007, 09:44 AM   #26
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
The script looks okay, but obviously it isn't working. What happens if you run not the script itself, but the contents of it line by line?

Peace,
JimBass
 
Old 03-14-2007, 05:46 AM   #27
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Hey Jimm

Sorry for the delay, but I was a bit busy.
Got my keys sorted! Something small....changed the key entry in the named.conf from
Code:
key client.ddns.mydomain.co.za {
	algorithm "HMAC-MD5";
	secret "mysecret";
	};
to
Code:
key client.ddns.mydomain.co.za {
	algorithm hmac-md5;
	secret "mysecret";
	};
Now if I run the update file,
Code:
client# ./update-dns.sh
Creating key...
Sending update to 172.16.0.70#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  28250
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;ddns.mydomain.co.za.                        IN      SOA

;; UPDATE SECTION:
client.ddns.cos.co.za.   0       ANY     ANY
client.ddns.cos.co.za.   60      IN      A       47.269.242.123

;; TSIG PSEUDOSECTION:
client.ddns.cos.co.za.   0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1173867849 300 16 kkl+6JVsfCnKPqXXFqT+QQ== 28250 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  28250
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
client.ddns.cos.co.za.   0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1173867947 300 16 1oqfo+uMeYOiFGqUoN3jUg== 28250 NOERROR 0

client#
Doesn't seem to update the zone file.

Last edited by karelvdm; 03-14-2007 at 05:51 AM.
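
An added example, not part of the original posts, for the key question running through this thread: BADKEY is the TSIG error a server returns for a key it does not recognise, so this script compares the key name, algorithm and secret in a `dnssec-keygen` `.key` file with a `named.conf` key clause. The sample files and the secret are constructed; the two key names are the ones seen in the thread's log line and `named.conf` excerpt, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample files are constructed; the secret is a placeholder.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# dnssec-keygen .key line: <name>. IN KEY <flags> <proto> <alg> <base64>
echo 'tcshq.ddns.cos.co.za. IN KEY 512 3 157 Y29uc3RydWN0ZWQtZGVtbw==' > "$tmp/K.key"
cat > "$tmp/named.conf" <<'EOF'
key client.ddns.mydomain.co.za {
    algorithm hmac-md5;
    secret "Y29uc3RydWN0ZWQtZGVtbw==";
    };
EOF

# Print "name algorithm secret" from the key file (algorithm 157 is HMAC-MD5).
keyfile_fields() {
    awk '$2 == "IN" && $3 == "KEY" {
        name = tolower($1); sub(/[.]$/, "", name)
        alg = ($6 == 157) ? "hmac-md5" : ("alg-" $6)
        secret = ""; for (i = 7; i <= NF; i++) secret = secret $i
        print name, alg, secret; exit
    }' "$1"
}

# Print "name algorithm secret" from the first key clause of a named.conf fragment.
# Names are lower-cased because DNS names compare case-insensitively.
conf_fields() {
    tr -d '";{}' < "$1" | awk '
        $1 == "key" && !name        { name = tolower($2); sub(/[.]$/, "", name) }
        $1 == "algorithm" && !alg   { alg = tolower($2) }
        $1 == "secret" && !secret   { secret = $2 }
        END { print name, alg, secret }'
}

# List every field that differs; return 0 only when all three match.
compare_key() {
    kf=$1; cf=$2; rc=0
    set -- $(keyfile_fields "$kf"); kn=$1; ka=$2; ks=$3
    set -- $(conf_fields "$cf")
    [ "$kn" = "$1" ] || { echo "key name: file=$kn conf=$1"; rc=1; }
    [ "$ka" = "$2" ] || { echo "algorithm: file=$ka conf=$2"; rc=1; }
    [ "$ks" = "$3" ] || { echo "secret differs"; rc=1; }
    return $rc
}

compare_key "$tmp/K.key" "$tmp/named.conf" || echo "key file and named.conf disagree"
```
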
 
Old 03-14-2007, 09:48 AM   #28
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Yeah, case sensitivity can be a pain. Check the BIND logs. You'll probably see something about lack of permissions for the zone file. In any case, there should be some error logged to the logs. Syslog if nothing else, but any BIND logging should have it.

Peace,
JimBass
 
Old 03-15-2007, 05:36 AM   #29
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Hi Jimm

No errors, no update in the zone file,
but the *.jnl gets created.

Code:
thunder# ls -al
total 12
drwxr-xr-x  2 bind  wheel  512 Mar 15 12:32 .
drwxr-xr-x  6 root  wheel  512 Mar 14 13:31 ..
-rw-r--r--  1 bind  wheel  346 Mar 15 12:29 ddns.mydomain.co.za
-rw-r--r--  1 bind  wheel  788 Mar 15 12:32 ddns.mydomain.co.za.jnl
Any ideas?
 
Old 03-18-2007, 02:20 PM   #30
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Not without more info. Set BIND to log everything in named.conf, and check them. It can't just not work and not have a reason. Is rndc installed and functional?

I'm out of town at the moment, but please log and post here, or put up a link to the log files and I'll check them out when I can.

Peace,
JimBass
 
  

