From: Mark Andrews
Newsgroups: comp.protocols.dns.bind
Subject: Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?
Date: Wed, 29 Jul 2020 13:04:49 +1000

Make sure you are using the CORRECT name in the dig query. You used
ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca.

Also you can delete and add in the same UPDATE operation. Remove the
first "send" in nsupdate.script.

Also ottawatch.ca has DS records but the zone is not signed. You need
to fix this as lookups are failing for anyone that is validating responses.

ottawatch.ca.    86400  IN  DS  63970 8 1 FE95768ADB2B2F9E87B3C6B4210D4C21766A2EC6
ottawatch.ca.    86400  IN  DS  63970 8 2 1139FAEF396A03435BD093ACA623306B3307D11163188D4D5143909D 3CEF76EC

Mark

> On 29 Jul 2020, at 12:30, Brett Delmage wrote:
>
> nsupdate works according to updated contents of a dynamic zonefile but dig does not report the added A record.
>
> What am I doing stupidly here?
>
> BIND version 1:9.16.5-1+ubuntu18.04.1
> - both authoritative and local recursive
>
> zone config:
> zone "ottawatch.ca"
> {
>         type master;
>         file "/var/lib/bind/master/ottawatch.ca";
>         allow-transfer { key "pannier-xfer"; };
>         notify yes;
>         update-policy { grant ddns-key.ottawatch.ca subdomain ottawatch.ca.; };
> };
>
> [do I have the correct update-policy syntax?]
> (I also tried "update-policy local" with nsupdate -l, with same results.)
>
>
> # nsupdate -D -k ddns-key.ottawatch.ca nsupdate.script
>
> nsupdate.script:
>
> server 127.0.0.1
> zone ottawatch.ca.
> update del ddns-update.ottawatch.ca. a
> send
> update add ddns-update.ottawatch.ca. 999 a 3.4.5.8
> send
>
> zone DB after update and "rndc sync" executed to incorporate .jnl:
>
> $ORIGIN .
> $TTL 900        ; 15 minutes
> ottawatch.ca            IN SOA  cacloud.ottawatch.ca. hostmaster.ottawatch.ca. (
>                                 2020072808 ; serial
>                                 900        ; refresh (15 minutes)
>                                 180        ; retry (3 minutes)
>                                 2419200    ; expire (4 weeks)
>                                 900        ; minimum (15 minutes)
>                                 )
>                         NS      cacloud.ottawatch.ca.
>                         NS      pannier.ottawatch.ca.
>                         A       206.248.172.47
>                         MX      10 mail1.ottawajazzscene.ca.
>                         TXT     "v=spf1 a ip4:206.248.172.47 -all"
> $ORIGIN ottawatch.ca.
> cacloud                 A       23.111.69.176
>                         AAAA    2607:7b00:7200:1::281a:5de2
> $TTL 999        ; 16 minutes 39 seconds
> ddns-update             A       3.4.5.8     <--- nsupdate worked (it seems)
> $TTL 900        ; 15 minutes
> pannier                 A       206.248.172.47
>                         AAAA    2607:f2c0:a000:1d1::73:1
>
>
>
> # dig -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a
>
> ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1862
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 195a1192604da78e010000005f20daf7193b36ec5545d879 (good)
> ;; QUESTION SECTION:
> ;cacloud.ottawatch.ca.          IN      A
>
> ;; ANSWER SECTION:
> cacloud.ottawatch.ca.   900     IN      A       23.111.69.176
>
> ;; Query time: 0 msec
> ;; SERVER: 23.111.69.176#53(23.111.69.176)
> ;; WHEN: Tue Jul 28 22:12:07 EDT 2020
> ;; MSG SIZE rcvd: 93
>
> BUT dig does not report the nsupdate-added a record (NXDOMAIN):
>
> # dig -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. a
>
> ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49598
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 6db0ccbd0085ecca010000005f20db0f7cdb769b038236f9 (good)
> ;; QUESTION SECTION:
> ;ddns-key.ottawatch.ca.         IN      A
>
> ;; AUTHORITY SECTION:
> ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072808 900 180 2419200 900
>
> ;; Query time: 0 msec
> ;; SERVER: 23.111.69.176#53(23.111.69.176)
> ;; WHEN: Tue Jul 28 22:12:31 EDT 2020
> ;; MSG SIZE rcvd: 133
>
>
> A record added to the dynamic zone file manually works:
>
> dig -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a
>
> ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8033
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 8feed7fd82821e9a010000005f20dc3de1670c37be1dadbc (good)
> ;; QUESTION SECTION:
> ;bb.ottawatch.ca.               IN      A
>
> ;; ANSWER SECTION:
> bb.ottawatch.ca.        900     IN      A       3.4.5.9
>
> ;; Query time: 0 msec
> ;; SERVER: 23.111.69.176#53(23.111.69.176)
> ;; WHEN: Tue Jul 28 22:17:33 EDT 2020
> ;; MSG SIZE rcvd: 88
>
>
> END OF DETAILS

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
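
The "DS records but the zone is not signed" condition raised in the reply above can be checked mechanically. The following is an added example, not part of the original post and not ISC code: it compares a parent's DS set with the child's DNSKEY set using the RFC 4034 key tag and digest. The function names, the `example.test` zone and `SAMPLE_DNSKEY` are constructed for illustration; the two DS lines are the ones quoted in the post.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # only DS digest types 1 and 2
# DS lines quoted in the post above (dig presentation format).
PAGE_DS = [
    "63970 8 1 FE95768ADB2B2F9E87B3C6B4210D4C21766A2EC6",
    "63970 8 2 1139FAEF396A03435BD093ACA623306B3307D11163188D4D5143909D 3CEF76EC",
]
# Constructed DNSKEY (not a real key), used only to show the matching case.
SAMPLE_DNSKEY = "257 3 8 " + base64.b64encode(bytes(range(64))).decode()

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"

def dnskey_rdata(line):
    """'flags protocol algorithm base64...' -> DNSKEY RDATA bytes."""
    flags, proto, alg, *b64 = line.split()
    key = base64.b64decode("".join(b64))
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(zone, dnskey_line, dtype):
    """DS presentation line a parent would publish for this DNSKEY."""
    rd = dnskey_rdata(dnskey_line)
    digest = DIGESTS[dtype](wire_name(zone) + rd).hexdigest().upper()
    return f"{key_tag(rd)} {rd[3]} {dtype} {digest}"

def check_delegation(zone, ds_lines, dnskey_lines):
    """Classify the parent's DS set against the child's DNSKEY set."""
    if not ds_lines:
        return "insecure"  # no DS: validators treat the zone as unsigned
    if not dnskey_lines:
        return "bogus: DS at parent, no DNSKEY in child"
    parts = (l.split() for l in ds_lines)
    norm = {" ".join(p[:3] + ["".join(p[3:]).upper()]) for p in parts}
    for key in dnskey_lines:
        if any(make_ds(zone, key, dtype) in norm for dtype in DIGESTS):
            return "secure"
    return "bogus: no DNSKEY matches any DS"

if __name__ == "__main__":
    print(check_delegation("ottawatch.ca", PAGE_DS, []))  # the case in the post
    ds = make_ds("example.test", SAMPLE_DNSKEY, 2)
    print(check_delegation("example.test", [ds], [SAMPLE_DNSKEY]))
```

The inputs are the lines printed by `dig +short DS <zone>` and `dig +short DNSKEY <zone>`. The check covers only the DS-to-DNSKEY link; a validator additionally verifies the RRSIG over the DNSKEY set.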