
Cannot get nsupdate to work (for letsencrypt acme.sh client)

Path csiph.com!weretis.net!feeder7.news.weretis.net!paganini.bofh.team!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail
From Brett Delmage <Brett@BrettDelmage.ca>
Newsgroups comp.protocols.dns.bind
Subject Cannot get nsupdate to work (for letsencrypt acme.sh client)
Date Tue, 4 Aug 2020 18:44:56 -0400 (EDT)
Lines 104
Approved bind-users@lists.isc.org
Message-ID <mailman.783.1596581066.942.bind-users@lists.isc.org> (permalink)
References <alpine.DEB.2.21.2008041629380.11138@pannier.local>
Reply-To Brett Delmage <Brett@twobikes.ottawa.on.ca>
NNTP-Posting-Host lists.isc.org
Mime-Version 1.0
Content-Type text/plain; format=flowed; charset=US-ASCII
X-Trace usenet.stanford.edu 1596581108 4821 149.20.1.60 (4 Aug 2020 22:45:08 GMT)
X-Complaints-To action@cs.stanford.edu
To bind-users <bind-users@lists.isc.org>
Return-Path <Brett@BrettDelmage.ca>
X-Original-To bind-users@lists.isc.org
Delivered-To bind-users@lists.isc.org
X-Spam-Status No, score=0.0 required=5.0 tests=SPF_PASS, T_SPF_HELO_PERMERROR autolearn=disabled version=3.4.2
X-Spam-Checker-Version SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org
X-BeenThere bind-users@lists.isc.org
X-Mailman-Version 2.1.29
Precedence list
List-Id BIND Users Mailing List <bind-users.lists.isc.org>
List-Unsubscribe <https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe>
List-Archive <https://lists.isc.org/pipermail/bind-users/>
List-Post <mailto:bind-users@lists.isc.org>
List-Help <mailto:bind-users-request@lists.isc.org?subject=help>
List-Subscribe <https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe>
X-Mailman-Original-Message-ID <alpine.DEB.2.21.2008041629380.11138@pannier.local>
Xref csiph.com comp.protocols.dns.bind:16032



I'm having a problem getting nsupdate to work, as shown below.

(Despite reading the man pages I'm not 100% clear about the exact scope of 
the grant options and it may not be right. Examples would be helpful.)

I generated the key:

ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "acmesh-ottawatch." {
         algorithm hmac-sha256;
         secret <deleted>;
};

- this is included in my named.conf
My config file zone entry has the statements

check-names warn;
update-policy {  grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;  };
to permit the update and limit the scope.

As I understand, I need check-names (warn | ignore) because 
_acme-challenge has an underscore. (How the heck did LE come up with an 
incompatible name?)


Here's my nsupdate script:
# cat test-acme

server cacloud.ottawatch.ca
zone ottawatch.ca
debug
update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
send


# nsupdate -k acmesh-ottawatch.ca test-acme

Sending update to 2607:7b00:7200:1::281a:5de2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  42504
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;ottawatch.ca.                  IN      SOA

;; UPDATE SECTION:
_acme-challenge.ottawatch.ca. 999 IN    TXT     "test 1"

;; TSIG PSEUDOSECTION:
acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 
300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  42504
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;ottawatch.ca.                  IN      SOA

;; TSIG PSEUDOSECTION:
acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 
300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0

Sending update to 2607:7b00:7200:1::281a:5de2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  32884
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;ottawatch.ca.                  IN      SOA

;; TSIG PSEUDOSECTION:
acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 
300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0



# dig _acme-challenge.ottawatch.ca. txt
- the TXT RR has not been added

; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f735fda5ecb94793010000005f29e1bed617055d59cb5d75 (good)
;; QUESTION SECTION:
;_acme-challenge.ottawatch.ca.  IN      TXT

;; AUTHORITY SECTION:
ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. 
hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 04 18:31:26 EDT 2020
;; MSG SIZE  rcvd: 140


What am I missing or doing wrong, please?
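Added example (not part of Brett's post, and not BIND's own code): a small Python model of how named evaluates `update-policy` rules against a TSIG-signed dynamic update, following BIND's documented semantics. Rules are tried in order and the first one whose identity, name and type all match decides; with no matching rule the update is refused. The identity is matched against the name of the TSIG key that signed the request, the `name` nametype requires an exact match on the target name, and a `txt` type list restricts the rule to TXT records. The wildcard handling for identities (`*` and `*.parent`) is a simplification of BIND's behaviour and is an assumption of this model. The sample inputs are the two key names, the target name and the zone from the post, constructed here as test data.

```python
"""Model of BIND `update-policy` rule evaluation for a TSIG-signed update.

Added illustration of the documented semantics; this is not BIND's code.
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

# RR types a rule without an explicit type list never grants (per BIND docs).
_IMPLICIT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


def _norm(name: str) -> str:
    """Canonicalise a DNS name: lower-case with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def _is_subdomain(name: str, parent: str) -> bool:
    """True if name equals parent or lies below it (root matches everything)."""
    name, parent = _norm(name), _norm(parent)
    if parent == ".":
        return True
    return name == parent or name.endswith("." + parent)


@dataclass
class Rule:
    action: str                 # "grant" or "deny"
    identity: str               # TSIG key name, "*", or "*.parent." (simplified wildcard)
    nametype: str               # "name", "subdomain", "self" or "zonesub"
    name: Optional[str] = None  # target name for "name"/"subdomain"; unused otherwise
    types: Set[str] = field(default_factory=set)  # empty = any type except exclusions


def _identity_matches(rule: Rule, signer: str) -> bool:
    """Does the signing key's name satisfy the rule's identity field?"""
    pat, signer = _norm(rule.identity), _norm(signer)
    if pat.startswith("*."):           # assumption: wildcard = "any name under parent"
        return _is_subdomain(signer, pat[2:])
    return pat == signer               # exact, case-insensitive match


def _name_matches(rule: Rule, zone: str, signer: str, target: str) -> bool:
    """Apply the rule's nametype to the name being updated."""
    target = _norm(target)
    if rule.nametype == "name":
        return target == _norm(rule.name)
    if rule.nametype == "subdomain":
        return _is_subdomain(target, rule.name)
    if rule.nametype == "self":
        return target == _norm(signer)
    if rule.nametype == "zonesub":
        return _is_subdomain(target, zone)
    raise ValueError(f"unsupported nametype {rule.nametype!r}")


def _type_matches(rule: Rule, rtype: str) -> bool:
    """An explicit type list is exhaustive; no list means any non-excluded type."""
    rtype = rtype.upper()
    if rule.types:
        return rtype in {t.upper() for t in rule.types}
    return rtype not in _IMPLICIT_EXCLUDED


def update_allowed(policy: Iterable[Rule], zone: str, signer: str,
                   target: str, rtype: str) -> bool:
    """First rule matching identity, name and type decides; no match => refused."""
    for rule in policy:
        if (_identity_matches(rule, signer)
                and _name_matches(rule, zone, signer, target)
                and _type_matches(rule, rtype)):
            return rule.action == "grant"
    return False


# Constructed sample data taken from the names in the post above.
ZONE = "ottawatch.ca."
SIGNER = "acmesh-ottawatch."          # key name in the TSIG pseudosection
TARGET = "_acme-challenge.ottawatch.ca."

# The grant as written in the post: identity "ottawatch-acmesh.".
POSTED_POLICY = [Rule("grant", "ottawatch-acmesh.", "name", TARGET, {"TXT"})]
# The same rule with the identity spelled as the signing key's name.
MATCHING_POLICY = [Rule("grant", "acmesh-ottawatch.", "name", TARGET, {"TXT"})]

if __name__ == "__main__":
    print("posted policy, TXT on target :", update_allowed(POSTED_POLICY, ZONE, SIGNER, TARGET, "TXT"))
    print("matching identity, TXT       :", update_allowed(MATCHING_POLICY, ZONE, SIGNER, TARGET, "TXT"))
    print("matching identity, A record  :", update_allowed(MATCHING_POLICY, ZONE, SIGNER, TARGET, "A"))
    print("matching identity, other name:", update_allowed(MATCHING_POLICY, ZONE, SIGNER, "www.ottawatch.ca.", "TXT"))
```

Run stand-alone, it prints the decision for each case. The first line reproduces the outcome seen in the post: when no rule's identity equals the signing key's name, nothing matches and the update is refused, which is what named reports as REFUSED. The last two lines show the least-privilege property of the `name ... txt` form: a key that is allowed to write TXT at `_acme-challenge.ottawatch.ca.` still cannot add an A record there or touch any other name in the zone.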
