From: Brett Delmage
Newsgroups: comp.protocols.dns.bind
Subject: Cannot get nsupdate to work (for letsencrypt acme.sh client)
Date: Tue, 4 Aug 2020 18:44:56 -0400 (EDT)
To: bind-users
List-Id: BIND Users Mailing List

I'm having a problem getting nsupdate to work, as shown below. (Despite reading the man pages I'm not 100% clear about the exact scope of the grant options and it may not be right. Examples would be helpful.)

I generated the key:

  ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
  # To activate this key, place the following in named.conf, and
  # in a separate keyfile on the system or systems from which nsupdate
  # will be run:
  key "acmesh-ottawatch." {
          algorithm hmac-sha256;
          secret ;
  };

- this is included in my named.conf

My config file zone entry has the statements

  check-names warn;
  update-policy {
          grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;
  };

to permit the update and limit the scope.

As I understand, I need check-names (warn | ignore) because _acme-challenge has an underscore. (How the heck did LE come up with an incompatible name?)

Here's my nsupdate script:

  # cat test-acme
  server cacloud.ottawatch.ca
  zone ottawatch.ca
  debug
  update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
  send

  # nsupdate -k acmesh-ottawatch.ca test-acme
  Sending update to 2607:7b00:7200:1::281a:5de2#53
  Outgoing update query:
  ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42504
  ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
  ;; ZONE SECTION:
  ;ottawatch.ca.                  IN      SOA

  ;; UPDATE SECTION:
  _acme-challenge.ottawatch.ca. 999 IN   TXT     "test 1"

  ;; TSIG PSEUDOSECTION:
  acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0

  Reply from update query:
  ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 42504
  ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
  ;; ZONE SECTION:
  ;ottawatch.ca.                  IN      SOA

  ;; TSIG PSEUDOSECTION:
  acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0

  Sending update to 2607:7b00:7200:1::281a:5de2#53
  Outgoing update query:
  ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 32884
  ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
  ;; ZONE SECTION:
  ;ottawatch.ca.                  IN      SOA

  ;; TSIG PSEUDOSECTION:
  acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0

  # dig _acme-challenge.ottawatch.ca. txt

- the TXT RR has not been added

  ; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ; COOKIE: f735fda5ecb94793010000005f29e1bed617055d59cb5d75 (good)
  ;; QUESTION SECTION:
  ;_acme-challenge.ottawatch.ca.  IN      TXT

  ;; AUTHORITY SECTION:
  ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900

  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Tue Aug 04 18:31:26 EDT 2020
  ;; MSG SIZE  rcvd: 140

What am I missing or doing wrong, please?
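Editor's note with an added example (not code from the post above or from ISC). In the debug output the TSIG on the reply verifies (the TSIG pseudosection of the REFUSED reply carries NOERROR), so the signature is not the problem; named answers REFUSED when the signed update matches no rule in the zone's update-policy. One thing to check first is that the principal named in each grant rule is exactly the name on the key statement: in the post the key is defined as "acmesh-ottawatch." but the grant names "ottawatch-acmesh.", and named compares these as domain names (case-insensitive, trailing dot optional), so a transposed label simply never matches. The script below is a small consistency check that extracts the key names from a key file and a named.conf and lists every grant principal that has no matching key. The key file, the named.conf stanzas, the zone name and the placeholder secret are all constructed for the demonstration, not taken from the original server.

```shell
# Consistency check for a BIND 9 dynamic-update (TSIG + update-policy) setup.
# Added example, not from the original post. The name in `key "NAME" { ... }`
# must match the principal in `grant NAME ...`, or named returns REFUSED even
# though the TSIG itself verifies. All file contents below are constructed.

# Lower-case and drop one trailing dot so "Acmesh-Ottawatch." and
# "acmesh-ottawatch" compare equal, which is how named compares the names.
normalize() {
    tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Print the NAME of every `key "NAME" {` statement in a file.
key_names() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | normalize
}

# Print the principal (second word) of every `grant` rule in a file.
grant_names() {
    sed -n 's/^[[:space:]]*grant[[:space:]][[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | normalize
}

# Print every grant principal that no key statement (in the key file or in
# named.conf itself) defines. Empty output means the policy is consistent.
unmatched_grants() {
    conf=$1
    keyfile=$2
    keys=$(key_names "$keyfile"; key_names "$conf")
    grant_names "$conf" | while read -r g; do
        printf '%s\n' "$keys" | grep -qxF "$g" || printf '%s\n' "$g"
    done
}

# Constructed demo files: a key file in the shape ddns-confgen emits, a zone
# stanza with a transposed grant name, and the same stanza corrected.
write_demo() {
    dir=$1
    cat > "$dir/acmesh-ottawatch.key" <<'EOF'
key "acmesh-ottawatch." {
	algorithm hmac-sha256;
	// placeholder secret for the demo, not a real key
	secret "ZGVtby1zZWNyZXQtbm90LWZvci1wcm9kdWN0aW9uLXVzZQ==";
};
EOF
    # Mismatched: the grant names a key that is never defined.
    cat > "$dir/named.conf.bad" <<'EOF'
include "/etc/bind/acmesh-ottawatch.key";
zone "ottawatch.ca" {
	type primary;   // spelled "master" on older BIND releases
	file "/var/lib/bind/ottawatch.ca";
	update-policy {
		grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. TXT;
	};
};
EOF
    # Corrected: the grant uses the key name exactly as the key statement defines it,
    # and the rule is limited to the one TXT owner name the ACME client needs.
    cat > "$dir/named.conf.good" <<'EOF'
include "/etc/bind/acmesh-ottawatch.key";
zone "ottawatch.ca" {
	type primary;
	file "/var/lib/bind/ottawatch.ca";
	update-policy {
		grant acmesh-ottawatch. name _acme-challenge.ottawatch.ca. TXT;
	};
};
EOF
}

demo() {
    dir=$(mktemp -d)
    write_demo "$dir"
    echo "mismatched stanza, grant principals with no key:"
    unmatched_grants "$dir/named.conf.bad" "$dir/acmesh-ottawatch.key"
    echo "corrected stanza, grant principals with no key:"
    unmatched_grants "$dir/named.conf.good" "$dir/acmesh-ottawatch.key"
    rm -rf "$dir"
}

demo
```

Run it with `sh check-update-policy.sh`; the first list prints `ottawatch-acmesh` and the second is empty. Against a real deployment, point `unmatched_grants` at the live named.conf and key file, then run `named-checkconf` for a full syntax check; after fixing a name mismatch, `rndc reconfig` and re-run the nsupdate script, and the reply status should change from REFUSED to NOERROR.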