From: Mark Andrews
Newsgroups: comp.protocols.dns.bind
Subject: Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)
Date: Wed, 5 Aug 2020 10:33:26 +1000
Message-ID: <26AFF3C2-B56B-48C7-9DEB-EA1341E02A48@isc.org>
To: Brett Delmage
Cc: bind-users

Thanks for full details.

Your key name usage is not consistent.

acmesh-ottawatch != ottawatch-acmesh

Why are you adding `check-names warn;`? check-names does NOT apply to TXT records.

Mark

> On 5 Aug 2020, at 08:44, Brett Delmage wrote:
>
> I'm having a problem getting nsupdate to work, as shown below.
>
> (Despite reading the man pages I'm not 100% clear about the exact scope of the grant options and it may not be right. Examples would be helpful.)
>
> I generated the key:
>
> ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
> # To activate this key, place the following in named.conf, and
> # in a separate keyfile on the system or systems from which nsupdate
> # will be run:
> key "acmesh-ottawatch." {
>         algorithm hmac-sha256;
>         secret ;
> };
>
> - this is included in my named.conf
>
> My config file zone entry has the statements
>
> check-names warn;
> update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
>
> to permit the update and limit the scope.
>
> As I understand, I need check-names (warn | ignore) because _acme-challenge has an underscore. (How the heck did LE come up with an incompatible name?)
>
> Here's my nsupdate script:
>
> # cat test-acme
>
> server cacloud.ottawatch.ca
> zone ottawatch.ca
> debug
> update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
> send
>
> # nsupdate -k acmesh-ottawatch.ca test-acme
>
> Sending update to 2607:7b00:7200:1::281a:5de2#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42504
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;ottawatch.ca.                  IN      SOA
>
> ;; UPDATE SECTION:
> _acme-challenge.ottawatch.ca. 999 IN    TXT     "test 1"
>
> ;; TSIG PSEUDOSECTION:
> acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 42504
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;ottawatch.ca.                  IN      SOA
>
> ;; TSIG PSEUDOSECTION:
> acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0
>
> Sending update to 2607:7b00:7200:1::281a:5de2#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 32884
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;ottawatch.ca.                  IN      SOA
>
> ;; TSIG PSEUDOSECTION:
> acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0
>
> # dig _acme-challenge.ottawatch.ca. txt
>
> - the TXT RR has not been added
>
> ; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: f735fda5ecb94793010000005f29e1bed617055d59cb5d75 (good)
> ;; QUESTION SECTION:
> ;_acme-challenge.ottawatch.ca.  IN      TXT
>
> ;; AUTHORITY SECTION:
> ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug 04 18:31:26 EDT 2020
> ;; MSG SIZE  rcvd: 140
>
> What am I missing or doing wrong, please?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
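Added example, not part of the thread and not BIND's own code: a small Python model of how an `update-policy` rule of the `name` type is matched against a signed update, plus a check that every identity named in a grant has a matching `key` statement. It only models the `name` rule type (no `subdomain`, `wildcard` or `self` rules) and compares identities as plain DNS names; the `named.conf` fragment is constructed from the thread, with `type master` and the `PLACEHOLDER` secret as assumptions.

```python
import re
from dataclasses import dataclass

# Types a "name" rule may touch when it lists no explicit types (BIND 9 ARM).
IMPLICIT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}
RULE_RE = re.compile(r"(grant|deny)\s+(\S+)\s+name\s+(\S+)\s*([^;]*);", re.I)
KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{', re.I)

def norm(name):
    """Normalize a DNS name for comparison: lowercase, one trailing dot."""
    return name.rstrip(".").lower() + "."

@dataclass(frozen=True)
class Rule:
    action: str       # "grant" or "deny"
    identity: str     # TSIG key name the rule applies to
    name: str         # the only owner name a "name" rule may touch
    types: frozenset  # allowed RR types; empty means the implicit default set

def parse_policy(conf):
    """Extract 'name'-type rules from an update-policy { ... } block."""
    return [Rule(a.lower(), norm(i), norm(n), frozenset(t.upper() for t in ts.split()))
            for a, i, n, ts in RULE_RE.findall(conf)]

def declared_keys(conf):
    """Normalized names of the key "..." { } statements in named.conf."""
    return {norm(k) for k in KEY_RE.findall(conf)}

def unmatched_identities(conf):
    """Policy identities with no key statement: the mismatch in the thread."""
    keys = declared_keys(conf)
    return sorted(r.identity for r in parse_policy(conf) if r.identity not in keys)

def check_update(rules, key_name, rr_name, rr_type):
    """First matching rule wins, as in BIND; no match means REFUSED."""
    key_name, rr_name, rr_type = norm(key_name), norm(rr_name), rr_type.upper()
    for r in rules:
        if r.identity != key_name or r.name != rr_name:
            continue  # rule does not apply to this signer or owner name
        if r.types and rr_type not in r.types:
            continue  # type outside the explicit list
        if not r.types and rr_type in IMPLICIT_EXCLUDED:
            continue  # implicit default set never covers these types
        return r.action == "grant"
    return False

# Constructed named.conf fragment mirroring the thread (placeholder secret).
CONF = '''key "acmesh-ottawatch." { algorithm hmac-sha256; secret "PLACEHOLDER"; };
zone "ottawatch.ca" { type master; update-policy {
    grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; }; };'''
```

Running `unmatched_identities(CONF)` reports `ottawatch-acmesh.`, the identity Mark points at, and `check_update` shows that the same grant, once the names agree, still refuses any other owner name or record type from that key.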