From: Mark Andrews
Newsgroups: comp.protocols.dns.bind
Subject: Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)
Date: Wed, 5 Aug 2020 13:48:42 +1000
To: Brett Delmage
Cc: bind-users

> On 5 Aug 2020, at 13:12, Brett Delmage wrote:
>
> On Wed, 5 Aug 2020, Mark Andrews wrote:
>
>> Your key name usage is not consistent. acmesh-ottawatch != ottawatch-acmesh
>
> Thank you! Fixed and working.
>
>> Why are you adding `check-names warn;`? check-names does NOT apply to TXT
>> records.
>
> Previously I was getting the error "bad owner name (check-names)".
>
> So a search for that error led me to this page
> https://linux.m2osw.com/setting-bind-get-letsencrypt-wildcards-work-your-system-using-rfc-2136
>
> which states
>
> "The check-names option is required in case the name letsencrypt adds
> _acme-challenge to your list of known sub-domains. The underscore character
> is not liked by BIND9. This is because it is not part of the domain name
> specification. It is not allowed at all. By default BIND will generate an
> error and log it and skip over that entry entirely (i.e. it will not serve
> that zone at all, albeit all the other zones will work just fine.)
>
> You can also set this parameter to ignore. In that case, no warning is
> emitted in your logs.
>
> Here is the error you get ("bad owner name") when a name uses characters
> that are not supposed to be used in a domain name:
>
> 09-Feb-2019 03:02:31.988 general: error:
> /var/lib/bind/restarchitect.com.zone:31:
> _acme-challenge.restarchitect.com:
> bad owner name (check-names)

Check-names applies to elements of records that are supposed to be HOSTNAMES
or MAIL DOMAINS (both have the same syntax requirements). In some cases it is
the owner name and in others it is elements of the rdata fields. For PTR it
only applies to records that end in in-addr.arpa and ip6.arpa as they are
supposed to point to HOSTNAMES. HOSTNAMES and MAIL DOMAINS are restricted to
labels composed of letters, digits and hyphens (LDH).

The full list of records that check-names currently applies to is: A, AAAA,
MX, AFSDB, MINFO, NS, PTR, RP, RT, SOA, A6 and SRV.

If I use the example zone on that page *no* errors are reported.

% named-checkzone restarchitect.com restarchitect.com
zone restarchitect.com/IN: loaded serial 1309082308
OK
% cat restarchitect.com
restarchitect.com. 86400 IN SOA ns1.m2osw.com. hostmaster.m2osw.com. 1309082308 10800 180 1209600 300
restarchitect.com. 86400 IN NS ns1.m2osw.com.
restarchitect.com. 86400 IN NS ns2.m2osw.com.
restarchitect.com. 86400 IN A 10.0.0.1
_acme-challenge.restarchitect.com. 86400 IN TXT "test"
w.restarchitect.com. 86400 IN A 10.0.0.1
ww.restarchitect.com. 86400 IN A 10.0.0.1
www.restarchitect.com. 86400 IN A 10.0.0.1
wwww.restarchitect.com. 86400 IN A 10.0.0.1
%

If I modify restarchitect.com to have an A record at
_acme-challenge.restarchitect.com then errors will be reported. On line 6 of
restarchitect.com the owner name _acme-challenge.restarchitect.com is bad.

% named-checkzone restarchitect.com restarchitect.com
restarchitect.com:6: _acme-challenge.restarchitect.com: bad owner name (check-names)
zone restarchitect.com/IN: loaded serial 1309082308
OK
% cat restarchitect.com
restarchitect.com. 86400 IN SOA ns1.m2osw.com. hostmaster.m2osw.com. 1309082308 10800 180 1209600 300
restarchitect.com. 86400 IN NS ns1.m2osw.com.
restarchitect.com. 86400 IN NS ns2.m2osw.com.
restarchitect.com. 86400 IN A 10.0.0.1
_acme-challenge.restarchitect.com. 86400 IN TXT "test"
_acme-challenge.restarchitect.com. 86400 IN A 10.0.0.1
w.restarchitect.com. 86400 IN A 10.0.0.1
ww.restarchitect.com. 86400 IN A 10.0.0.1
www.restarchitect.com. 86400 IN A 10.0.0.1
wwww.restarchitect.com. 86400 IN A 10.0.0.1
%

Mark

> The check-names option is currently the only way to fix this problem (i.e.
> you can't use an escape for that one specific letter.)"
>
> -----------------------------------
>
> Is this incorrect? My same error went away when I added it. I certainly was
> not familiar with the option earlier.
>
> I am running BIND 9.16.5 from Ondřej's PPA for Ubuntu 18.04
>
> That page's "Create and Setup an HMAC Key" uses dnssec-keygen to create the
> dynamic key, which I understand has been deprecated in newer versions. Is
> that correct? (as I mentioned, I used ddns-confgen.)
>
>
>> Thanks for full details.
>
> Thank you for looking at them!
>
> Often, preparing a complete help request helps me see something I am
> overlooking that is incorrect, so then I don't need to send a help plea and
> look like an idiot. Just not in this report, although an earlier version led
> me to seeing another problem, which was good.
>
> Brett
>
>>
>> Mark
>>
>>> On 5 Aug 2020, at 08:44, Brett Delmage wrote:
>>>
>>> I'm having a problem getting nsupdate to work, as shown below.
>>>
>>> (Despite reading the man pages I'm not 100% clear about the exact scope of
>>> the grant options and it may not be right. Examples would be helpful.)
>>>
>>> I generated the key:
>>>
>>> ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
>>> # To activate this key, place the following in named.conf, and
>>> # in a separate keyfile on the system or systems from which nsupdate
>>> # will be run:
>>> key "acmesh-ottawatch." {
>>>         algorithm hmac-sha256;
>>>         secret ;
>>> };
>>>
>>> - this is included in my named.conf
>>> My config file zone entry has the statements
>>>
>>> check-names warn;
>>> update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
>>> to permit the update and limit the scope.
>>>
>>> As I understand, I need check-names (warn | ignore) because _acme-challenge
>>> has an underscore. (How the heck did LE come up with an incompatible name?)
>>>
>>>
>>> Here's my nsupdate script:
>>> # cat test-acme
>>>
>>> server cacloud.ottawatch.ca
>>> zone ottawatch.ca
>>> debug
>>> update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
>>> send
>>>
>>>
>>> # nsupdate -k acmesh-ottawatch.ca test-acme
>>>
>>> Sending update to 2607:7b00:7200:1::281a:5de2#53
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42504
>>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>>> ;; ZONE SECTION:
>>> ;ottawatch.ca. IN SOA
>>>
>>> ;; UPDATE SECTION:
>>> _acme-challenge.ottawatch.ca. 999 IN TXT "test 1"
>>>
>>> ;; TSIG PSEUDOSECTION:
>>> acmesh-ottawatch. 0 ANY TSIG hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0
>>>
>>>
>>> Reply from update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 42504
>>> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>>> ;; ZONE SECTION:
>>> ;ottawatch.ca. IN SOA
>>>
>>> ;; TSIG PSEUDOSECTION:
>>> acmesh-ottawatch. 0 ANY TSIG hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0
>>>
>>> Sending update to 2607:7b00:7200:1::281a:5de2#53
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 32884
>>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>>> ;; ZONE SECTION:
>>> ;ottawatch.ca. IN SOA
>>>
>>> ;; TSIG PSEUDOSECTION:
>>> acmesh-ottawatch. 0 ANY TSIG hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0
>>>
>>>
>>>
>>> # dig _acme-challenge.ottawatch.ca. txt
>>> - the TXT RR has not been added
>>>
>>> ; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ; COOKIE: f735fda5ecb94793010000005f29e1bed617055d59cb5d75 (good)
>>> ;; QUESTION SECTION:
>>> ;_acme-challenge.ottawatch.ca. IN TXT
>>>
>>> ;; AUTHORITY SECTION:
>>> ottawatch.ca. 900 IN SOA cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900
>>>
>>> ;; Query time: 0 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Tue Aug 04 18:31:26 EDT 2020
>>> ;; MSG SIZE rcvd: 140
>>>
>>>
>>> What am I missing or doing wrong, please?
>>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
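Mark's point above, that check-names validates owner names only for hostname-bearing types and never for TXT, can be reproduced with a small checker. This is an added example, not BIND code or anything from the thread; it parses only the one-record-per-line zone layout shown above, checks owner names for the listed types (leaving out SRV, whose owners legitimately begin with _service._proto labels) and PTR targets under in-addr.arpa/ip6.arpa, and uses a constructed zone modelled on the two named-checkzone runs.

```python
import re

# RR types whose OWNER name named(8) validates as an LDH hostname under the
# default check-names policy (Mark's list minus PTR and SRV: PTR is checked on
# its rdata target below, and SRV owners legitimately begin with
# _service._proto labels, which this simplified checker does not model).
OWNER_HOSTNAME_TYPES = {"A", "AAAA", "MX", "AFSDB", "MINFO", "NS",
                        "RP", "RT", "SOA", "A6"}
REVERSE_SUFFIXES = (".in-addr.arpa.", ".ip6.arpa.")

# One LDH label: letters, digits and hyphens, no leading or trailing hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def is_ldh_hostname(name: str) -> bool:
    """True when every label of name is an LDH label (trailing dot optional)."""
    return all(LDH_LABEL.match(lbl) for lbl in name.rstrip(".").split("."))

def check_zone(zone_text: str) -> list:
    """Return (line, name, message) tuples for names the default check-names
    policy rejects.  Parses only the one-record-per-line master format used in
    the thread: owner ttl class type rdata..."""
    problems = []
    for lineno, line in enumerate(zone_text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype in OWNER_HOSTNAME_TYPES and not is_ldh_hostname(owner):
            problems.append((lineno, owner, "bad owner name (check-names)"))
        elif (rtype == "PTR" and owner.endswith(REVERSE_SUFFIXES)
              and not is_ldh_hostname(rdata[0])):
            # PTR targets count as hostnames only inside the reverse trees.
            problems.append((lineno, rdata[0], "bad name (check-names)"))
        # TXT and every other type are never subject to check-names.
    return problems

# Constructed sample mirroring the thread's two named-checkzone runs.
ZONE_TXT_ONLY = """\
restarchitect.com. 86400 IN SOA ns1.m2osw.com. hostmaster.m2osw.com. 1309082308 10800 180 1209600 300
restarchitect.com. 86400 IN NS ns1.m2osw.com.
_acme-challenge.restarchitect.com. 86400 IN TXT "test"
www.restarchitect.com. 86400 IN A 10.0.0.1
"""
ZONE_WITH_A = ZONE_TXT_ONLY + "_acme-challenge.restarchitect.com. 86400 IN A 10.0.0.1\n"

if __name__ == "__main__":
    for zone in (ZONE_TXT_ONLY, ZONE_WITH_A):
        print(check_zone(zone) or "OK")
```

The first zone passes clean and the second reports line 5, the same split Mark shows: the underscore is only a problem once an A record, not a TXT record, sits at that owner name.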
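Brett's original question asked for examples of how the update-policy grant is scoped, and Mark's diagnosis was that the key name in the grant (ottawatch-acmesh.) did not match the key nsupdate signed with (acmesh-ottawatch.). The following is an added example, not BIND's own policy code: a simplified model of a `grant <key> name <owner> <types>` rule that assumes the TSIG signature has already been verified and only compares the signer's key name, the owner name and the RR type exactly (no wildcard identities or other nametypes).

```python
from dataclasses import dataclass

def canon(name: str) -> str:
    """Fully qualify and lower-case a DNS name so comparisons are exact."""
    return name.lower().rstrip(".") + "."

@dataclass(frozen=True)
class Grant:
    identity: str       # name of the TSIG key the update must be signed with
    name: str           # the one owner name this rule covers (nametype "name")
    types: frozenset    # RR types permitted; empty means any type

def parse_update_policy(text: str) -> list:
    """Parse `grant <key> name <owner> [types...];` rules, the subset of
    named.conf's update-policy grammar used in the thread."""
    rules = []
    for stmt in text.split(";"):
        words = stmt.split()
        if len(words) >= 4 and words[0] == "grant" and words[2] == "name":
            types = frozenset(t.upper() for t in words[4:])
            rules.append(Grant(canon(words[1]), canon(words[3]), types))
    return rules

def evaluate(rules: list, signer: str, owner: str, rtype: str) -> str:
    """Return the rcode a server applying these rules would send back for an
    update signed by key `signer` that touches `owner`/`rtype`."""
    for g in rules:
        if (g.identity == canon(signer) and g.name == canon(owner)
                and (not g.types or rtype.upper() in g.types)):
            return "NOERROR"
    return "REFUSED"

# The grant exactly as written in the thread's zone statement.
RULES = parse_update_policy(
    "grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;")
CHALLENGE = "_acme-challenge.ottawatch.ca."

if __name__ == "__main__":
    # Key name nsupdate actually signed with versus the one in the grant.
    print(evaluate(RULES, "acmesh-ottawatch.", CHALLENGE, "TXT"))   # REFUSED
    print(evaluate(RULES, "ottawatch-acmesh.", CHALLENGE, "TXT"))   # NOERROR
    # The grant also stops the same key writing other types or other names.
    print(evaluate(RULES, "ottawatch-acmesh.", CHALLENGE, "A"))     # REFUSED
    print(evaluate(RULES, "ottawatch-acmesh.", "www.ottawatch.ca.", "TXT"))
```

The first call reproduces the REFUSED seen in the nsupdate debug output; the last two show why the narrow grant is worth keeping once the key names agree, since a leaked ACME key can then only touch the challenge TXT record.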