PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

PDNS Authoritative: updating from 4.6.4 to 4.7.3 - broken RFC2136 / dynamic updates #12332

Open lovelord83 opened 1 year ago

lovelord83 commented 1 year ago

Hello there,

I've recently updated my PDNS Authoritative from 4.6.4 to 4.7.3 and I've noticed my dynamic DNS updates have broken.

Just to make a reproducible example:

  1. create a new zone (aka: 123.com)
  2. set meta-data for that zone allowing update for specific IP, key name, algorithm
  3. send an nsupdate command

(you can follow the official documentation to do that: Official Docs)

When I try to update that zone through nsupdate from an allowed IP, using the correct tsig-key name + password, it throws an error:

META values for 123.com

```
root@ns1:~# pdnsutil get-meta 123.com
Dec 15 10:31:36 [bindbackend] Parsing 0 domain(s), will report when done
Dec 15 10:31:36 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
Metadata for '123.com'
ALLOW-DNSUPDATE-FROM = X.X.X.X/32 <-- My allowed IP to set dyndns update through RFC2136
SOA-EDIT-API = DEFAULT
TSIG-ALLOW-DNSUPDATE = 123-test <-- KEY NAME
```

```
root@ns1:~# pdnsutil list-tsig-keys
Dec 15 10:31:50 [bindbackend] Parsing 0 domain(s), will report when done
Dec 15 10:31:50 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
123-test. hmac-md5. '1Q7VGkGcK6p46S0OVG2K5cm2DWUFQXEqP12pDjuLbJk=' <-- KEY PASSWORD
```

command sent:

```
nsupdate <<!
server 53
zone 123.com
update add test1.123.com 3600 TXT "this is a test"
key hmac-md5:123-test 1Q7VGkGcK6p46S0OVG2K5cm2DWUFQXEqP12pDjuLbJk=
send
!
```

Result (dns side):

```
Dec 15 10:23:26 ns1 pdns_server[3782843]: Packet for '123.com' denied: Signature with TSIG key '123-test' failed to validate
Dec 15 10:24:05 ns1 pdns_server[3782843]: Packet for '123.com' denied: Signature with TSIG key '123-test' failed to validate
```

Result (updater client side):

```
; TSIG error with server: expected a TSIG or SIG(0)
update failed: REFUSED
```

Kind regards,

Andrea

zeha commented 1 year ago

Hi,

the bug report template is there for a reason. Given you have ignored it, please fill out these questions:

Environment

Plus, source/version of your nsupdate binary.

lovelord83 commented 1 year ago

Good morning @zeha,

I just noticed that my tsig-keys have passwords between single quote marks; this seems to be the cause of the problem. I don't know how this is possible, because I've generated them through pdnsutil, but replacing the TSIG password after the upgrade (deleting it and adding a new password again) seems to solve the problem.

Habbie commented 1 year ago

Please check whether pdnsutil really inserts those quotes. If not, we can close this ticket. Thanks!
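
A check for the condition reported in this thread, added here as an example (it is not part of the issue or of PowerDNS): it scans `pdnsutil list-tsig-keys` output for secrets stored with literal quote characters or otherwise not valid base64. The line layout (name, algorithm, secret) is assumed from the output quoted in the report, and the sample listing and both secrets are constructed.

```python
import base64
import binascii

# Constructed secrets: one clean, one stored with literal single quotes.
GOOD = base64.b64encode(b"constructed-sample-secret-32byte").decode()
QUOTED = "'" + GOOD + "'"

# Constructed listing in the layout shown in the report, log lines included.
SAMPLE = f"""\
Dec 15 10:31:50 [bindbackend] Parsing 0 domain(s), will report when done
Dec 15 10:31:50 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
123-test. hmac-md5. {QUOTED}
example-ok. hmac-sha256. {GOOD}
"""


def check_secret(secret):
    """Return the problems found in one stored TSIG secret (empty if clean)."""
    problems = []
    if secret.startswith(("'", '"')) or secret.endswith(("'", '"')):
        problems.append("wrapped in quote characters")
    try:
        # validate=True rejects any character outside the base64 alphabet.
        base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        problems.append("not valid base64")
    return problems


def audit(listing):
    """Map key name -> problems for every key line in the listing."""
    findings = {}
    for line in listing.splitlines():
        fields = line.split()
        # Assumed key line layout: exactly three fields, algorithm is hmac-*.
        # Backend log lines have more fields and are skipped.
        if len(fields) != 3 or not fields[1].lower().startswith("hmac-"):
            continue
        name, _algorithm, secret = fields
        problems = check_secret(secret)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(f"{name} {', '.join(problems)}")
```

Feeding it the real listing after an upgrade shows which keys need to be deleted and re-added, as described in the thread.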