Support #11575

closed

smart-proxy can't update ns in bind

Added by Lukas Müller over 8 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
DNS
Target version:
-
Triaged:
Fixed in Releases:
Found in Releases:

Description

Hello,

I configured Bind to communicate with the foreman-proxy via the web UI when provisioning a new host.

It fails at creating a reverse DNS entry in Bind (Error 400 Bad Request).

Here's my named.conf:

@options {
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
};
controls {  inet 127.0.0.1 allow { localhost; } keys { foreman; }; };
include "/etc/rndc.key";
include "/etc/foreman.key";

zone "10.168.192.in-addr.arpa" {
  type master;
  file "/var/named/10.168.192.rev";
  update-policy {
        grant foreman zonesub ANY;
};
#  allow-update {key "foreman"; };
};
zone "example.local" {
  type master;
  file "/var/named/example.local.hosts";
  update-policy {
        grant foreman zonesub ANY;
};
#  allow-update {key "foreman"; };
};
logging
{
  category update { update_log; };
  channel update_log
  {
    file "/var/named/logs/dns-update.log" versions 2 size 20m;
    print-time yes;
    print-category yes;
    print-severity yes;
    severity info;
  };
};
zone "." {
  type forward;
  forwarders {
    10.140.79.240;
  };
};
@

Error-Log of Foreman-proxy:

@E, [2015-08-26T15:13:14.403595 #24454] ERROR -- : Update errors: Answer:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  40880

;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

;; ZONE SECTION:

;10.168.192.in-addr.arpa.       IN      SOA

;; TSIG PSEUDOSECTION:

rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1440594794 300 16 ddtIA5xr2Tte8HjEHHoRrQ== 40880 NOERROR 0

192.168.10.90 - - [26/Aug/2015 15:13:14] "POST /dns/ HTTP/1.1" 400 336 0.0939
@

Does someone of you have any idea how to fix this foreman-proxy DNS error?

Release 1.8.3

Actions #1

Updated by Dominic Cleal over 8 years ago

  • Description updated (diff)
Actions #2

Updated by Lukas Müller over 8 years ago

The "1." and "2." can be ignored. It was written when I marked it as code.

Actions #3

Updated by Anonymous over 8 years ago

Could you enable debug logging (in settings.yml) and post the output please?

Actions #4

Updated by Lukas Müller over 8 years ago

Here is the output

@D, [2015-08-26T15:36:01.767127 #28814] DEBUG -- : verifying remote client 192.168.10.90 against trusted_hosts ["voss-centos1.bafg.de"]
D, [2015-08-26T15:36:01.769675 #28814] DEBUG -- : running /usr/bin/nsupdate -k /etc/rndc.key
D, [2015-08-26T15:36:01.781230 #28814] DEBUG -- : nsupdate: executed - server 127.0.0.1
D, [2015-08-26T15:36:01.787134 #28814] DEBUG -- : nsupdate: executed - update add 92.10.168.192.in-addr.arpa.  86400 IN PTR voss-foreman1.example.local
D, [2015-08-26T15:36:01.862837 #28814] DEBUG -- : nsupdate: errors
Answer:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  27645

;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

;; ZONE SECTION:

;10.168.192.in-addr.arpa.       IN      SOA

;; TSIG PSEUDOSECTION:

rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1440596161 300 16 FL0+a18XfqVafiz9YScw8Q== 27645 NOERROR 0

E, [2015-08-26T15:36:01.868867 #28814] ERROR -- : Update errors: Answer:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  27645

;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

;; ZONE SECTION:

;10.168.192.in-addr.arpa.       IN      SOA

;; TSIG PSEUDOSECTION:

rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1440596161 300 16 FL0+a18XfqVafiz9YScw8Q== 27645 NOERROR 0

D, [2015-08-26T15:36:01.869340 #28814] DEBUG -- : /usr/share/foreman-proxy/modules/dns/providers/nsupdate.rb:84:in `nsupdate'
@
Actions #5

Updated by Anonymous over 8 years ago

Looks like your update policy for both zones specifies the "foreman" key, while "rndc-key" is actually used for the update.
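The diagnosis above can be made mechanically: the REFUSED answer names the TSIG key that signed the update and the zone it targeted, and named.conf names the keys each zone's update-policy grants. The following script is an added example (not part of this thread or of smart-proxy); it works on constructed copies of the named.conf and nsupdate answer posted above, and the block-parsing and regexes are my own simplifications of named.conf syntax, not a full BIND parser.

```python
import re

# Constructed copy of the relevant fragments of the named.conf posted above
# (the commented-out allow-update line is kept on purpose: comments must be
# ignored when looking for grants).
NAMED_CONF = """
options {
  directory "/var/named";
};
include "/etc/rndc.key";
include "/etc/foreman.key";

zone "10.168.192.in-addr.arpa" {
  type master;
  file "/var/named/10.168.192.rev";
  update-policy {
        grant foreman zonesub ANY;
  };
#  allow-update {key "foreman"; };
};
zone "example.local" {
  type master;
  file "/var/named/example.local.hosts";
  update-policy {
        grant foreman zonesub ANY;
  };
#  allow-update {key "foreman"; };
};
"""

# Constructed nsupdate answer, shaped like the REFUSED answer in the proxy log above.
NSUPDATE_ANSWER = """
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  27645
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;10.168.192.in-addr.arpa.       IN      SOA
;; TSIG PSEUDOSECTION:
rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1440596161 300 16 FL0+a18XfqVafiz9YScw8Q== 27645 NOERROR 0
"""

# "grant <key> <rule> ..." inside an update-policy; the key may be quoted.
GRANT_RE = re.compile(r'grant\s+"?([^\s"]+)"?\s+(\S+)')


def _blocks(text):
    """Yield (header, body) for each brace-delimited block at the current nesting level.
    The header is the text between the previous ';' and the opening brace."""
    i = 0
    while True:
        start = text.find('{', i)
        if start < 0:
            return
        depth, j = 0, start
        while j < len(text):
            if text[j] == '{':
                depth += 1
            elif text[j] == '}':
                depth -= 1
                if depth == 0:
                    break
            j += 1
        header = text[text.rfind(';', 0, start) + 1:start].strip()
        yield header, text[start + 1:j]
        i = j + 1


def parse_update_grants(conf):
    """Map zone name -> set of key names granted in that zone's update-policy."""
    conf = re.sub(r'(#|//)[^\n]*', '', conf)      # drop '#' and '//' comments
    grants = {}
    for header, body in _blocks(conf):
        m = re.match(r'zone\s+"([^"]+)"', header)
        if not m:
            continue                                # options, logging, controls, ...
        keys = set()
        for inner_header, inner in _blocks(body):
            if inner_header == 'update-policy':
                for key, _rule in GRANT_RE.findall(inner):
                    keys.add(key.rstrip('.'))
        grants[m.group(1).rstrip('.')] = keys
    return grants


def parse_refused_answer(answer):
    """Return (status, zone, tsig_key) from an nsupdate answer; None where absent."""
    status = re.search(r'status:\s*(\w+)', answer)
    zone = re.search(r'^;(\S+)\s+IN\s+SOA', answer, re.M)
    tsig = re.search(r'^(\S+)\s+\d+\s+ANY\s+TSIG\s', answer, re.M)
    return (status.group(1) if status else None,
            zone.group(1).rstrip('.') if zone else None,
            tsig.group(1).rstrip('.') if tsig else None)


def diagnose(conf, answer):
    """Explain a REFUSED update by comparing the signing key with the zone's grants."""
    status, zone, key = parse_refused_answer(answer)
    if status != 'REFUSED':
        return f'status {status}: not a policy refusal'
    granted = parse_update_grants(conf).get(zone)
    if granted is None:
        return f'zone {zone} not found in named.conf'
    if key in granted:
        return f'key {key} is granted for {zone}; check the key secret and the named log instead'
    return (f'key {key} signed the update but zone {zone} only grants {sorted(granted)}; '
            f'point the proxy at the key file for one of those keys')


if __name__ == '__main__':
    print(diagnose(NAMED_CONF, NSUPDATE_ANSWER))
```

Run against the constructed inputs it reports that `rndc-key` signed the update while the zone only grants `foreman`, which is exactly the mismatch pointed out in this comment; when the TSIG line names a granted key, it tells you to look at the secret and the named log instead.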

Actions #6

Updated by Lukas Müller over 8 years ago

After generating the key with:

ddns-confgen -k foreman -a hmac-md5
you should execute
nsupdate -k /etc/foreman.key

[root@voss-centos1 etc]# ddns-confgen -k foreman -a hmac-md5
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "foreman" {
        algorithm hmac-md5;
        secret "****************";
};

# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key.  For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
        grant foreman zonesub ANY;
};

# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>

But this doesn't seem to work. Look what's happening when I try to run this command.
[root@voss-centos1 named]# nsupdate -k /etc/foreman.key
>
>

The only way to get out of this command is to type quit in there. How can I use it the right way?

Actions #7

Updated by Anonymous over 8 years ago

By default smart-proxy uses the key found in the '/etc/rndc.key' file. You'll need to update the dns module configuration (either in dns.yml or dns_nsupdate.yml, depending on the version), dns_key parameter, to point to your key file.

Actions #8

Updated by Lukas Müller over 8 years ago

I was able to fix it.

The DNS log said that it wasn't able to create a file in the /var/named directory:
Aug 26 16:21:41 ServerName named[33117]: /var/named/3.2.1.rev.jnl: create: permission denied

After executing
chown -R named:named /var/named/
the DNS reverse entry and provisioning work.

I also changed the key file in dns.yml to
key_file: '/etc/foreman.key'
as recommended in comment #7 to get it to work.

Thank you for your help!

For others who read this: don't forget to look at /var/log/messages, where named is speaking. The foreman-proxy log is just a piece of the puzzle.
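The second half of the fix in this comment (named could not create the zone journal, so the dynamic update failed even after the key was right) is easy to catch before enabling updates. The script below is an added example, not from this thread or from smart-proxy: it picks the "create: permission denied" journal errors out of syslog lines and checks, from directory mode bits only, whether a given uid/gid (the named user on this system, assumed here to be the caller for the demo) may create `<zonefile>.jnl`. It deliberately ignores POSIX ACLs, SELinux and root's permission bypass, so a pass here is necessary but not sufficient.

```python
import os
import re
import stat
import tempfile

# Constructed syslog line shaped like the one quoted in the comment above.
SYSLOG_LINE = ("Aug 26 16:21:41 ServerName named[33117]: "
               "/var/named/3.2.1.rev.jnl: create: permission denied")

JOURNAL_DENIED_RE = re.compile(
    r'named\[\d+\]: (?P<path>\S+\.jnl): create: permission denied')


def journal_denials(lines):
    """Return the zone-file paths whose journal named could not create."""
    hits = []
    for line in lines:
        m = JOURNAL_DENIED_RE.search(line)
        if m:
            hits.append(m.group('path')[:-len('.jnl')])   # strip the .jnl suffix
    return hits


def can_create_journal(zone_file, uid, gid, groups=()):
    """True if uid/gid may create <zone_file>.jnl in the zone file's directory.

    Creating a directory entry needs write and search (execute) permission on
    the directory for the class that applies: owner, group, or other. Mode bits
    only: ACLs, SELinux labels and root's bypass are not modelled (assumption).
    """
    st = os.stat(os.path.dirname(zone_file) or '.')
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid or st.st_gid in groups:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need


def demo():
    """Reproduce the failure mode in a scratch directory: a directory the caller
    owns but without the owner write bit refuses journal creation; restoring
    the bit (the chown/chmod step above) makes the check pass."""
    with tempfile.TemporaryDirectory() as d:
        zone = os.path.join(d, '3.2.1.rev')
        os.chmod(d, 0o555)
        before = can_create_journal(zone, os.getuid(), os.getgid())
        os.chmod(d, 0o755)
        after = can_create_journal(zone, os.getuid(), os.getgid())
        return before, after


if __name__ == '__main__':
    print(journal_denials([SYSLOG_LINE]))
    print(demo())
```

In practice you would feed `journal_denials` the tail of /var/log/messages and run `can_create_journal` for each `file` directive in named.conf with the uid/gid of the named user (from `pwd.getpwnam('named')`), which turns "check /var/log/messages" into a check that can run before the first provisioning attempt.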

Actions #9

Updated by Dominic Cleal over 8 years ago

  • Status changed from New to Resolved