Support #11575 (closed)
smart-proxy can't update ns in bind
Description
Hello,
I configured BIND to communicate with the foreman-proxy via the web UI when provisioning a new host.
It fails at creating a reverse DNS entry in BIND (error 400 Bad Request).
Here's my named.conf:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { foreman; };
};
include "/etc/rndc.key";
include "/etc/foreman.key";
zone "10.168.192.in-addr.arpa" {
    type master;
    file "/var/named/10.168.192.rev";
    update-policy { grant foreman zonesub ANY; };
    # allow-update {key "foreman"; };
};
zone "example.local" {
    type master;
    file "/var/named/example.local.hosts";
    update-policy { grant foreman zonesub ANY; };
    # allow-update {key "foreman"; };
};
logging {
    category update { update_log; };
    channel update_log {
        file "/var/named/logs/dns-update.log" versions 2 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
};
zone "." {
    type forward;
    forwarders { 10.140.79.240; };
};
Error log of the foreman-proxy:
E, [2015-08-26T15:13:14.403595 #24454] ERROR -- : Update errors: Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 40880
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;10.168.192.in-addr.arpa. IN SOA
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1440594794 300 16 ddtIA5xr2Tte8HjEHHoRrQ== 40880 NOERROR 0
192.168.10.90 - - [26/Aug/2015 15:13:14] "POST /dns/ HTTP/1.1" 400 336 0.0939
Does any of you have an idea how to fix this foreman-proxy DNS error?
Release 1.8.3
Updated by Lukas Müller over 8 years ago
The "1." and "2." can be ignored; they were added when I marked it as code.
Updated by Anonymous over 8 years ago
Could you enable debug logging (in settings.yml) and post the output please?
Updated by Lukas Müller over 8 years ago
Here is the output:
D, [2015-08-26T15:36:01.767127 #28814] DEBUG -- : verifying remote client 192.168.10.90 against trusted_hosts ["voss-centos1.bafg.de"]
D, [2015-08-26T15:36:01.769675 #28814] DEBUG -- : running /usr/bin/nsupdate -k /etc/rndc.key
D, [2015-08-26T15:36:01.781230 #28814] DEBUG -- : nsupdate: executed - server 127.0.0.1
D, [2015-08-26T15:36:01.787134 #28814] DEBUG -- : nsupdate: executed - update add 92.10.168.192.in-addr.arpa. 86400 IN PTR voss-foreman1.example.local
D, [2015-08-26T15:36:01.862837 #28814] DEBUG -- : nsupdate: errors Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 27645
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;10.168.192.in-addr.arpa. IN SOA
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1440596161 300 16 FL0+a18XfqVafiz9YScw8Q== 27645 NOERROR 0
E, [2015-08-26T15:36:01.868867 #28814] ERROR -- : Update errors: Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 27645
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;10.168.192.in-addr.arpa. IN SOA
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1440596161 300 16 FL0+a18XfqVafiz9YScw8Q== 27645 NOERROR 0
D, [2015-08-26T15:36:01.869340 #28814] DEBUG -- : /usr/share/foreman-proxy/modules/dns/providers/nsupdate.rb:84:in `nsupdate'
Updated by Anonymous over 8 years ago
Looks like your update policy for both zones specifies the "foreman" key, while "rndc-key" is actually used for the update.
Updated by Lukas Müller over 8 years ago
After generating the key with:
ddns-confgen -k foreman -a hmac-md5
you should execute
nsupdate -k /etc/foreman.key
[root@voss-centos1 etc]# ddns-confgen -k foreman -a hmac-md5
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "foreman" {
	algorithm hmac-md5;
	secret "****************";
};
# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key.  For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
	grant foreman zonesub ANY;
};
# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>
But this doesn't seem to work. Look what happens when I try to run this command:
[root@voss-centos1 named]# nsupdate -k /etc/foreman.key
>
>
The only way to get out of this command is to type quit. How can I use it the right way?
Updated by Anonymous over 8 years ago
By default smart-proxy uses the key found in the '/etc/rndc.key' file. You'll need to update the dns module configuration (either in dns.yml or dns_nsupdate.yml, depending on the version), dns_key parameter, to point to your key file.
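The key-name mismatch diagnosed above (the zone grants "foreman", nsupdate signs with "rndc-key") and the question of how to drive nsupdate without its interactive prompt, as one added shell example that is not from the ticket or from smart-proxy: it reads the key name out of a keyfile, compares it with the names granted by update-policy in named.conf, and emits the PTR update batch that nsupdate reads on stdin. The sample named.conf, keyfiles and secrets are constructed placeholders created in a temp directory.

```shell
#!/bin/sh
# Added example, not code from the ticket or from smart-proxy. Checks that the
# TSIG keyfile given to nsupdate defines the key name that named.conf's
# update-policy actually grants, then builds the PTR update batch that nsupdate
# reads from stdin (no interactive "> " prompt). Assumes BIND syntax as shown
# in the ticket; file paths and secrets below are constructed placeholders.

# First key "NAME" { ... } statement in a keyfile such as /etc/rndc.key
tsig_key_name() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "key") { gsub(/"/, "", $(i+1)); print $(i+1); exit } }' "$1"
}

# Every key name used in a "grant NAME ..." rule, however named.conf is wrapped
granted_key_names() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "grant") print $(i+1) }' "$1" | sort -u
}

# 0 if the keyfile's key is granted update rights in named.conf, 1 if it is not
# (the REFUSED answer in the ticket's log is what you get in the second case)
check_update_key() {
    name=$(tsig_key_name "$1")
    [ -n "$name" ] || { echo "no key statement in $1" >&2; return 2; }
    granted_key_names "$2" | grep -qx "$name" && return 0
    echo "key \"$name\" from $1 is not granted; named.conf grants:" \
        $(granted_key_names "$2") >&2
    return 1
}

# nsupdate batch for the reverse record the proxy tried to add: feed it to
# "nsupdate -k <keyfile>" on stdin.  Args: ip fqdn [ttl] [server]
ptr_update_batch() {
    owner=$(echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }')
    printf 'server %s\nupdate add %s %s IN PTR %s\nsend\n' \
        "${4:-127.0.0.1}" "$owner" "${3:-86400}" "$2"
}

# Constructed sample files mirroring the ticket: the zone grants "foreman",
# but the proxy's default keyfile defines "rndc-key"
tmp=$(mktemp -d)
cat > "$tmp/named.conf" <<'EOF'
zone "10.168.192.in-addr.arpa" { type master; file "/var/named/10.168.192.rev"; update-policy { grant foreman zonesub ANY; }; };
EOF
echo 'key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER"; };' > "$tmp/rndc.key"
printf 'key "foreman" {\n\talgorithm hmac-md5;\n\tsecret "PLACEHOLDER";\n};\n' > "$tmp/foreman.key"

check_update_key "$tmp/rndc.key" "$tmp/named.conf" || echo "-> point dns_key at the foreman keyfile"
check_update_key "$tmp/foreman.key" "$tmp/named.conf" && echo "-> foreman keyfile matches the update-policy"
# Real run (example): ptr_update_batch 192.168.10.92 voss-foreman1.example.local | nsupdate -k /etc/foreman.key
```

Running the same check against the proxy's configured dns_key file before enabling debug logging would have pointed straight at the mismatch in this ticket.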
Updated by Lukas Müller over 8 years ago
I was able to fix it.
The DNS log said that it wasn't able to create a file in the /var/named directory:
Aug 26 16:21:41 ServerName named[33117]: /var/named/3.2.1.rev.jnl: create: permission denied
After executing
chown -R named:named /var/named/
the DNS reverse entry and provisioning work.
I also changed the key file in dns.yml to
key_file: '/etc/foreman.key'
as recommended in comment #7 to get it to work.
Thank you for your help!
For others who read this: don't forget to look at /var/log/messages, where named is speaking. The foreman-proxy log is just one piece of the puzzle.