Support #11575
closed
smart-proxy can't update ns in bind
Added by Lukas Müller over 8 years ago.
Updated over 8 years ago.
Description
Hello,
I configured Bind to communicate with the foreman-proxy via the web UI when provisioning a new host.
It fails at creating a reverse DNS entry in Bind (error 400 Bad Request).
Here's my named.conf:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
};
controls { inet 127.0.0.1 allow { localhost; } keys { foreman; }; };
include "/etc/rndc.key";
include "/etc/foreman.key";
zone "10.168.192.in-addr.arpa" {
type master;
file "/var/named/10.168.192.rev";
update-policy {
grant foreman zonesub ANY;
};
# allow-update {key "foreman"; };
};
zone "example.local" {
type master;
file "/var/named/example.local.hosts";
update-policy {
grant foreman zonesub ANY;
};
# allow-update {key "foreman"; };
};
logging
{
category update { update_log; };
channel update_log
{
file "/var/named/logs/dns-update.log" versions 2 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
};
zone "." {
type forward;
forwarders {
10.140.79.240;
};
};
Error-Log of Foreman-proxy:
E, [2015-08-26T15:13:14.403595 #24454] ERROR -- : Update errors: Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 40880
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;10.168.192.in-addr.arpa. IN SOA
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1440594794 300 16 ddtIA5xr2Tte8HjEHHoRrQ== 40880 NOERROR 0
192.168.10.90 - - [26/Aug/2015 15:13:14] "POST /dns/ HTTP/1.1" 400 336 0.0939
Does anyone have an idea how to fix this foreman-proxy DNS error?
Release 1.8.3
- Description updated (diff)
The "1." and "2." can be ignored. They were written when I marked it as code.
Could you enable debug logging (in settings.yml) and post the output please?
Here is the output
D, [2015-08-26T15:36:01.767127 #28814] DEBUG -- : verifying remote client 192.168.10.90 against trusted_hosts ["voss-centos1.bafg.de"]
D, [2015-08-26T15:36:01.769675 #28814] DEBUG -- : running /usr/bin/nsupdate -k /etc/rndc.key
D, [2015-08-26T15:36:01.781230 #28814] DEBUG -- : nsupdate: executed - server 127.0.0.1
D, [2015-08-26T15:36:01.787134 #28814] DEBUG -- : nsupdate: executed - update add 92.10.168.192.in-addr.arpa. 86400 IN PTR voss-foreman1.example.local
D, [2015-08-26T15:36:01.862837 #28814] DEBUG -- : nsupdate: errors
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 27645
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;10.168.192.in-addr.arpa. IN SOA
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1440596161 300 16 FL0+a18XfqVafiz9YScw8Q== 27645 NOERROR 0
E, [2015-08-26T15:36:01.868867 #28814] ERROR -- : Update errors: Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 27645
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;10.168.192.in-addr.arpa. IN SOA
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1440596161 300 16 FL0+a18XfqVafiz9YScw8Q== 27645 NOERROR 0
D, [2015-08-26T15:36:01.869340 #28814] DEBUG -- : /usr/share/foreman-proxy/modules/dns/providers/nsupdate.rb:84:in `nsupdate'
Looks like your update policy for both zones specifies the "foreman" key, while "rndc-key" is actually used for the update.
After generating the key with:
ddns-confgen -k foreman -a hmac-md5
you should execute
nsupdate -k /etc/foreman.key
[root@voss-centos1 etc]# ddns-confgen -k foreman -a hmac-md5
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "foreman" {
algorithm hmac-md5;
secret "****************";
};
# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key. For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
grant foreman zonesub ANY;
};
# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>
But this doesn't seem to work. Look what's happening when I try to run this command.
[root@voss-centos1 named]# nsupdate -k /etc/foreman.key
>
>
The only way to get out of this command is to type quit. How can I use it the right way?
By default smart-proxy uses the key found in the '/etc/rndc.key' file. You'll need to update the dns module configuration (either in dns.yml or dns_nsupdate.yml, depending on the version): the dns_key parameter should point to your key file.
I was able to fix it.
The DNS log said that it wasn't able to create a file in the /var/named directory.
Aug 26 16:21:41 ServerName named[33117]: /var/named/3.2.1.rev.jnl: create: permission denied
After executing
chown -R named:named /var/named/
the DNS reverse entry and provisioning work.
I also changed the key file in dns.yml to key_file: '/etc/foreman.key' as recommended in comment #7 to get it working.
Thank you for your help!
For others who read this: Don't forget to look at /var/log/messages, where named is speaking. The foreman-proxy log is just a piece of the puzzle.
- Status changed from New to Resolved
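A preflight check for the two causes found in this thread, added here as an example (it is not Foreman's or smart-proxy's own code): it parses named.conf and the key file the proxy is pointed at, then reports each master zone whose update-policy does not grant that key name (named answers REFUSED, as in the logs above) or whose zone directory is not writable, so the .jnl journal cannot be created (the "create: permission denied" message). The regex parsing only covers the statements seen in this thread, and the file paths in the usage line are assumptions.

```python
import os
import re

def _block(text, start):
    # Return the text between the "{" at index `start` and its matching "}".
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def key_name(keyfile_text):
    # Name of the TSIG key in a ddns-confgen / rndc-confgen style key file.
    m = re.search(r'key\s+"([^"]+)"\s*\{', re.sub(r"(#|//)[^\n]*", "", keyfile_text))
    if not m:
        raise ValueError("no key statement found in key file")
    return m.group(1)

def zones(named_conf_text):
    # Map zone name -> (zone file, key names granted by update-policy) for master
    # zones. Comments are stripped first, so "# allow-update {...};" is ignored.
    text = re.sub(r"(#|//)[^\n]*", "", named_conf_text)
    out = {}
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', text):
        body = _block(text, m.end() - 1)
        if not re.search(r"\btype\s+master\s*;", body):
            continue  # forward/slave/hint zones take no dynamic updates
        f = re.search(r'file\s+"([^"]+)"', body)
        grants = set(re.findall(r"\bgrant\s+(\S+)\s", body))
        out[m.group(1)] = (f.group(1) if f else None, grants)
    return out

def check(named_conf_text, keyfile_text, writable=lambda d: os.access(d, os.W_OK)):
    # {zone: [problems]}; `writable` runs as the current user, so run as named or pass a predicate.
    key = key_name(keyfile_text)
    report = {}
    for zone, (zfile, grants) in zones(named_conf_text).items():
        problems = []
        if key not in grants:
            problems.append(f"key '{key}' not granted (grants: {sorted(grants) or 'none'}); expect REFUSED")
        if zfile and not writable(os.path.dirname(zfile)):
            problems.append(f"{os.path.dirname(zfile)} not writable: journal {zfile}.jnl cannot be created")
        report[zone] = problems
    return report

if __name__ == "__main__":
    import sys  # usage: preflight.py /etc/named.conf /etc/foreman.key (paths assumed)
    for zone, probs in check(open(sys.argv[1]).read(), open(sys.argv[2]).read()).items():
        print(zone, "OK" if not probs else "; ".join(probs))
```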