CNAME restrictions

2020-08-04 Thread Leroy Tennison
I have a situation where, due to the system's location (IP subnet), its DNS 
name is ..datavoiceint.com.  We have a 
certificate for *.datavoiceint.com which we prefer to use instead of having to 
acquire a certificate for .datavoiceint.com since this is a 
one-off internal-only web server.  Our (ISC) DNS servers (version 
9.10.3-P4-Ubuntu that comes with Ubuntu 16.04) serve both domains.  I thought a 
solution would be to use a CNAME but, when I attempt this (via nsupdate with 
the update key which works for A and PTR adds and deletes) I get (on "send"):

 TSIG error with server: expected a TSIG or SIG(0)
update failed: NOTIMP

What I tried (on both .datavoiceint.com. and 
datavoiceint.com.) was:

update add .datavoiceint.com. 86400 IN CNAME ..datavoiceint.com.

Apparently I'm misunderstanding CNAME usage. If I actually can use a CNAME 
record, what should the format be (or do I need to configure BIND differently to 
use it, since part of the reply is NOTIMP)? If that's not possible due to CNAME 
restrictions, are there any alternatives?

Thanks for your help.

Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com
2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com


This message has been sent on behalf of a company that is part of the Harris 
Operating Group of Constellation Software Inc.

If you prefer not to be contacted by Harris Operating Group please notify 
us.



This message is intended exclusively for the individual or entity to which it 
is addressed. This communication may contain information that is proprietary, 
privileged or confidential or otherwise legally exempt from disclosure. If you 
are not the named addressee, you are not authorized to read, print, retain, 
copy or disseminate this message or any part of it. If you have received this 
message in error, please notify the sender immediately by e-mail and delete all 
copies of the message.




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: CNAME restrictions

2020-08-04 Thread Matus UHLAR - fantomas

On 04.08.20 17:29, Leroy Tennison wrote:

> I have a situation where, due to the system's location (IP subnet), its DNS
> name is ..datavoiceint.com.  We have a
> certificate for *.datavoiceint.com which we prefer to use


A wildcard in certificates only covers one level of subdomains, so
*.datavoiceint.com will cover .datavoiceint.com but not
anything under it.

You will have to strip the   part or get another certificate.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
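The one-label rule Matus states, as an added example (my code, not from the thread, from BIND or from any TLS library): a small RFC 6125-style matcher showing which names a `*.datavoiceint.com` certificate covers. The hostnames other than the thread's domain are invented. It is also why a CNAME cannot rescue the setup: a TLS client checks the certificate against the name it was asked to connect to, not against whatever that name's CNAME resolves to.

```python
"""Wildcard certificate matching with the one-label rule (RFC 6125-style),
written as an illustration for the thread above; it is not code from the
thread, from BIND or from any TLS library. Hostnames below are the thread's
domain plus invented labels."""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive and a trailing dot only marks the name
    # as absolute, so neither may affect the comparison.
    return name.lower().rstrip(".").split(".")


def matches_san(reference: str, presented: str) -> bool:
    """True if the host `reference` is covered by the certificate name
    `presented` (a dNSName SAN, which may start with '*.')."""
    ref, pres = _labels(reference), _labels(presented)
    if "*" not in presented:
        return ref == pres
    # Only the whole leftmost label may be a wildcard, and browsers refuse
    # wildcards that would cover an entire TLD such as '*.com'.
    if pres[0] != "*" or len(pres) < 3 or any("*" in lbl for lbl in pres[1:]):
        return False
    # The wildcard stands for exactly one label, never for 'a.b'. So the
    # label counts must agree, and every label right of it must be equal.
    return len(ref) == len(pres) and ref[1:] == pres[1:]


def covered_by(reference: str, cert_names: list[str]) -> bool:
    """Check a host against all dNSName SANs of a certificate."""
    return any(matches_san(reference, n) for n in cert_names)


# Constructed cases for the situation in the thread: the certificate is for
# *.datavoiceint.com and the web server sits one label deeper.
CERT_SANS = ["*.datavoiceint.com"]
CASES = {
    "www.datavoiceint.com": True,          # one label under the wildcard
    "web.subnet.datavoiceint.com": False,  # two labels: not covered
    "datavoiceint.com": False,             # the bare domain is not covered
    "WWW.DataVoiceInt.COM.": True,         # case and trailing dot are ignored
}

if __name__ == "__main__":
    for host, expected in CASES.items():
        got = covered_by(host, CERT_SANS)
        print(f"{host:32} covered={got!s:5} expected={expected}")
```

The second case is the thread's host: one extra label between the host and `datavoiceint.com` is enough to fall outside the wildcard, whatever the DNS does.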


Re: CNAME restrictions

2020-08-04 Thread Kevin Darcy
Offhand, it looks like the server side is configured to only allow
authenticated updates, but you're sending an unauthenticated one.

A more nuanced issue might be if the ID you're running nsupdate as can't
read the key files, so even though you may have intended the update to be
signed, it actually wasn't.

Did you try adding a -d to the nsupdate command? If so, does the debug
output give any clues?

- Kevin



Re: CNAME restrictions

2020-08-04 Thread Leroy Tennison
Thank you, -d surfaced the issue - now to decide what to do about it...



Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-04 Thread Brett Delmage

I'm having a problem getting nsupdate to work, as shown below.

(Despite reading the man pages I'm not 100% clear about the exact scope of 
the grant options and it may not be right. Examples would be helpful.)


I generated the key:

ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "acmesh-ottawatch." {
    algorithm hmac-sha256;
    secret ;
};

- this is included in my named.conf
My config file zone entry has the statements

check-names warn;
update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
to permit the update and limit the scope.

As I understand, I need check-names (warn | ignore) because 
_acme-challenge has an underscore. (How the heck did LE come up with an 
incompatible name?)



Here's my nsupdate script:
# cat test-acme

server cacloud.ottawatch.ca
zone ottawatch.ca
debug
update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
send


# nsupdate -k acmesh-ottawatch.ca test-acme

Sending update to 2607:7b00:7200:1::281a:5de2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  42504
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;ottawatch.ca.                  IN      SOA

;; UPDATE SECTION:
_acme-challenge.ottawatch.ca. 999 IN    TXT     "test 1"

;; TSIG PSEUDOSECTION:
acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  42504
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;ottawatch.ca.                  IN      SOA

;; TSIG PSEUDOSECTION:
acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0


Sending update to 2607:7b00:7200:1::281a:5de2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  32884
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;ottawatch.ca.                  IN      SOA

;; TSIG PSEUDOSECTION:
acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0




# dig _acme-challenge.ottawatch.ca. txt
- the TXT RR has not been added

; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f735fda5ecb9479301005f29e1bed617055d59cb5d75 (good)
;; QUESTION SECTION:
;_acme-challenge.ottawatch.ca.  IN  TXT

;; AUTHORITY SECTION:
ottawatch.ca.   900 IN  SOA cacloud.ottawatch.ca. 
hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900


;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 04 18:31:26 EDT 2020
;; MSG SIZE  rcvd: 140


What am I missing or doing wrong, please?


Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-04 Thread Mark Andrews
Thanks for full details.

Your key name usage is not consistent.  acmesh-ottawatch != ottawatch-acmesh

Why are you adding `check-names warn;`?  check-names does NOT apply to TXT
records.

Mark


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
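Mark's point (the grant names one key, the key block defines another) and Brett's earlier uncertainty about the scope of grant rules, as an added example. This is my code, not BIND's and not from the thread: it lints a constructed named.conf fragment for key names that are referenced but never defined, and evaluates a `grant ... name|subdomain ...` rule against a concrete update the way the ARM describes (first matching rule wins, no match means REFUSED). The secret in the sample is a placeholder and the regexes are not a full named.conf grammar.

```python
"""Key-name consistency for dynamic-update policy, the mismatch Mark spotted.
Added example: my code, not BIND's and not from the thread. It parses
constructed named.conf text with regexes (not a full named.conf grammar) and
models only `grant|deny KEY name|subdomain NAME [TYPES]` rules."""
import re

KEY_BLOCK = re.compile(r'\bkey\s+"?([^"\s{]+)"?\s*\{', re.I)          # key "NAME" { ... };
GRANT_IDENT = re.compile(r'\b(?:grant|deny)\s+"?([^"\s;]+)"?', re.I)  # identity of a rule
ALLOW_BLOCK = re.compile(r'allow-(?:update|transfer)\s*\{([^}]*)\}', re.I)
KEY_REF = re.compile(r'\bkey\s+"?([^"\s;]+)"?\s*;', re.I)             # key NAME; inside an ACL
RULE = re.compile(r'\b(grant|deny)\s+"?([^"\s]+)"?\s+(name|subdomain)\s+'
                  r'"?([^"\s;]+)"?\s*([^;]*);', re.I)


def canon(name: str) -> str:
    """TSIG key names are DNS names: case-insensitive, trailing dot optional."""
    return name.lower().rstrip(".")


def strip_comments(conf: str) -> str:
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def defined_keys(conf: str) -> set:
    return {canon(k) for k in KEY_BLOCK.findall(strip_comments(conf))}


def referenced_keys(conf: str) -> set:
    conf = strip_comments(conf)
    refs = {canon(k) for k in GRANT_IDENT.findall(conf) if k != "*"}
    for block in ALLOW_BLOCK.findall(conf):
        refs.update(canon(k) for k in KEY_REF.findall(block))
    return refs


def lint(conf: str) -> dict:
    defined, referenced = defined_keys(conf), referenced_keys(conf)
    return {
        "undefined": sorted(referenced - defined),  # no client can satisfy this rule: REFUSED
        "unused": sorted(defined - referenced),     # a secret that grants nothing (here)
    }


def permits(conf: str, key: str, owner: str, rtype: str) -> bool:
    """First matching rule wins; no matching rule means the update is refused.
    An empty TYPES list is treated as 'any type' (BIND actually excludes a few
    infrastructure types such as SOA and NS from that default)."""
    key, owner, rtype = canon(key), canon(owner), rtype.upper()
    for action, ident, nametype, name, types in RULE.findall(strip_comments(conf)):
        if canon(ident) != key:
            continue
        name = canon(name)
        if nametype.lower() == "name":
            name_ok = owner == name
        else:  # subdomain: the name itself or anything below it
            name_ok = owner == name or owner.endswith("." + name)
        allowed = {t.upper() for t in types.split()}
        type_ok = not allowed or "ANY" in allowed or rtype in allowed
        if name_ok and type_ok:
            return action.lower() == "grant"
    return False


# Constructed named.conf fragment reproducing the thread's situation: the key
# is defined as acmesh-ottawatch. but the grant names ottawatch-acmesh.
# The secret is a placeholder, not a real key.
BROKEN_CONF = '''
key "acmesh-ottawatch." {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1zZWNyZXQ=";
};
zone "ottawatch.ca" {
    type master;
    file "/var/lib/bind/ottawatch.ca";
    update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
};
'''
FIXED_CONF = BROKEN_CONF.replace("grant ottawatch-acmesh.", "grant acmesh-ottawatch.")

if __name__ == "__main__":
    print("broken:", lint(BROKEN_CONF))
    print("fixed: ", lint(FIXED_CONF))
    chal = "_acme-challenge.ottawatch.ca."
    print("TXT at challenge name:", permits(FIXED_CONF, "acmesh-ottawatch.", chal, "TXT"))
    print("A at challenge name:  ", permits(FIXED_CONF, "acmesh-ottawatch.", chal, "A"))
```

With the broken fragment the lint reports `ottawatch-acmesh` as referenced but undefined, which is exactly the state that produced the REFUSED reply: the TSIG verified fine (the key exists), but no rule was written for that identity. With the grant corrected, the key may add a TXT at the challenge name and nothing else, which is the least privilege an ACME client needs.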



Invalid class in dns query

2020-08-04 Thread Trevor Woolley
Hi all,

Looking for a temporary work around, while an issue gets resolved. I have a
DNS query coming in with an invalid class requested (65 or 0x41).

The workaround I’m looking for is one that just uses the IN class (1 or
0x01), if I have to duplicate all records required into “CLASS65” it could
be a lengthy process.

Currently running BIND 9.14.5 on a Centos7 OS.

Rgds
Trevor


Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-04 Thread Brett Delmage

On Wed, 5 Aug 2020, Mark Andrews wrote:

> Your key name usage is not consistent.  acmesh-ottawatch != ottawatch-acmesh

Thank you! Fixed and working.

> Why are you adding `check-names warn;`?  check-names does NOT apply to TXT
> records.


Previously I was getting the error "bad owner name (check-names)".

So a search for that error led me to this page
https://linux.m2osw.com/setting-bind-get-letsencrypt-wildcards-work-your-system-using-rfc-2136

which states

"The check-names option is required in case the name letsencrypt adds 
_acme-challenge to your list of known sub-domains. The underscore 
character is not liked by BIND9. This is because it is not part of the 
domain name specification. It is not allowed at all. By default BIND will 
generate an error and log it and skip over that entry entirely (i.e. it 
will not serve that zone at all, albeit all the other zones will work just 
fine.)


You can also set this parameter to ignore. In that case, no warning is 
emitted in your logs.


Here is the error you get ("bad owner name") when a name uses characters 
that are not supposed to be used in a domain name:


09-Feb-2019 03:02:31.988 general: error:
   /var/lib/bind/restarchitect.com.zone:31:
  _acme-challenge.restarchitect.com:
  bad owner name (check-names)

The check-names option is currently the only way to fix this problem (i.e. 
you can't use an escape for that one specific letter.)"


---

Is this incorrect? My same error went away when I added it. I certainly 
was not familiar with the option earlier.


I am running BIND 9.16.5 from Ondřej's PPA for Ubuntu 18.04

That page's "Create and Setup an HMAC Key" uses dnssec-keygen to create 
the dynamic key, which I understand has been deprecated in newer versions. 
Is that correct? (as I mentioned, I used ddns-confgen.)




> Thanks for full details.

Thank you for looking at them!

Often, preparing a complete help request helps me see something I am 
overlooking that is incorrect, so then I don't need to send a help plea 
and look like an idiot. Just not in this report, although an earlier 
version led me to seeing another problem, which was good.


Brett






Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-04 Thread Mark Andrews


> On 5 Aug 2020, at 13:12, Brett Delmage  wrote:
> 
> On Wed, 5 Aug 2020, Mark Andrews wrote:
> 
>> Your key name usage is not consistent.  acmesh-ottawatch != ottawatch-acmesh
> 
> Thank you! Fixed and working.
> 
>> Why are you adding `check-names warn;`?  check-names does NOT apply to TXT
>> records.
> 
> Previously I was getting the error "bad owner name (check-names)".
> 
> So a search for that error led me to this page
> https://linux.m2osw.com/setting-bind-get-letsencrypt-wildcards-work-your-system-using-rfc-2136
> 
> which states
> 
> "The check-names option is required in case the name letsencrypt adds 
> _acme-challenge to your list of known sub-domains. The underscore character 
> is not liked by BIND9. This is because it is not part of the domain name 
> specification. It is not allowed at all. By default BIND will generate an 
> error and log it and skip over that entry entirely (i.e. it will not serve 
> that zone at all, albeit all the other zones will work just fine.)
> 
> You can also set this parameter to ignore. In that case, no warning is 
> emitted in your logs.
> 
> Here is the error you get ("bad owner name") when a name uses characters that 
> are not supposed to be used in a domain name:
> 
> 09-Feb-2019 03:02:31.988 general: error:
>   /var/lib/bind/restarchitect.com.zone:31:
>  _acme-challenge.restarchitect.com:
>  bad owner name (check-names)

Check-names applies to elements of records that are supposed to be HOSTNAMES or 
MAIL DOMAINS (both have the same syntax requirements).  In some cases it is the 
owner name and others it is elements of the rdata fields.  For PTR it only 
applies to records that end in in-addr.arpa and ip6.arpa as they are supposed 
to point to HOSTNAMES.  HOSTNAMES and MAIL DOMAINS are restricted to labels 
composed of letters, digits and hyphens (LDH).

The full list of records that check-names currently applies to is: A, , 
MX, AFSDB, MINFO, NS, PTR, RP, RT, SOA, A6 and SRV.

If I use the example zone on that page *no* errors are reported.

% named-checkzone restarchitect.com restarchitect.com
zone restarchitect.com/IN: loaded serial 1309082308
OK
% cat restarchitect.com
restarchitect.com.                 86400 IN SOA ns1.m2osw.com. hostmaster.m2osw.com. 1309082308 10800 180 1209600 300
restarchitect.com.                 86400 IN NS  ns1.m2osw.com.
restarchitect.com.                 86400 IN NS  ns2.m2osw.com.
restarchitect.com.                 86400 IN A   10.0.0.1
_acme-challenge.restarchitect.com. 86400 IN TXT "test"
w.restarchitect.com.               86400 IN A   10.0.0.1
ww.restarchitect.com.              86400 IN A   10.0.0.1
www.restarchitect.com.             86400 IN A   10.0.0.1
.restarchitect.com.                86400 IN A   10.0.0.1
% 

If I modify restarchitect.com to have an A record at 
_acme-challenge.restarchitect.com then errors will be reported.
On line 6 of restarchitect.com the owner name _acme-challenge.restarchitect.com 
is bad.

% named-checkzone restarchitect.com restarchitect.com
restarchitect.com:6: _acme-challenge.restarchitect.com: bad owner name (check-names)
zone restarchitect.com/IN: loaded serial 1309082308
OK
% cat restarchitect.com
restarchitect.com.                 86400 IN SOA ns1.m2osw.com. hostmaster.m2osw.com. 1309082308 10800 180 1209600 300
restarchitect.com.                 86400 IN NS  ns1.m2osw.com.
restarchitect.com.                 86400 IN NS  ns2.m2osw.com.
restarchitect.com.                 86400 IN A   10.0.0.1
_acme-challenge.restarchitect.com. 86400 IN TXT "test"
_acme-challenge.restarchitect.com. 86400 IN A   10.0.0.1
w.restarchitect.com.               86400 IN A   10.0.0.1
ww.restarchitect.com.              86400 IN A   10.0.0.1
www.restarchitect.com.             86400 IN A   10.0.0.1
.restarchitect.com.                86400 IN A   10.0.0.1
%

Mark
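Mark's explanation of which names check-names actually inspects, as an added example that is my code and not BIND's implementation: a simplified model of the rule, run over his second listing, so that the TXT at _acme-challenge passes and the A record at the same owner is the only record flagged. It models owner-name checks for A, AAAA and MX, target-name checks for NS, MX, SRV, AFSDB, RT, the SOA MNAME and PTR records under in-addr.arpa/ip6.arpa, and leaves out the other types he lists and the rdata-side mailbox checks. The zone text is constructed from the listing in his message.

```python
"""A simplified model of the check-names rule as Mark describes it: only names
that are supposed to be hostnames or mail domains are checked, so a TXT record
at _acme-challenge passes while an A record at the same owner fails. This is
an added example, not BIND's code. It models owner-name checks for A, AAAA
and MX, target-name checks for NS, MX, SRV, AFSDB, RT, the SOA MNAME and PTR
under in-addr.arpa/ip6.arpa, and leaves out the other types Mark lists. The
zone text is constructed from the listing in his message."""
import re

# RFC 952/1123 host syntax: a label is letters, digits and hyphens, no leading
# or trailing hyphen, 1..63 octets. An underscore fails this test.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

OWNER_CHECKED = {"A", "AAAA", "MX"}
# rdata field (by token index) that must be a hostname, per type.
RDATA_HOSTNAME_FIELD = {"NS": 0, "MX": 1, "SRV": 3, "AFSDB": 1, "RT": 1, "SOA": 0}


def is_hostname(name: str) -> bool:
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":      # a wildcard owner is allowed
        labels = labels[1:]
    return bool(labels) and all(LDH_LABEL.match(lbl) for lbl in labels)


def in_reverse_tree(owner: str) -> bool:
    return owner.lower().rstrip(".").endswith(("in-addr.arpa", "ip6.arpa"))


def check_names(zone_text: str) -> list:
    """Return one 'bad ... name (check-names)' message per offending record.
    Expects the one-record-per-line form 'owner ttl class type rdata...'
    used in the listing above (no $ORIGIN, no relative names, no ';' in rdata)."""
    problems = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 5:
            raise ValueError(f"line {lineno}: not an 'owner ttl class type rdata' record")
        owner, _ttl, _cls, rtype, *rdata = tokens
        rtype = rtype.upper()
        if rtype in OWNER_CHECKED and not is_hostname(owner):
            problems.append(f"{lineno}: {owner}: bad owner name (check-names)")
        field = RDATA_HOSTNAME_FIELD.get(rtype)
        if rtype == "PTR" and in_reverse_tree(owner):
            field = 0                     # a reverse-tree PTR must point at a host
        if field is not None and not is_hostname(rdata[field]):
            problems.append(f"{lineno}: {rdata[field]}: bad name (check-names)")
    return problems


# Mark's second listing, with the A record at _acme-challenge that triggers
# the error; reproduced here as constructed input.
ZONE = """\
restarchitect.com.                 86400 IN SOA ns1.m2osw.com. hostmaster.m2osw.com. 1309082308 10800 180 1209600 300
restarchitect.com.                 86400 IN NS  ns1.m2osw.com.
restarchitect.com.                 86400 IN NS  ns2.m2osw.com.
restarchitect.com.                 86400 IN A   10.0.0.1
_acme-challenge.restarchitect.com. 86400 IN TXT "test"
_acme-challenge.restarchitect.com. 86400 IN A   10.0.0.1
www.restarchitect.com.             86400 IN A   10.0.0.1
"""

if __name__ == "__main__":
    for problem in check_names(ZONE):
        print(problem)
    # -> 6: _acme-challenge.restarchitect.com.: bad owner name (check-names)
```

The practical consequence for the ACME case is the one Mark gives: `check-names` never needed relaxing for a TXT at `_acme-challenge`, and leaving it at its default keeps the protection against underscore or other non-LDH names creeping into address records.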
