• nsupdate apparently not working for me. What am I overlooking/doing wrong?

    From Brett Delmage@Brett@BrettDelmage.ca to bind-users on Tue Jul 28 22:30:05 2020
    From Newsgroup: comp.protocols.dns.bind

    nsupdate works according to updated contents of a dynamic zonefile
    but dig does not report the added A record.

    What am I doing stupidly here?

    BIND version 1:9.16.5-1+ubuntu18.04.1
    - both authoritative and local recursive

    zone config:
    zone "ottawatch.ca"
    {
        type master;
        file "/var/lib/bind/master/ottawatch.ca";
        allow-transfer { key "pannier-xfer"; };
        notify yes;
        update-policy { grant ddns-key.ottawatch.ca subdomain ottawatch.ca.; };
    };

    [do I have the correct update-policy syntax?]
    (I also tried "update-policy local" with nsupdate -l, with same results.)


    # nsupdate -D -k ddns-key.ottawatch.ca nsupdate.script

    nsupdate.script:

    server 127.0.0.1
    zone ottawatch.ca.
    update del ddns-update.ottawatch.ca. a
    send
    update add ddns-update.ottawatch.ca. 999 a 3.4.5.8
    send

    zone DB after update and "rndc sync" executed to incorporate .jnl:

    $ORIGIN .
    $TTL 900 ; 15 minutes
    ottawatch.ca    IN SOA  cacloud.ottawatch.ca. hostmaster.ottawatch.ca. (
                            2020072808 ; serial
                            900        ; refresh (15 minutes)
                            180        ; retry (3 minutes)
                            2419200    ; expire (4 weeks)
                            900        ; minimum (15 minutes)
                            )
                    NS      cacloud.ottawatch.ca.
                    NS      pannier.ottawatch.ca.
                    A       206.248.172.47
                    MX      10 mail1.ottawajazzscene.ca.
                    TXT     "v=spf1 a ip4:206.248.172.47 -all"
    $ORIGIN ottawatch.ca.
    cacloud         A       23.111.69.176
                    AAAA    2607:7b00:7200:1::281a:5de2
    $TTL 999 ; 16 minutes 39 seconds
    ddns-update     A       3.4.5.8 <--- nsupdate worked (it seems)
    $TTL 900 ; 15 minutes
    pannier         A       206.248.172.47
                    AAAA    2607:f2c0:a000:1d1::73:1



    # dig -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a

    ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1862
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 195a1192604da78e010000005f20daf7193b36ec5545d879 (good)
    ;; QUESTION SECTION:
    ;cacloud.ottawatch.ca. IN A

    ;; ANSWER SECTION:
    cacloud.ottawatch.ca. 900 IN A 23.111.69.176

    ;; Query time: 0 msec
    ;; SERVER: 23.111.69.176#53(23.111.69.176)
    ;; WHEN: Tue Jul 28 22:12:07 EDT 2020
    ;; MSG SIZE rcvd: 93

    BUT dig does not report the nsupdate-added a record (NXDOMAIN):

    # dig -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. a

    ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. a
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49598
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 6db0ccbd0085ecca010000005f20db0f7cdb769b038236f9 (good)
    ;; QUESTION SECTION:
    ;ddns-key.ottawatch.ca. IN A

    ;; AUTHORITY SECTION:
    ottawatch.ca. 900 IN SOA cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072808 900 180 2419200 900

    ;; Query time: 0 msec
    ;; SERVER: 23.111.69.176#53(23.111.69.176)
    ;; WHEN: Tue Jul 28 22:12:31 EDT 2020
    ;; MSG SIZE rcvd: 133


    A record added to the dynamic zone file manually works:

    dig -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a

    ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8033
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 8feed7fd82821e9a010000005f20dc3de1670c37be1dadbc (good)
    ;; QUESTION SECTION:
    ;bb.ottawatch.ca. IN A

    ;; ANSWER SECTION:
    bb.ottawatch.ca. 900 IN A 3.4.5.9

    ;; Query time: 0 msec
    ;; SERVER: 23.111.69.176#53(23.111.69.176)
    ;; WHEN: Tue Jul 28 22:17:33 EDT 2020
    ;; MSG SIZE rcvd: 88


    END OF DETAILS

    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Mark Andrews@marka@isc.org to Brett Delmage on Wed Jul 29 13:04:49 2020
    From Newsgroup: comp.protocols.dns.bind

    Make sure you are using the CORRECT name in the dig query. You used ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca.

    Also you can delete and add in the same UPDATE operation. Remove the
    first “send” in nsupdate.script.

    Also ottawatch.ca has DS records but the zone is not signed. You need
    to fix this as lookups are failing for anyone that is validating responses.

    ottawatch.ca. 86400 IN DS 63970 8 1 FE95768ADB2B2F9E87B3C6B4210D4C21766A2EC6
    ottawatch.ca. 86400 IN DS 63970 8 2 1139FAEF396A03435BD093ACA623306B3307D11163188D4D5143909D 3CEF76EC

    Mark
    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
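
An added example, not part of either post: offline checks for the three points in the reply (one UPDATE per "send", querying the name that was actually updated, and DS records without a signed zone). The function names are hypothetical; the script text and DS digest are taken from the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Sample data is taken from the thread.

# nsupdate.script with delete and add in ONE UPDATE message (single "send").
corrected_script() {
cat <<'EOF'
server 127.0.0.1
zone ottawatch.ca.
update del ddns-update.ottawatch.ca. a
update add ddns-update.ottawatch.ca. 999 a 3.4.5.8
send
EOF
}

# Lower-case names and give each exactly one trailing dot (stdin -> stdout).
fqdn() { tr 'A-Z' 'a-z' | sed 's/\.*$/./'; }

# Owner names touched by "update add|del|delete" lines (script on stdin).
updated_names() {
    awk 'tolower($1) == "update" && tolower($2) ~ /^(add|del|delete)$/ { print $3 }' | fqdn | sort -u
}

# Number of UPDATE messages the script sends (one per "send").
send_count() { awk 'tolower($1) == "send" { n++ } END { print n + 0 }'; }

# Succeeds only if the name given to dig is one the script updated.
query_matches_update() {   # $1 = name to query, $2 = script text
    printf '%s\n' "$2" | updated_names | grep -qxF "$(printf '%s\n' "$1" | fqdn)"
}

# Compare the parent's DS answer with the zone's DNSKEY answer, e.g. the output of
#   dig +short DS ottawatch.ca   and   dig +short DNSKEY ottawatch.ca @cacloud.ottawatch.ca
dnssec_state() {           # $1 = DS text, $2 = DNSKEY text
    if [ -n "$1" ] && [ -z "$2" ]; then echo "broken: DS at parent, zone unsigned"
    elif [ -n "$1" ]; then echo "DS and DNSKEY present (chain not verified here)"
    else echo "insecure: no DS at parent"
    fi
}

s=$(corrected_script)
echo "UPDATE messages: $(printf '%s\n' "$s" | send_count)"
for q in ddns-key.ottawatch.ca ddns-update.ottawatch.ca; do
    if query_matches_update "$q" "$s"; then echo "$q: updated by script"
    else echo "$q: not touched by script"; fi
done
dnssec_state "63970 8 1 FE95768ADB2B2F9E87B3C6B4210D4C21766A2EC6" ""
```
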