Bind nsupdate command getting REFUSED error


I am using the nsupdate command to update a zone, but I receive the error message update failed: REFUSED. I created the key using "rndc-confgen -a -c /etc/remote_rndc_key".

My named.conf is as follows

options {
        listen-on port 53 { 9.82.159.110; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };
        allow-update {key remote_rndc_key; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        pid-file "/run/named/named.pid";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity debug 3;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/remote_rndc_key";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "test.com" IN {
        type master;
        file "test.com.zone";
};
zone "82.9.in-addr.arpa" IN {
        type master;
        file "test.com.local";
};
key "remote_rndc_key" {
        algorithm hmac-md5;
        secret "lWB9P5pwaqO3FEb7GsFZkw==";
};
controls {
        inet 9.82.159.110 port 953
                allow { 9.82.224.110; } keys { "remote_rndc_key"; };
 };

/etc/remote_rndc_key:

key "rndc-key" {
        algorithm hmac-md5;
        secret "lWB9P5pwaqO3FEb7GsFZkw==";
};

/var/named/test.com.zone:

$TTL 1D
@       IN SOA  ns1  rname.invalid. (
                                        2019062901      ; serial
                                        5M      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1
ns1     IN A    9.82.159.110
www     IN A    9.82.100.100

Using nsupdate:

[root@localhost tmp]# nsupdate -v -d  -k  ./remote_rndc_key
Creating key...
Creating key...
namefromtext
keycreate
> server 9.82.159.110
> update add ftps.test.com 600 A 1.1.1.2
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  40666
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;ftps.test.com.                 IN      SOA

;; AUTHORITY SECTION:
test.com.               0       IN      SOA     ns1.test.com. rname.invalid. 2019062901 300 3600 604800 10800

;; TSIG PSEUDOSECTION:
rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1649854961 300 16 MFdWnAJcNEQ17QovaBmzTw== 40666 NOERROR 0

Found zone name: test.com
The master is: ns1.test.com
Sending update to 9.82.159.110#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  59745
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
ftps.test.com.          600     IN      A       1.1.1.2

;; TSIG PSEUDOSECTION:
rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1649854961 300 16 vJjzs0bT4QxHW40mL/MT7g== 59745 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  59745
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;test.com.                      IN      SOA

;; TSIG PSEUDOSECTION:
rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1649854961 300 16 FAcO+t5JUdOJdC1mRuHNeA== 59745 NOERROR 0

The named server log is as below:

[root@localhost named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-04-13 20:36:14 CST; 29min ago
  Process: 3371415 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, >
  Process: 3371418 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 3371421 (named)
    Tasks: 35
   Memory: 88.8M
   CGroup: /system.slice/named.service
           └─3371421 /usr/sbin/named -u named -c /etc/named.conf

Apr 13 20:36:32 localhost.localdomain named[3371421]: client @0x7ff1f0108770 9.82.224.110#59471/key rndc-key: signer "rndc-key" denied

What can be the reason?

3

There are 3 answers

0
Gaziz On

/etc/named.conf:

  zone "test.com" IN {
    type master;
    file "test.com.zone";
    allow-update { any; }; <--- allow updates anywhere
  };

/etc/remote_rndc_key:

  key "remote_rndc_key" { <--- change name here
    algorithm hmac-md5;
    secret "lWB9P5pwaqO3FEb7GsFZkw==";
  };
0
J.Heng On

I confused the key name with the key file name:

/etc/remote_rndc_key:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "lWB9P5pwaqO3FEb7GsFZkw==";
    };

should be changed to:

    key "remote_rndc_key" {
        algorithm hmac-md5;
        secret "lWB9P5pwaqO3FEb7GsFZkw==";
    };
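The failure in the question and the fix in the answer above come down to one thing: named's allow-update ACL permits updates signed by a key called remote_rndc_key, while the file handed to nsupdate defines a key called rndc-key, so the TSIG verifies but the signer is not on the ACL and named logs `signer "rndc-key" denied`. named-checkconf cannot catch this, because it never sees the client's key file. The script below is an added example (not code from the original post or from BIND) that cross-checks the two files mechanically; the configuration strings are constructed stand-ins for the poster's files with placeholder secrets, and the regexes are an approximation of named.conf parsing, not a full parser. It also flags two things a defender would want to change: `allow-update { any; }` and the hmac-md5 algorithm.

```python
"""Cross-check BIND TSIG key names: the key a client signs with must be the
same key name that named's allow-update ACL references.  Added example,
not code from the original post or from BIND."""
import re

# key "name" { ... };  (the \b plus required whitespace keeps "keys {" in
# the controls block and "key foo;" ACL entries from matching)
KEY_DEF_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}', re.S)
ALLOW_UPDATE_RE = re.compile(r'\ballow-update\s*\{([^}]*)\}', re.S)
ALGO_RE = re.compile(r'\balgorithm\s+([\w-]+)\s*;')


def defined_keys(conf):
    """Map every key block's name to its algorithm (None if missing)."""
    found = {}
    for name, body in KEY_DEF_RE.findall(conf):
        match = ALGO_RE.search(body)
        found[name] = match.group(1).lower() if match else None
    return found


def allow_update_entries(conf):
    """Collect key names from all allow-update ACLs; flag a bare 'any'."""
    keys, allows_any = set(), False
    for body in ALLOW_UPDATE_RE.findall(conf):
        for token in body.split(";"):
            token = token.strip()
            if token == "any":
                allows_any = True
            elif token.startswith("key "):
                keys.add(token[4:].strip().strip('"'))
    return keys, allows_any


def check_update_config(named_conf, nsupdate_key_file):
    """Return a list of findings; an empty list means the names line up."""
    findings = []
    defined = defined_keys(named_conf)
    allowed, allows_any = allow_update_entries(named_conf)
    signers = defined_keys(nsupdate_key_file)

    for name in sorted(allowed - set(defined)):
        findings.append(f"allow-update names key '{name}' but no key block defines it")
    for name in sorted(signers):
        if name not in allowed:
            findings.append(f"nsupdate signs as '{name}', which no allow-update ACL lists "
                            f'(named logs: signer "{name}" denied)')
    if allows_any:
        findings.append("allow-update { any; } accepts unsigned updates from anyone")
    for name, algo in sorted({**defined, **signers}.items()):
        if algo == "hmac-md5":
            findings.append(f"key '{name}' uses hmac-md5; generate an hmac-sha256 key instead")
    return findings


# Constructed inputs mirroring the question: the ACL says remote_rndc_key,
# the file handed to nsupdate defines rndc-key.  Secrets are placeholders.
BROKEN_NAMED_CONF = """
options {
        allow-update { key remote_rndc_key; };
};
include "/etc/remote_rndc_key";
zone "test.com" IN { type master; file "test.com.zone"; };
key "remote_rndc_key" {
        algorithm hmac-md5;
        secret "PLACEHOLDER==";
};
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "remote_rndc_key"; };
};
"""
BROKEN_KEY_FILE = """
key "rndc-key" {
        algorithm hmac-md5;
        secret "PLACEHOLDER==";
};
"""

# Corrected: one consistent name, sha256, and the ACL scoped to the zone
# instead of sitting in options where it applies to every zone.
FIXED_NAMED_CONF = """
options { };
zone "test.com" IN {
        type master;
        file "test.com.zone";
        allow-update { key remote_rndc_key; };
};
key "remote_rndc_key" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER==";
};
"""
FIXED_KEY_FILE = """
key "remote_rndc_key" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER==";
};
"""

if __name__ == "__main__":
    for label, conf, keyfile in (("broken", BROKEN_NAMED_CONF, BROKEN_KEY_FILE),
                                 ("fixed", FIXED_NAMED_CONF, FIXED_KEY_FILE)):
        print(f"[{label}]")
        for finding in check_update_config(conf, keyfile) or ["ok"]:
            print("  ", finding)
```

Run it against your real /etc/named.conf and the key file you pass to `nsupdate -k` by reading both files into the two arguments; the broken pair above reports the signer mismatch plus the two hmac-md5 warnings, and the fixed pair reports nothing. Using a separate update key rather than the rndc key also means a leaked update credential cannot be used to control the server through the controls channel.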
1
ScifiBob On

I got this error today on my "hidden primary" BIND DNS server, and wasted a couple of hours finding the reason for the failure.

At the end, I got tired and tried again, and then it worked.

So my advice is: Try again, it may be a bug.