5 Říj
2015
5 Říj
'15
21:29
Hi!
In the last few days I have tried a new service for DDNS, nsupdate.info.
I have some problems with the service and I have been able to reproduce the
problem in a small sample script.
The attached script does update my bind9 instance but reports SERVFAIL for
Knot.
Unfortunately I still have not been able to get Knot to write more
extensive log entries.
The script uses the Python dns library from Nominum.
This is the output of the script (first update to bind then to knot)
$ python example.py
performing add for name ddns.example.com and origin example.com with rdtype
A and ipaddr 2.3.4.5
performing add for name ddns.example.com and origin example.com with rdtype
A and ipaddr 2.3.4.5
DNS error [SERVFAIL] performing add for name ddns.example.com and origin
example.com with rdtype A and ipaddr 2.3.4.5
Knot didn't log anything at all. (Any hints for that config would be
welcome.) Bind did log the following
Oct 5 21:07:49 localhost named[23792]: client beef::cafe#59322/key
example.com: updating zone 'example.com/IN': adding an RR at '
ddns.example.com.' A
Some error in the script? Could someone point me to a working script?
Any hints are welcome!
Kind regards from Stockholm
Ulrich
--
Ulrich Wisser
ulrich(a)wisser.se
5 Říj
5 Říj
22:09
On 05 Oct 2015, at 21:29, Ulrich Wisser <ulrich(a)wisser.se> wrote:
The attached script does update my bind9 instance but
reports SERVFAIL for Knot.
That would point towards your knot config. Perhaps if you share it (sans keys of course)
someone might spot something.
I have DDNS working with knot v1 so I can compare configs if you happen to still be on v1.
I also posted something a few months back about the problems I was having and what I did
to get it going which may help. I don’t know how much this applies to v2 as I haven’t got
there yet.
I am sending updates by calling knsupdate from a shell script.
Andrew
23:18
Updating through knsupdate is no problem at all. With knsupdate I can
actually update bind9 and knot. The problem is with the script somehow
working for bind and not working for knot.
knsupdate -y hmac-sha256:example.com.:SECRET
server bad::dad
zone example.com
del ddns.example.com. 300 IN A 3.4.5.6
send
server dead::beef
zone example.com
del ddns.example.com. 300 IN A 3.4.5.6
send
Does update bind9 and knot. My knot version is 2.1.0-dev
My knot.conf
log:
# Log info and more serious events to syslog.
- target: syslog
any: debug
key:
- id: example.com.
algorithm: hmac-sha256
secret: SECRET
acl:
- id: nsupdate_acl
key: example.com.
action: update
template:
- id: default
storage: /var/lib/knot
semantic-checks: on
dnssec-signing: on
kasp-db: /var/lib/knot/kasp
zone:
- domain: example.com
file: "example.com.zone"
acl: [nsupdate_acl]
Andrew Stevenson <andrew(a)ugh.net.au> schrieb am Mo., 5. Okt. 2015 um
22:09 Uhr:
On 05 Oct 2015, at 21:29, Ulrich Wisser
<ulrich(a)wisser.se> wrote:
The attached script does update my bind9 instance but reports SERVFAIL for
Knot.
That would point towards your knot config. Perhaps if you share it (sans
keys of course) someone might spot something.
I have DDNS working with knot v1 so I can compare configs if you happen to
still be on v1. I also posted something a few months back about the
problems I was having and what I did to get it going which may help. I
don’t know how much this applies to v2 as I haven’t got there yet.
I am sending updates by calling knsupdate from a shell script.
Andrew
--
Ulrich Wisser
ulrich(a)wisser.se
6 Říj
6 Říj
1:04
On 05 Oct 2015, at 23:18, Ulrich Wisser <ulrich(a)wisser.se> wrote:
Updating through knsupdate is no problem at all. With
knsupdate I can actually update bind9 and knot. The problem is with the script somehow
working for bind and not working for knot.
In that case have you tried comparing the 2 packets and seeing what is different?
Andrew
9:26
Any ideas why knot doesn't write anything to syslog?
My logging config is
log:
- target: syslog
server: debug
zone: debug
any: debug
Andrew Stevenson <andrew(a)ugh.net.au> schrieb am Di., 6. Okt. 2015 um
01:04 Uhr:
On 05 Oct 2015, at 23:18, Ulrich Wisser <ulrich(a)wisser.se> wrote:
--
Ulrich Wisser
ulrich(a)wisser.se
Updating through knsupdate is no problem at all.
With knsupdate I can
actually update bind9 and knot. The problem is with the script
somehow
working for bind and not working for knot.
In that case have you tried comparing the 2 packets and seeing what is
different?
Andrew 
7 Říj
7 Říj
19:36
Hi Ulrich.
On Tuesday, October 06, 2015 07:26:25 AM Ulrich Wisser wrote:
Any ideas why knot doesn't write anything to
syslog?
The configuration looks fine. It works for me. Are you running systemd? Which
version of Knot DNS do you have? Is it a version from packages or a custom
built one?
Regards,
Jan
22:59
Knot is started with systemd. I just restarted knot with
service knot restart
Now I do get somewhat more log entries but no logging for failed updates.
When I use the correct key knot logs an successful update, but with a wrong
key nothing is logged although the client receives a BadKey response.
/Ulrich
Jan Včelák <jan.vcelak(a)nic.cz> schrieb am Mi., 7. Okt. 2015 um 19:36 Uhr:
Hi Ulrich.
On Tuesday, October 06, 2015 07:26:25 AM Ulrich Wisser wrote:
--
Ulrich Wisser
ulrich(a)wisser.se
Any ideas why knot doesn't write anything to
syslog?
The configuration looks fine. It works for me. Are you running systemd?
Which
version of Knot DNS do you have? Is it a version from packages or a custom
built one?
Regards,
Jan
8 Říj
8 Říj
9:17
Hi,
Currently, Knot doesn't log queries (updates) with an invalid TSIG.
D
On 10/07/2015 10:59 PM, Ulrich Wisser wrote:
Knot is started with systemd. I just restarted knot
with
service knot restart
Now I do get somewhat more log entries but no logging for failed updates.
When I use the correct key knot logs an successful update, but with a wrong key nothing
is logged although the client receives a BadKey response.
/Ulrich
Jan Včelák <jan.vcelak(a)nic.cz <mailto:jan.vcelak@nic.cz>> schrieb am Mi., 7.
Okt. 2015 um 19:36 Uhr:
Hi Ulrich.
On Tuesday, October 06, 2015 07:26:25 AM Ulrich Wisser wrote:
Any ideas why knot doesn't write anything to
syslog?
The configuration looks fine. It works for me. Are you running systemd? Which
version of Knot DNS do you have? Is it a version from packages or a custom
built one?
Regards,
Jan
--
Ulrich Wisser
ulrich(a)wisser.se <mailto:ulrich@wisser.se>
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
10:56
Hello Ulrich.
On Wednesday, October 07, 2015 08:59:50 PM Ulrich Wisser wrote:
Now I do get somewhat more log entries but no logging
for failed updates.
When I use the correct key knot logs an successful update, but with a wrong
key nothing is logged although the client receives a BadKey response.
We just discussed this with the rest of the team. And we agreed that logging
of the failures would be useful. It will be implemented soon.
Here is the ticket: https://gitlab.labs.nic.cz/labs/knot/issues/431
Cheers,
Jan
11:33
Great! How about the key name being the same as the zone name. Will that be
fixed too?
/Ulrich
Jan Včelák <jan.vcelak(a)nic.cz> schrieb am Do., 8. Okt. 2015 um 10:56 Uhr:
Hello Ulrich.
On Wednesday, October 07, 2015 08:59:50 PM Ulrich Wisser wrote:
Ulrich Wisser
ulrich(a)wisser.se
Now I do get somewhat more log entries but no
logging for failed updates.
When I use the correct key knot logs an successful update, but with a
wrong
key nothing is logged although the client
receives a BadKey response.
We just discussed this with the rest of the team. And we agreed that
logging
of the failures would be useful. It will be implemented soon.
Here is the ticket: https://gitlab.labs.nic.cz/labs/knot/issues/431
Cheers,
Jan
--
11:35
Yes, I am working hard on that :-)
D
On 10/08/2015 11:33 AM, Ulrich Wisser wrote:
Great! How about the key name being the same as the
zone name. Will that be fixed too?
/Ulrich
Jan Včelák <jan.vcelak(a)nic.cz <mailto:jan.vcelak@nic.cz>> schrieb am Do., 8.
Okt. 2015 um 10:56 Uhr:
Hello Ulrich.
On Wednesday, October 07, 2015 08:59:50 PM Ulrich Wisser wrote:
Now I do get somewhat more log entries but no
logging for failed updates.
When I use the correct key knot logs an successful update, but with a wrong
key nothing is logged although the client receives a BadKey response.
We just discussed this with the rest of the team. And we agreed that logging
of the failures would be useful. It will be implemented soon.
Here is the ticket: https://gitlab.labs.nic.cz/labs/knot/issues/431
Cheers,
Jan
--
Ulrich Wisser
ulrich(a)wisser.se <mailto:ulrich@wisser.se>
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
11:35
+1
Daniel Salzman <daniel.salzman(a)nic.cz> schrieb am Do., 8. Okt. 2015 um
11:35 Uhr:
Yes, I am working hard on that :-)
D
On 10/08/2015 11:33 AM, Ulrich Wisser wrote:
Great! How about the key name being the same as the zone name. Will that
be fixed too?
/Ulrich
Jan Včelák <jan.vcelak(a)nic.cz> schrieb am Do., 8. Okt. 2015 um 10:56 Uhr:
--
Ulrich Wisser
ulrich(a)wisser.se
Hello Ulrich.
On Wednesday, October 07, 2015 08:59:50 PM Ulrich Wisser wrote:
Ulrich Wisser
ulrich(a)wisser.se
_______________________________________________
knot-dns-users mailing
listknot-dns-users@lists.nic.czhttps://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
Now I do get somewhat more log entries but no
logging for failed
updates.
When I use the correct key knot logs an
successful update, but with a
wrong
key nothing is logged although the client
receives a BadKey response.
We just discussed this with the rest of the team. And we agreed that
logging
of the failures would be useful. It will be implemented soon.
Here is the ticket: https://gitlab.labs.nic.cz/labs/knot/issues/431
Cheers,
Jan
--
6 Říj
6 Říj
11:09
Hi Ulrich,
It seems there is a specific problem with the dname compression in the TSIG processing.
Compression is the difference between knsupdate and the Python script. As a workaround,
you
could try to set a different key name.
Dan
On 10/05/2015 09:29 PM, Ulrich Wisser wrote:
Hi!
In the last few days I have tried a new service for DDNS, nsupdate.info
<http://nsupdate.info>.
I have some problems with the service and I have been able to reproduce the problem in a
small sample script.
The attached script does update my bind9 instance but reports SERVFAIL for Knot.
Unfortunately I still have not been able to get Knot to write more extensive log
entries.
The script uses the Python dns library from Nominum.
This is the output of the script (first update to bind then to knot)
$ python example.py
performing add for name ddns.example.com <http://ddns.example.com> and origin
example.com <http://example.com> with rdtype A and ipaddr 2.3.4.5
performing add for name ddns.example.com <http://ddns.example.com> and origin
example.com <http://example.com> with rdtype A and ipaddr 2.3.4.5
DNS error [SERVFAIL] performing add for name ddns.example.com
<http://ddns.example.com> and origin example.com <http://example.com> with
rdtype A and ipaddr 2.3.4.5
Knot didn't log anything at all. (Any hints for that config would be welcome.) Bind
did log the following
Oct 5 21:07:49 localhost named[23792]: client beef::cafe#59322/key example.com
<http://example.com>: updating zone 'example.com/IN
<http://example.com/IN>': adding an RR at 'ddns.example.com
<http://ddns.example.com>.' A
Some error in the script? Could someone point me to a working script?
Any hints are welcome!
Kind regards from Stockholm
Ulrich
--
Ulrich Wisser
ulrich(a)wisser.se <mailto:ulrich@wisser.se>
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
11:35
Thank you Dan!
The name change for the key did the trick.
/Ulrich
Daniel Salzman <daniel.salzman(a)nic.cz> schrieb am Di., 6. Okt. 2015 um
11:09 Uhr:
Hi Ulrich,
It seems there is a specific problem with the dname compression in the
TSIG processing.
Compression is the difference between knsupdate and the Python script. As
a workaround, you
could try to set a different key name.
Dan
On 10/05/2015 09:29 PM, Ulrich Wisser wrote:
Hi!
In the last few days I have tried a new service for DDNS, nsupdate.info.
I have some problems with the service and I have been able to reproduce
the problem in a small sample script.
The attached script does update my bind9 instance but reports SERVFAIL for
Knot.
Unfortunately I still have not been able to get Knot to write more
extensive log entries.
The script uses the Python dns library from Nominum.
This is the output of the script (first update to bind then to knot)
$ python example.py
performing add for name ddns.example.com and origin example.com with
rdtype A and ipaddr 2.3.4.5
performing add for name ddns.example.com and origin example.com with
rdtype A and ipaddr 2.3.4.5
DNS error [SERVFAIL] performing add for name ddns.example.com and origin
example.com with rdtype A and ipaddr 2.3.4.5
Knot didn't log anything at all. (Any hints for that config would be
welcome.) Bind did log the following
Oct 5 21:07:49 localhost named[23792]: client beef::cafe#59322/key
example.com: updating zone 'example.com/IN': adding an RR at '
ddns.example.com.' A
Some error in the script? Could someone point me to a working script?
Any hints are welcome!
Kind regards from Stockholm
Ulrich
--
Ulrich Wisser
ulrich(a)wisser.se
_______________________________________________
knot-dns-users mailing
listknot-dns-users@lists.nic.czhttps://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
--
Ulrich Wisser
ulrich(a)wisser.se
3332
days inactive
3335
days old
13 comments
4 participants
participants (4)
-
Andrew Stevenson -
Daniel Salzman -
Jan Včelák -
Ulrich Wisser