Rex::DNS::Bind - tsig verify failure (BADKEY)


jcr...@indigital.net

Sep 2, 2015, 4:12:16 PM
to Rex Users
Hello,

I am attempting to use Rex::DNS::Bind for the first time.  I am on Rex version 1.32.

My Rexfile contains:

use Rex::DNS::Bind;

set dns => {
        server => "192.168.17.120",
        key_name => "/etc/rexdns.key",
        key => "/QD4iWFufzTJStYMq+BPDmlnEPvSREQZmIOxAZPY+vU=",
};

task addDNS => sub {
    Rex::DNS::Bind::add_record(
        domain => "indigitaldev.net",
        host   => "myhost",
        data   => "127.0.3.1",
        type   => "A",
    );
};


The named.conf on the DNS server contains:

zone "indigitaldev.net" IN {
type master;
file "/var/named/indigitaldev.net";
allow-transfer { trusted-servers; };
update-policy {
grant rex zonesub ANY;
};

};

zone "17.168.192.in-addr.arpa" IN {
type master;
file "/var/named/indigitaldev.rr.net";
allow-transfer { trusted-servers; };
update-policy {
grant rex zonesub ANY;
};

};

acl trusted-servers {
192.168.17.129;
127.0.0.1;
};

controls {
inet 127.0.0.1 port 953 allow { any; }
keys { "rex"; };
};

key "rex" {
algorithm hmac-md5;
secret "QD4iWFufzTJStYMq+BPDmlnEPvSREQZmIOxAZPY+vU=";
};


I can do an nsupdate -k /etc/rexdns.key -v update.txt and add an RR just fine.  So, I know the key works.

Any tips on where to look next would be appreciated.

Thanks,

Jeff

Ferenc Erki

Sep 4, 2015, 12:19:29 PM
to Rex Users
hi,

sorry, it's a bit hard to say anything overly useful without knowing what command you executed and what kind of problem you experienced (what happens? what was the expectation? were there any error messages? etc.).

On the other hand, I _think_ the "key_name" is not the _filename_ of the key, just the name of the key in the BIND config you would like to accept.

If you continue having problems with it, I would suggest opening an issue about it in the github repo of the module.

hope this helps,
FErki

Jeffrey Creek

Sep 4, 2015, 12:43:47 PM
to rex-...@googlegroups.com
Hi,

When I attempt to run the addDNS task in my Rexfile, it gives me the following error:
[2015-09-04 12:38:43] ERROR - Error executing task:
[2015-09-04 12:38:43] ERROR - NOTAUTH at /loader/0xffa320/Rex/DNS/Bind.pm line 133.


On the DNS server in /var/log/messages I see:
Sep  4 12:38:42 dns1 named[2719]: client 192.168.17.129#32847: request has invalid signature: TSIG rex: tsig verify failure (BADSIG)

I have tried to change the key_name in my Rexfile task to "rex", which is the name of the key in my BIND configuration.

Thanks,

Jeff




--
Jeff Creek
INdigital Telecom

jcr...@indigital.net

Sep 4, 2015, 2:05:21 PM
to Rex Users
Hi,

I have this working now.  While troubleshooting I had changed the key.  The fix was to have the right key and use the key_name that matches the BIND configuration.

Thanks

Jeff

Ferenc Erki

Sep 4, 2015, 2:18:10 PM
to Rex Users
hi,

thanks for the update!

Looks like the call to Net::DNS::Update->send() fails with a NOTAUTH response, which AFAIK means that the nameserver is not authoritative for the requested zone. According to the documentation of Net::DNS::Codes, it is a response code of 9 from the underlying C library.

On the other hand, the bind server suggests it's more of a signature verification problem.

I _think_ it can be solved by finding the proper parameters, but I'm not sure how to continue with debugging this.

hope this helps,
FErki
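The update that Rex::DNS::Bind performs, written out directly against Net::DNS as an added example (not code from the thread or from the Rex module): a dynamic update signed with the BIND key name and secret, which then reads the TSIG detail behind a NOTAUTH reply instead of stopping at the rcode. Server, zone and record are the ones from the thread; the secret is a placeholder, and the sigrr/error accessors on the reply are assumed from Net::DNS's TSIG record handling.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Net::DNS;

# Values taken from the thread; the secret is a placeholder, not a real key.
my $server   = '192.168.17.120';
my $zone     = 'indigitaldev.net';
my $key_name = 'rex';                         # the BIND key name, not a file path
my $secret   = 'REPLACE_WITH_BASE64_SECRET';  # must match named.conf byte for byte

# Build the dynamic update: add myhost.indigitaldev.net A 127.0.3.1
my $update = Net::DNS::Update->new($zone);
$update->push( update => rr_add("myhost.$zone. 3600 IN A 127.0.3.1") );

# Sign with TSIG; Net::DNS defaults to HMAC-MD5, matching "algorithm hmac-md5".
$update->sign_tsig( $key_name, $secret );

my $resolver = Net::DNS::Resolver->new( nameservers => [$server] );
my $reply = $resolver->send($update)
    or die "no reply from $server: " . $resolver->errorstring . "\n";

my $rcode = $reply->header->rcode;
if ( $rcode eq 'NOERROR' ) {
    print "update accepted\n";
}
elsif ( $rcode eq 'NOTAUTH' ) {
    # RFC 2845: a TSIG failure is reported as NOTAUTH, with the detail
    # (BADKEY: unknown key name, BADSIG: wrong secret, BADTIME: clock skew)
    # carried in the TSIG record of the reply and logged by named.
    my $tsig   = $reply->sigrr;                         # assumed accessor
    my $detail = $tsig ? $tsig->error : 'no TSIG in reply';
    die "update refused: NOTAUTH ($detail); check key_name and secret\n";
}
else {
    die "update failed: $rcode\n";
}
```

With the thread's original Rexfile (key_name set to a file path, secret with a stray leading slash), this path would report NOTAUTH with BADKEY or BADSIG, which is the distinction the client-side error alone did not show.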

Ferenc Erki

Sep 4, 2015, 2:19:53 PM
to Rex Users
Ah, cool, just missed your latest message while writing my response. I'm glad it worked out!

If you think the module's documentation can be improved, feel free to open an issue about that (or even send the suggested changes ;)

cheers,
FErki