Re: How to update zone with dnssec-policy (error with nsupdate: RRset exists)
Hi, Disabling inline-signing is a good workaround. The issue is that BIND with inline-signing maintains a signed file separately and needs to bump the SOA SERIAL. The serial queried is for the DNSSEC signed zone, but the dynamic update is done against the unsigned version of the zone. Hence the prereq yxrrset failure. There is a related issue on our gitlab about this: https://gitlab.isc.org/isc-projects/bind9/-/issues/4352 Best regards, Matthijs On 10/24/23 08:13, Matthias Fechner wrote: Am 08.07.2023 um 08:48 schrieb Matthias Fechner: If I try now to update some records remotely on the server I see in the log of the server: ==> /var/named/var/log/named.log <== 08-Jul-2023 07:40:22.962 update-security: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: signer "idefix.fechner.net-beta.fechner.net" approved 08-Jul-2023 07:40:22.962 update: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: updating zone 'fechner.net/IN': update unsuccessful: fechner.net/SOA: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET) What I did is at first execute nsdiff to control if the changes are making sense with: nsdiff -k ../.key fechner.net fechner.net ``` nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net. zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed) OK nsdiff: loading zone fechner.net. from file fechner.net zone fechner.net/IN: loaded serial 2023070201 OK prereq yxrrset fechner.net. IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070228 43200 7200 1814400 86400 update add fechner.net. 300 IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070229 43200 7200 1814400 86400 update delete fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de mx:freebsd.org a:mx2.freebsd.org ~all" update add fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net mx:freebsd.org a:mx2.freebsd.org ~all" update delete gitlab.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all" update add gitlab.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all" update delete ark.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all" update add ark.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all" update delete news.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all" update add news.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all" send answer ``` So I tried to chain nsupdate to it with: nsdiff -k ../.key fechner.net fechner.net | nsupdate -k ../.key ``` nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net. zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed) OK nsdiff: loading zone fechner.net. from file fechner.net zone fechner.net/IN: loaded serial 2023070201 OK update failed: NXRRSET Answer: ;; ->>HEADER<<- opcode: UPDATE, status: NXRRSET, id: 14683 ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;fechner.net. IN SOA ;; TSIG PSEUDOSECTION: idefix.fechner.net-beta.fechner.net. 0 ANY TSIG hmac-sha256. 1688794822 300 32 re/dNrsChdUQSyzMox2O+uAQWJG7+LBWNkS19QmJ48U= 14683 NOERROR 0 ``` anyone an idea what can cause this? if anyone else has these problems, I need to disable inline-signing: inline-signing no; after this, it is working perfectly fine. Gruß Matthias -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to update zone with dnssec-policy (error with nsupdate: RRset exists)
Am 08.07.2023 um 08:48 schrieb Matthias Fechner: If I try now to update some records remotely on the server I see in the log of the server: ==> /var/named/var/log/named.log <== 08-Jul-2023 07:40:22.962 update-security: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: signer "idefix.fechner.net-beta.fechner.net" approved 08-Jul-2023 07:40:22.962 update: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: updating zone 'fechner.net/IN': update unsuccessful: fechner.net/SOA: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET) What I did is at first execute nsdiff to control if the changes are making sense with: nsdiff -k ../.key fechner.net fechner.net ``` nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net. zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed) OK nsdiff: loading zone fechner.net. from file fechner.net zone fechner.net/IN: loaded serial 2023070201 OK prereq yxrrset fechner.net. IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070228 43200 7200 1814400 86400 update add fechner.net. 300 IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070229 43200 7200 1814400 86400 update delete fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de mx:freebsd.org a:mx2.freebsd.org ~all" update add fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net mx:freebsd.org a:mx2.freebsd.org ~all" update delete gitlab.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all" update add gitlab.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all" update delete ark.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all" update add ark.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all" update delete news.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all" update add news.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all" send answer ``` So I tried to chain nsupdate to it with: nsdiff -k ../.key fechner.net fechner.net | nsupdate -k ../.key ``` nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net. zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed) OK nsdiff: loading zone fechner.net. from file fechner.net zone fechner.net/IN: loaded serial 2023070201 OK update failed: NXRRSET Answer: ;; ->>HEADER<<- opcode: UPDATE, status: NXRRSET, id: 14683 ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;fechner.net. IN SOA ;; TSIG PSEUDOSECTION: idefix.fechner.net-beta.fechner.net. 0 ANY TSIG hmac-sha256. 1688794822 300 32 re/dNrsChdUQSyzMox2O+uAQWJG7+LBWNkS19QmJ48U= 14683 NOERROR 0 ``` anyone an idea what can cause this? if anyone else has these problems, I need to disable inline-signing: inline-signing no; after this, it is working perfectly fine. Gruß Matthias -- "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to update zone with dnssec-policy (error with nsupdate: RRset exists)
Am 05.07.2023 um 13:13 schrieb Matthias Fechner: So far, nsdiff generates expected output, next step is now to apply the changes in an automated way. If I try now to update some records remotely on the server I see in the log of the server: ==> /var/named/var/log/named.log <== 08-Jul-2023 07:40:22.962 update-security: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: signer "idefix.fechner.net-beta.fechner.net" approved 08-Jul-2023 07:40:22.962 update: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: updating zone 'fechner.net/IN': update unsuccessful: fechner.net/SOA: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET) What I did is at first execute nsdiff to control if the changes are making sense with: nsdiff -k ../.key fechner.net fechner.net ``` nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net. zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed) OK nsdiff: loading zone fechner.net. from file fechner.net zone fechner.net/IN: loaded serial 2023070201 OK prereq yxrrset fechner.net. IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070228 43200 7200 1814400 86400 update add fechner.net. 300 IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070229 43200 7200 1814400 86400 update delete fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de mx:freebsd.org a:mx2.freebsd.org ~all" update add fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net mx:freebsd.org a:mx2.freebsd.org ~all" update delete gitlab.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all" update add gitlab.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all" update delete ark.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all" update add ark.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all" update delete news.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all" update add news.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all" send answer ``` So I tried to chain nsupdate to it with: nsdiff -k ../.key fechner.net fechner.net | nsupdate -k ../.key ``` nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net. zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed) OK nsdiff: loading zone fechner.net. from file fechner.net zone fechner.net/IN: loaded serial 2023070201 OK update failed: NXRRSET Answer: ;; ->>HEADER<<- opcode: UPDATE, status: NXRRSET, id: 14683 ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;fechner.net. IN SOA ;; TSIG PSEUDOSECTION: idefix.fechner.net-beta.fechner.net. 0 ANY TSIG hmac-sha256. 1688794822 300 32 re/dNrsChdUQSyzMox2O+uAQWJG7+LBWNkS19QmJ48U= 14683 NOERROR 0 ``` anyone an idea what can cause this? Gruß Matthias -- "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
