Re: How to update zone with dnssec-policy (error with nsupdate: RRset exists)
Hi,

Disabling inline-signing is a good workaround. The issue is that BIND with inline-signing maintains a signed file separately and needs to bump the SOA SERIAL. The serial queried is for the DNSSEC signed zone, but the dynamic update is done against the unsigned version of the zone. Hence the prereq yxrrset failure.

There is a related issue on our gitlab about this: https://gitlab.isc.org/isc-projects/bind9/-/issues/4352

Best regards,
Matthijs

On 10/24/23 08:13, Matthias Fechner wrote:
> On 08.07.2023 at 08:48, Matthias Fechner wrote:
>> If I try now to update some records remotely on the server I see in the log of the server:
>>
>> ==> /var/named/var/log/named.log <==
>> 08-Jul-2023 07:40:22.962 update-security: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: signer "idefix.fechner.net-beta.fechner.net" approved
>> 08-Jul-2023 07:40:22.962 update: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: updating zone 'fechner.net/IN': update unsuccessful: fechner.net/SOA: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>>
>> What I did first was to execute nsdiff to check whether the changes make sense, with:
>>
>> nsdiff -k ../.key fechner.net fechner.net
>> ```
>> nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
>> zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
>> OK
>> nsdiff: loading zone fechner.net. from file fechner.net
>> zone fechner.net/IN: loaded serial 2023070201
>> OK
>> prereq yxrrset fechner.net. IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070228 43200 7200 1814400 86400
>> update add fechner.net. 300 IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070229 43200 7200 1814400 86400
>> update delete fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de mx:freebsd.org a:mx2.freebsd.org ~all"
>> update add fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net mx:freebsd.org a:mx2.freebsd.org ~all"
>> update delete gitlab.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
>> update add gitlab.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
>> update delete ark.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
>> update add ark.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
>> update delete news.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
>> update add news.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
>> send
>> answer
>> ```
>>
>> So I tried to chain nsupdate to it with:
>>
>> nsdiff -k ../.key fechner.net fechner.net | nsupdate -k ../.key
>> ```
>> nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
>> zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
>> OK
>> nsdiff: loading zone fechner.net. from file fechner.net
>> zone fechner.net/IN: loaded serial 2023070201
>> OK
>> update failed: NXRRSET
>> Answer:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NXRRSET, id: 14683
>> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;fechner.net. IN SOA
>>
>> ;; TSIG PSEUDOSECTION:
>> idefix.fechner.net-beta.fechner.net. 0 ANY TSIG hmac-sha256. 1688794822 300 32 re/dNrsChdUQSyzMox2O+uAQWJG7+LBWNkS19QmJ48U= 14683 NOERROR 0
>> ```
>>
>> Does anyone have an idea what can cause this?
>
> If anyone else has these problems: I needed to disable inline-signing:
>
> inline-signing no;
>
> After this, it is working perfectly fine.
>
> Regards
> Matthias

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
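To make the mismatch Matthijs describes concrete, here is an added example (not from the thread and not BIND's own code) that models RFC 2136 prerequisite evaluation offline: the same nsdiff-style script is run against a constructed unsigned zone, whose serial comes from the zone file, and against the signed view, whose serial inline signing has bumped. Only the signed view satisfies the value-dependent yxrrset on the SOA; the serials, zone contents and script are constructed to mirror the thread, and run_update and _split_rr are hypothetical helpers.

```python
"""Offline model of RFC 2136 prerequisite checking: nsdiff asserts the SOA it saw
via AXFR (signed view), but named evaluates the update against the unsigned zone."""
import shlex

CLASSES = {"IN", "CH", "HS", "ANY"}
_SOA = "ns.fechner.net. hostmaster.fechner.net. {serial} 43200 7200 1814400 86400"

# Constructed sample zones: the unsigned zone keeps the serial from the zone file,
# while the inline-signed view served over AXFR has had its serial bumped.
UNSIGNED_ZONE = {("fechner.net.", "SOA"): {_SOA.format(serial=2023070201)},
                 ("fechner.net.", "TXT"): {"v=spf1 a mx -all"}}
SIGNED_ZONE = {("fechner.net.", "SOA"): {_SOA.format(serial=2023070228)},
               ("fechner.net.", "TXT"): {"v=spf1 a mx -all"}}

# Constructed nsupdate script in the shape nsdiff emits (abridged from the thread).
NSDIFF_SCRIPT = f"""\
prereq yxrrset fechner.net. IN SOA {_SOA.format(serial=2023070228)}
update add fechner.net. 300 IN SOA {_SOA.format(serial=2023070229)}
update delete fechner.net. IN TXT "v=spf1 a mx -all"
update add fechner.net. 300 IN TXT "v=spf1 a mx a:beta.fechner.net -all"
send
"""


def _split_rr(tokens):
    """name [ttl] [class] type [rdata...] -> (name, type, rdata-or-None)."""
    name, rest = tokens[0].lower(), tokens[1:]
    if rest and rest[0].isdigit():             # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() in CLASSES:    # optional class
        rest = rest[1:]
    return name, rest[0].upper(), " ".join(rest[1:]) or None


def run_update(zone, script):
    """Check all prerequisites, then apply the updates on a copy of the zone.
    Returns (rcode, zone); the zone is untouched when a prerequisite fails."""
    zone = {k: set(v) for k, v in zone.items()}
    prereqs, updates = [], []
    for line in script.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "prereq":
            prereqs.append(tokens[1:])
        elif tokens and tokens[0] == "update":
            updates.append(tokens[1:])
    # A value-dependent yxrrset compares the whole RRset, so gather its rdata
    # per (name, type) first; the other forms are plain existence checks.
    wanted = {}
    for op, *rr in prereqs:
        name, rtype, rdata = _split_rr(rr)
        exists = bool(zone.get((name, rtype)))
        if op == "yxrrset" and rdata is not None:
            wanted.setdefault((name, rtype), set()).add(rdata)
        elif op == "yxrrset" and not exists:
            return "NXRRSET", zone
        elif op == "nxrrset" and exists:
            return "YXRRSET", zone
    for key, rdatas in wanted.items():
        if zone.get(key, set()) != rdatas:
            return "NXRRSET", zone   # 'RRset exists (value dependent)' not satisfied
    for op, *rr in updates:
        name, rtype, rdata = _split_rr(rr)
        if op == "add" and rtype == "SOA":       # SOA is a singleton: replace it
            zone[(name, rtype)] = {rdata}
        elif op == "add":
            zone.setdefault((name, rtype), set()).add(rdata)
        elif op == "delete" and rdata is None:   # no rdata: drop the whole RRset
            zone.pop((name, rtype), None)
        elif op == "delete":
            zone.get((name, rtype), set()).discard(rdata)
    return "NOERROR", zone
```

Running the script against UNSIGNED_ZONE returns NXRRSET and leaves the zone as it was, which is exactly the 'RRset exists (value dependent)' failure in the named log; against SIGNED_ZONE it succeeds and bumps the serial to 2023070229.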
Re: How to update zone with dnssec-policy (error with nsupdate: RRset exists)
On 08.07.2023 at 08:48, Matthias Fechner wrote:
> If I try now to update some records remotely on the server I see in the log of the server:
>
> ==> /var/named/var/log/named.log <==
> 08-Jul-2023 07:40:22.962 update-security: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: signer "idefix.fechner.net-beta.fechner.net" approved
> 08-Jul-2023 07:40:22.962 update: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: updating zone 'fechner.net/IN': update unsuccessful: fechner.net/SOA: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>
> What I did first was to execute nsdiff to check whether the changes make sense, with:
>
> nsdiff -k ../.key fechner.net fechner.net
> ```
> nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
> zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
> OK
> nsdiff: loading zone fechner.net. from file fechner.net
> zone fechner.net/IN: loaded serial 2023070201
> OK
> prereq yxrrset fechner.net. IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070228 43200 7200 1814400 86400
> update add fechner.net. 300 IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070229 43200 7200 1814400 86400
> update delete fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de mx:freebsd.org a:mx2.freebsd.org ~all"
> update add fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net mx:freebsd.org a:mx2.freebsd.org ~all"
> update delete gitlab.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
> update add gitlab.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
> update delete ark.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
> update add ark.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
> update delete news.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
> update add news.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
> send
> answer
> ```
>
> So I tried to chain nsupdate to it with:
>
> nsdiff -k ../.key fechner.net fechner.net | nsupdate -k ../.key
> ```
> nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
> zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
> OK
> nsdiff: loading zone fechner.net. from file fechner.net
> zone fechner.net/IN: loaded serial 2023070201
> OK
> update failed: NXRRSET
> Answer:
> ;; ->>HEADER<<- opcode: UPDATE, status: NXRRSET, id: 14683
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;fechner.net. IN SOA
>
> ;; TSIG PSEUDOSECTION:
> idefix.fechner.net-beta.fechner.net. 0 ANY TSIG hmac-sha256. 1688794822 300 32 re/dNrsChdUQSyzMox2O+uAQWJG7+LBWNkS19QmJ48U= 14683 NOERROR 0
> ```
>
> Does anyone have an idea what can cause this?

If anyone else has these problems: I needed to disable inline-signing:

inline-signing no;

After this, it is working perfectly fine.

Regards
Matthias

-- 
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
Re: How to update zone with dnssec-policy (error with nsupdate: RRset exists)
On 05.07.2023 at 13:13, Matthias Fechner wrote:
> So far, nsdiff generates the expected output; the next step is now to apply the changes in an automated way.

If I try now to update some records remotely on the server I see in the log of the server:

==> /var/named/var/log/named.log <==
08-Jul-2023 07:40:22.962 update-security: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: signer "idefix.fechner.net-beta.fechner.net" approved
08-Jul-2023 07:40:22.962 update: info: client @0x848ac0760 93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: updating zone 'fechner.net/IN': update unsuccessful: fechner.net/SOA: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

What I did first was to execute nsdiff to check whether the changes make sense, with:

nsdiff -k ../.key fechner.net fechner.net
```
nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
OK
nsdiff: loading zone fechner.net. from file fechner.net
zone fechner.net/IN: loaded serial 2023070201
OK
prereq yxrrset fechner.net. IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070228 43200 7200 1814400 86400
update add fechner.net. 300 IN SOA ns.fechner.net. hostmaster.fechner.net. 2023070229 43200 7200 1814400 86400
update delete fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de mx:freebsd.org a:mx2.freebsd.org ~all"
update add fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net mx:freebsd.org a:mx2.freebsd.org ~all"
update delete gitlab.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
update add gitlab.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
update delete ark.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
update add ark.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
update delete news.fechner.net. IN TXT "v=spf1 a mx a:anny.lostinspace.de -all"
update add news.fechner.net. 300 IN TXT "v=spf1 a mx a:anny.lostinspace.de a:beta.fechner.net -all"
send
answer
```

So I tried to chain nsupdate to it with:

nsdiff -k ../.key fechner.net fechner.net | nsupdate -k ../.key
```
nsdiff: loading zone fechner.net. via AXFR from ns.fechner.net.
zone fechner.net/IN: loaded serial 2023070228 (DNSSEC signed)
OK
nsdiff: loading zone fechner.net. from file fechner.net
zone fechner.net/IN: loaded serial 2023070201
OK
update failed: NXRRSET
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NXRRSET, id: 14683
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;fechner.net. IN SOA

;; TSIG PSEUDOSECTION:
idefix.fechner.net-beta.fechner.net. 0 ANY TSIG hmac-sha256. 1688794822 300 32 re/dNrsChdUQSyzMox2O+uAQWJG7+LBWNkS19QmJ48U= 14683 NOERROR 0
```

Does anyone have an idea what can cause this?

Regards
Matthias
Re: How to update zone with dnssec-policy
Hi Nick,

On 04.07.2023 at 08:17, Nick Tait via bind-users wrote:
> It looks like nobody solved your /original/ problem? If you are still looking for an answer it might help if you posted some logs? The people on this list are good at interpreting any errors you're seeing. :-)

Thanks a lot for your answer. Yes, I did not get an answer to my question, but if I use another process to work around the problem, that is also fine. And using nsdiff is maybe even a better process, as it brings many advantages in itself.

In some days, when the process is clear and everything is running and tested, I will know more ;)

Regards
Matthias
Re: How to update zone with dnssec-policy
On 04.07.2023 at 10:16, Matthew Seaman wrote:
> By default, the primary server will end up with a `fechner.net` zone data file in text format which contains pretty much the same RRs as your master copy in git, but reformatted into a standard style, sorted into order and with comments stripped[*]. Plus added DNSKEY, CDS, CDNSKEY, RRSIG records from dnssec signing.
>
> There will be a .jnl file for each zone with the latest updates to the zone -- in principle you can use rndc(8) to flush changes from the journal into the main zone file, but this isn't necessary if you're using nsupdate based methods exclusively to maintain the zone data.
>
> [*] Unless you have configured `masterfile-format raw`, in which case your zone files will be in binary format.

I have now started to set up everything. To give it a try, I created a key and configured the zone to allow updates.

I documented that already for myself; maybe it is also helpful for someone else:
https://wiki.idefix.fechner.net/freebsd/bind/#manage-your-zones-with-git-and-nsdiff--nsupdate-wip

As the link may change, here is a more generic one:
https://wiki.idefix.fechner.net/freebsd/bind

So far, nsdiff generates the expected output; the next step is now to apply the changes in an automated way.

Regards
Matthias
Re: How to update zone with dnssec-policy
On 03/07/2023 19:36, Matthias Fechner wrote:
> What I understood from the documentation:
>
> -s server[#port]
>
> I can maintain e.g. my zones from my local computer at home inside a git repository and use nsdiff and nspatch to push the changes to the server on the internet?

Correct.

> Does the server then have the source file (fechner.net), or does the server only work with raw and the .jnl file?

By default, the primary server will end up with a `fechner.net` zone data file in text format which contains pretty much the same RRs as your master copy in git, but reformatted into a standard style, sorted into order and with comments stripped[*]. Plus added DNSKEY, CDS, CDNSKEY, RRSIG records from dnssec signing.

There will be a .jnl file for each zone with the latest updates to the zone -- in principle you can use rndc(8) to flush changes from the journal into the main zone file, but this isn't necessary if you're using nsupdate based methods exclusively to maintain the zone data.

[*] Unless you have configured `masterfile-format raw`, in which case your zone files will be in binary format.

> If I add a new zone, do I only need to configure it as master, define access to it and then upload the zone data via nspatch?

That should work, I think. Can't say for sure as I don't tend to add new zones much. You might need to start with a minimal zone file containing just SOA and NS records.

> If that would all be possible, that technique can maybe also be used to change letsencrypt verification to dns, using the nsupdate command to get the required information into the zone file.

Yes, I can confirm this works brilliantly with the dns-rfc2136 plugin.

> That would definitely open a lot of new possibilities to put more automation into the full setup. ;)

I've found it works very well to exempt TLSA and SSHFP records from nsdiff management (ie. nsdiff -i 'TLSA|SSHFP' ...) and then use Ansible to generate the appropriate resource records from corresponding keys on each host and add them into the zone data using the community.general.nsupdate module.

Cheers,
Matthew

-- 
Dr Matthew J Seaman
1 Newland St, Eynsham, Witney, OXON, 0X29 4LB
RE: How to update zone with dnssec-policy
Hi Matthias.

It looks like nobody solved your /original/ problem? If you are still looking for an answer it might help if you posted some logs? The people on this list are good at interpreting any errors you're seeing. :-)

Nick.

-------- Original message --------
From: Matthias Fechner
Date: 2/07/23 11:29 PM (GMT+12:00)
To: bind-users@lists.isc.org
Subject: How to update zone with dnssec-policy

Dear all,

I have the following problem: changes in a zone file do not get active, no matter if I reload the zone using rndc or restart bind 9.16.42 on FreeBSD.

If I update a zone, I edit the zone file, adapt the serial in the SOA and normally do a rndc reload fechner.net.

The nameserver is more or less set up like it is described here:
https://wiki.idefix.fechner.net/freebsd/bind/

The zone file for domain fechner.net is in directory: /usr/local/etc/namedb/master/fechner.net

It is not a dynamic zone file, or better, I cannot freeze it:
rndc freeze fechner.net
rndc: 'freeze' failed: not dynamic

But if I delete the files:
fechner.net.jbk
fechner.net.signed.jnl
and restart bind, zone changes are correctly loaded and I can see an increased serial in:
dig -t soa fechner.net.

It would be nice if someone could explain to me how I need to edit a zone file that has a dnssec-policy attached so that modifications get active, without the need to delete the `*.[jbk|jnl]` files.

Thanks a lot.

Regards
Matthias
Re: How to update zone with dnssec-policy
On 02.07.2023 at 16:41, Matthew Seaman wrote:
> Personally, I maintain zone files with DNSSEC signing on FreeBSD using the dns/p5-DNS-nsdiff port, which is a perl module written by Tony Finch -- someone well known on this list.
>
> You can keep your zone files in git or whatever code repository suits you. nsdiff will compare what's live in your DNS zone against what's in your updated zone file and generate a script for nsupdate(1) to make the former match the latter.
>
> You'll need to configure appropriate levels of access for nsupdate(1). That can be from pretty much any machine given you set up zone policies and distribute keys appropriately. Although if you run nsdiff directly on your primary DNS machine, you should be able to use the built-in /var/run/named/session.key with a per-zone policy like:
>
> ```
> update-policy {
>     grant local-ddns zonesub any;
> };
> ```
>
> See the '-l' flag to nsupdate(1)

Thanks, that is very interesting information.

What I understood from the documentation:

-s server[#port]

I can maintain e.g. my zones from my local computer at home inside a git repository and use nsdiff and nspatch to push the changes to the server on the internet?

Does the server then have the source file (fechner.net), or does the server only work with raw and the .jnl file?

If I add a new zone, do I only need to configure it as master, define access to it and then upload the zone data via nspatch?

If that would all be possible, that technique can maybe also be used to change letsencrypt verification to dns, using the nsupdate command to get the required information into the zone file.

That would definitely open a lot of new possibilities to put more automation into the full setup. ;)

Regards
Matthias
Re: How to update zone with dnssec-policy
On 02/07/2023 12:27, Matthias Fechner wrote:
> I have the following problem: changes in a zone file do not get active, no matter if I reload the zone using rndc or restart bind 9.16.42 on FreeBSD.
>
> If I update a zone, I edit the zone file, adapt the serial in the SOA and normally do a rndc reload fechner.net.
>
> The nameserver is more or less set up like it is described here:
> https://wiki.idefix.fechner.net/freebsd/bind/
>
> The zone file for domain fechner.net is in directory: /usr/local/etc/namedb/master/fechner.net
>
> It is not a dynamic zone file, or better, I cannot freeze it:
> rndc freeze fechner.net
> rndc: 'freeze' failed: not dynamic
>
> But if I delete the files:
> fechner.net.jbk
> fechner.net.signed.jnl
> and restart bind, zone changes are correctly loaded and I can see an increased serial in:
> dig -t soa fechner.net.
>
> It would be nice if someone could explain to me how I need to edit a zone file that has a dnssec-policy attached so that modifications get active, without the need to delete the `*.[jbk|jnl]` files.

Personally, I maintain zone files with DNSSEC signing on FreeBSD using the dns/p5-DNS-nsdiff port, which is a perl module written by Tony Finch -- someone well known on this list.

You can keep your zone files in git or whatever code repository suits you. nsdiff will compare what's live in your DNS zone against what's in your updated zone file and generate a script for nsupdate(1) to make the former match the latter.

You'll need to configure appropriate levels of access for nsupdate(1). That can be from pretty much any machine given you set up zone policies and distribute keys appropriately. Although if you run nsdiff directly on your primary DNS machine, you should be able to use the built-in /var/run/named/session.key with a per-zone policy like:

```
update-policy {
    grant local-ddns zonesub any;
};
```

See the '-l' flag to nsupdate(1)

Cheers,
Matthew

-- 
Dr Matthew J Seaman