I'm testing my ddns update config (for ISC DHCP hosted on same server) with nsupdate, and while the forward zone updates correctly:
# nsupdate
> server 127.0.0.1
> key dhcpupdate MYSECRETKEY
> update add test.example.com. 600 IN A 10.2.2.45
> send
# tail -n1 /var/log/named.conf
client 127.0.0.1#12584: view internal: updating zone 'example.com/IN': adding an RR at 'test.example.com' A
the reverse zone does not:
# nsupdate
> server 127.0.0.1
> key dhcpupdate MYSECRETKEY
> update add 45.2.2.10.in-addr.arpa. 600 IN PTR test.example.com.
> send
response to SOA query was unsuccessful
nsupdate then spits me back to the shell, and there are no errors (or messages of any kind) in the logs. I've tried the reverse zone update with and without trailing periods.
I have the feeling I'm missing something basic, but I can't figure out what it is.
Thanks for any pointers. Here are my config files, and other info:
# cat /etc/named.conf
acl internals {
127.0.0.0/8;
10.2.2.0/24;
};
logging {
channel named.log {
file "/var/log/named/named.log";
severity dynamic;
};
category default {
named.log;
};
};
options {
listen-on port 53 { any; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
key dhcpupdate {
algorithm hmac-md5;
secret "MYSECRETKEY";
};
include "/etc/named.root.key";
view "internal" {
match-clients { internals; };
recursion yes;
zone "localhost" IN {
type master;
file "/var/named/db.localhost";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "/var/named/db.0.0.127.in-addr.arpa";
allow-update { none; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" {
type master;
file "/var/named/db.example.com";
allow-update { key dhcpupdate; };
};
zone "2.2.10.in-addr.arpa" IN {
type master;
file "/var/named/db.2.2.10.in-addr.arpa";
allow-update { key dhcpupdate; };
};
};
view "external" {
match-clients { any; };
recursion no;
forwarders { 1.2.3.4; 1.2.3.5; }; // ISP DNS servers
forward first;
};
# cat /var/named/db.example.com
$ORIGIN .
$TTL 600 ; 10 minutes
example.com IN SOA ns1.example.com. root.example.com. (
5 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS ns1.example.com.
A 10.2.2.44
$TTL 3600 ; 1 hour
MX 1 ASPMX.L.GOOGLE.COM.
MX 5 ALT1.ASPMX.L.GOOGLE.COM.
MX 5 ALT2.ASPMX.L.GOOGLE.COM.
MX 10 ASPMX2.GOOGLEMAIL.COM.
MX 10 ASPMX3.GOOGLEMAIL.COM.
$ORIGIN example.com.
$TTL 600 ; 10 minutes
myserver A 10.2.2.5
ns1 A 10.2.2.5
test A 10.2.2.45
www A 123.12.34.32 // externally hosted www server
# cat /var/named/db.2.2.10.in-addr.arpa
;
; BIND data file for example.com
;
$TTL 10m
@ IN SOA ns1.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
2.2.10.in-addr.arpa. IN NS ns1.example.com.
5 IN PTR myserver.example.com.
EDIT:
Using debug command in nsupdate gives the following:
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28411
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;96.2.2.10.in-addr.arpa. IN SOA
;; TSIG PSEUDOSECTION:
dhcpupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1367446210 300 16 XXXXXXXXX 28411 NOERROR 0
response to SOA query was unsuccessful
EDIT2:
When specifying zone, I get the following:
> debug
> server 127.0.0.1
> zone 2.2.10.in-addr.arpa
> key dhcpupdate XXXXXXXXXXX
> update add 96.2.2.10.in-addr.arpa. 600 IN PTR scott-lap.example.com.
> send
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 11170
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;2.2.10.in-addr.arpa. IN SOA
;; UPDATE SECTION:
96.2.2.10.in-addr.arpa. 600 IN PTR scott-lap.example.com.
;; TSIG PSEUDOSECTION:
dhcpupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1367447008 300 16 XXXXXXXXXXXXXX 11170 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 11170
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;2.2.10.in-addr.arpa. IN SOA
;; TSIG PSEUDOSECTION:
dhcpupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1367447008 300 16 XXXXXXXXXXXXXXXXX 11170 NOERROR 0
EDIT3:
Huh. I'm trying to use host to see if it resolves my DNS server's ip address (which is listed in the reverse zone file above), and this is what I get. No log entries again.
# host -v 10.2.2.5
Trying "10.2.2.10.in-addr.arpa"
Host 10.2.2.10.in-addr.arpa not found: 2(SERVFAIL)
Received 40 bytes from 10.2.2.5#53 in 0 ms
Best Answer
I have a hunch that this might be the absence of an explicit
zonestatement in your update.nsupdatehas to guess what zone the update applies to when you omit that ("based on the rest of the input" according to the manpage), and I see lots of room for that assumption to be wrong given how many quads deep this zone is.Failing that, give
-va spin to see if you have better luck with TCP.