Bind
使用 terraform 動態更新綁定時遇到問題 - 身份驗證失敗
我正在嘗試使用 terraform 更新通過綁定託管的域,並在 中獲取 tsig 驗證失敗
/var/log/named/security.log
,但是當我使用nsupdate
.我正在使用 生成一個密鑰
tsig-keygen -a HMAC-MD5 ns01.ops.example.com > /etc/bind/rndc.key
,我的named.conf
包括:# Allow rndc management controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.example.com"; }; };
我解析出關鍵數據
rndc.key
,並創建一個dnskey.tf
文件# Configure the DNS Provider provider "dns" { update { server = "127.0.0.1" key_algorithm = "hmac-md5" key_name = "ns01.ops.clh-int.com." key_secret = "bI40GY5fMZxvz7/NlGwA4w==" } } resource "dns_a_record_set" "cthulhu" { zone = "ops.example.com." name = "cthulhu" addresses = [ "192.168.1.1" ] ttl = 180 }
與內容相匹配的
/etc/bind/rndc.key
key "ns01.ops.example.com" { algorithm hmac-sha256; secret "bI40GY5fMZxvz7/NlGwA4w=="; };
當我執行時
terraform apply
,我收到以下錯誤消息:Error: Error applying plan: 1 error(s) occurred: * dns_a_record_set.cthulhu: 1 error(s) occurred: * dns_a_record_set.cthulhu: Error updating DNS record: dns: bad authentication 2019/04/25 23:59:29 [DEBUG] plugin: waiting for all plugin processes to complete... 2019-04-25T23:59:29.319Z [DEBUG] plugin.terraform-provider-dns_v2.1.0_x4: 2019/04/25 23:59:29 [ERR] plugin: plugin server: accept unix /tmp/plugin235354968: use of closed network connection Terraform does not automatically rollback in the face of errors. Instead, your Terraform state file has been partially updated with any resources that successfully completed. Please address the error above and apply again to incrementally change your infrastructure.
中看到的錯誤
/var/log/named/security.log
是25-Apr-2019 23:59:29.308 security: error: client @0x55fa8d04d560 127.0.0.1#37299: request has invalid signature: TSIG ns01.ops.example.com: tsig verify failure (BADKEY)
使用
nsupdate -k /etc/bind/rndc.key -v commandfile
作品,其中commmandfile
的內容如下:server $SERVER_ADDRESS debug yes zone ops.example.com update delete blah.example.com update add blah.example.com 300 A 10.9.8.7 send
對於它的價值,我正在執行
terraform
的同一個 docker 容器中bind
執行。為了完整起見,這裡是經過消毒的副本
/etc/bind/named.conf
include "/etc/bind/rndc.key"; # Allow rndc management controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.clh-int.com"; }; }; acl "clients" { 127.0.0.0/8; }; ######################## ## options ######################## options { directory "/var/bind"; dump-file "/var/bind/cache_dump.db"; statistics-file "/var/bind/bind_statistics.txt"; memstatistics-file "/var/bind/bind_mem_statistics.txt"; version "private"; lame-ttl 180; max-ncache-ttl 1800; # max time to cache negative NXDOMAIN answers listen-on port 53 { any; }; listen-on-v6 { none; }; allow-transfer { none; }; pid-file "/var/run/named/named.pid"; recursion yes; forwarders { 8.8.8.8; 8.8.4.4; }; }; ######################## ## zones ######################## zone "ops.example.com" IN { type master; file "/etc/bind/ops.example.com.zone"; allow-transfer { 127.0.0.1; }; allow-update { key "ns01.ops.clh-int.com"; 127.0.0.0/8; }; notify yes; }; ######################## ## logging ######################## logging { channel general { file "/var/log/named/general.log" versions 5 size 25m; print-time yes; print-category yes; print-severity yes; }; channel queries { file "/var/log/named/queries.log" versions 5 size 10m; print-time yes; print-category yes; print-severity yes; }; channel security { file "/var/log/named/security.log" versions 5; print-time yes; print-category yes; print-severity yes; }; category default { general; }; category general { general; }; category config { general; }; category network { general; }; category queries { queries; }; category security { security; }; };
我顯然在這裡遺漏了一些簡單的東西,但看不到它是什麼。
乍一看,有不同的簽名類型。綁定密鑰列表
hmac-sha256
、地形列表hmac-md5
。該錯誤套件適用於該錯誤配置。