Bind

Problem dynamically updating BIND with Terraform - authentication failure

  • April 26, 2019

I'm trying to use terraform to update a domain hosted on bind and am getting tsig verify failures in /var/log/named/security.log, whereas it works when I use nsupdate.

I generate a key with tsig-keygen -a HMAC-MD5 ns01.ops.example.com > /etc/bind/rndc.key, and my named.conf includes:

# Allow rndc management
controls {
 inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.example.com"; };
};

I parse the key data out of rndc.key and create a dnskey.tf file:

# Configure the DNS Provider
provider "dns" {
 update {
   server        = "127.0.0.1"
   key_algorithm = "hmac-md5"
   key_name      = "ns01.ops.clh-int.com."
   key_secret    = "bI40GY5fMZxvz7/NlGwA4w=="
 }
}

resource "dns_a_record_set" "cthulhu" {
 zone = "ops.example.com."
 name = "cthulhu"
 addresses = [ "192.168.1.1" ]
 ttl = 180
}

which matches the contents of /etc/bind/rndc.key:

key "ns01.ops.example.com" {
   algorithm hmac-sha256;
   secret "bI40GY5fMZxvz7/NlGwA4w==";
};

When I run terraform apply, I get the following error message:

Error: Error applying plan:

1 error(s) occurred:

* dns_a_record_set.cthulhu: 1 error(s) occurred:

* dns_a_record_set.cthulhu: Error updating DNS record: dns: bad authentication

2019/04/25 23:59:29 [DEBUG] plugin: waiting for all plugin processes to complete...
2019-04-25T23:59:29.319Z [DEBUG] plugin.terraform-provider-dns_v2.1.0_x4: 2019/04/25 23:59:29 [ERR] plugin: plugin server: accept unix /tmp/plugin235354968: use of closed network connection
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

The error seen in /var/log/named/security.log:

25-Apr-2019 23:59:29.308 security: error: client @0x55fa8d04d560 127.0.0.1#37299: request has invalid signature: TSIG ns01.ops.example.com: tsig verify failure (BADKEY)

Using nsupdate -k /etc/bind/rndc.key -v commandfile works, where the contents of commandfile are as follows:

server $SERVER_ADDRESS
debug yes
zone ops.example.com
update delete blah.example.com
update add blah.example.com 300 A 10.9.8.7
send

For what it's worth, I'm running terraform inside the same docker container that bind runs in.

For completeness, here is a sanitized copy of /etc/bind/named.conf:

include "/etc/bind/rndc.key";

# Allow rndc management
controls {
 inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.clh-int.com"; };
};

acl "clients" {
 127.0.0.0/8;
};

########################
## options
########################

options {

   directory "/var/bind";

   dump-file "/var/bind/cache_dump.db";
   statistics-file "/var/bind/bind_statistics.txt";
   memstatistics-file "/var/bind/bind_mem_statistics.txt";

   version "private";

   lame-ttl 180;
   max-ncache-ttl 1800; # max time to cache negative NXDOMAIN answers

   listen-on port 53 { any; };
   listen-on-v6 { none; };

   allow-transfer { none; };

   pid-file "/var/run/named/named.pid";

   recursion yes;

   forwarders {
     8.8.8.8;
     8.8.4.4;
   };

};

########################
## zones
########################

zone "ops.example.com" IN {
   type master;
   file "/etc/bind/ops.example.com.zone";
   allow-transfer { 127.0.0.1; };

   allow-update {
     key "ns01.ops.clh-int.com";
     127.0.0.0/8;
   };

   notify yes;
};


########################
## logging
########################

logging {
   channel general {
       file "/var/log/named/general.log" versions 5 size 25m;
       print-time yes;
       print-category yes;
       print-severity yes;
   };

   channel queries {
       file "/var/log/named/queries.log" versions 5 size 10m;
       print-time yes;
       print-category yes;
       print-severity yes;
   };

   channel security {
       file "/var/log/named/security.log" versions 5;
       print-time yes;
       print-category yes;
       print-severity yes;
   };

   category default { general; };
   category general { general; };
   category config { general; };
   category network { general; };
   category queries { queries; };
   category security { security; };
};

I'm obviously missing something simple here, but can't see what it is.

At first glance, there are different signature types. The bind key lists hmac-sha256, terraform lists hmac-md5. That error fits that misconfiguration.
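The mismatch the answer points at is easy to miss by eye, because the key name and secret line up and only the algorithm differs. The following script is an added example, not code from the question, the answer, or the Terraform dns provider: it parses a BIND `key` stanza and the provider's `update` block (stdlib only, no dnspython) and reports any disagreement in name, algorithm or secret, normalising the things that legitimately differ (trailing dot and case in the key name, `HMAC-MD5` spelling variants). The two inputs are constructed copies of the files shown in the post; the function and variable names are my own.

```python
"""Check that a Terraform dns-provider 'update' block and a BIND TSIG key
file agree on key name, algorithm and secret. Stdlib only."""
import base64
import re

# Constructed sample inputs, modelled on the files posted in the question.
RNDC_KEY = '''key "ns01.ops.example.com" {
    algorithm hmac-sha256;
    secret "bI40GY5fMZxvz7/NlGwA4w==";
};
'''

DNSKEY_TF = '''provider "dns" {
  update {
    server        = "127.0.0.1"
    key_algorithm = "hmac-md5"
    key_name      = "ns01.ops.example.com."
    key_secret    = "bI40GY5fMZxvz7/NlGwA4w=="
  }
}
'''


def parse_bind_key(text):
    """Extract name/algorithm/secret from a BIND `key "name" { ... };` stanza."""
    m = re.search(r'key\s+"([^"]+)"\s*\{([^}]*)\}', text, re.S)
    if not m:
        raise ValueError("no key stanza found")
    body = m.group(2)
    alg = re.search(r'algorithm\s+([\w.-]+)\s*;', body)
    sec = re.search(r'secret\s+"([^"]+)"\s*;', body)
    if not (alg and sec):
        raise ValueError("key stanza missing algorithm or secret")
    return {"name": m.group(1), "algorithm": alg.group(1), "secret": sec.group(1)}


def parse_tf_update(text):
    """Extract key_name/key_algorithm/key_secret from the provider's update block."""
    m = re.search(r'update\s*\{([^}]*)\}', text, re.S)
    if not m:
        raise ValueError("no update block found")
    fields = dict(re.findall(r'(key_\w+)\s*=\s*"([^"]*)"', m.group(1)))
    try:
        return {"name": fields["key_name"],
                "algorithm": fields["key_algorithm"],
                "secret": fields["key_secret"]}
    except KeyError as e:
        raise ValueError(f"update block missing {e.args[0]}") from None


def norm_name(name):
    # TSIG key names are DNS names: case-insensitive, trailing dot optional.
    return name.lower().rstrip(".")


def norm_alg(alg):
    # "HMAC-MD5", "hmac-md5" and "hmac-md5.sig-alg.reg.int" name the same algorithm.
    a = alg.lower()
    return "hmac-md5" if a.startswith("hmac-md5") else a


def compare_tsig(bind_key, tf_key):
    """Return human-readable mismatches; an empty list means the two agree."""
    problems = []
    if norm_name(bind_key["name"]) != norm_name(tf_key["name"]):
        problems.append(f"key name: BIND {bind_key['name']!r} vs Terraform {tf_key['name']!r}")
    if norm_alg(bind_key["algorithm"]) != norm_alg(tf_key["algorithm"]):
        problems.append(f"algorithm: BIND {bind_key['algorithm']!r} vs Terraform {tf_key['algorithm']!r}")
    if bind_key["secret"] != tf_key["secret"]:
        problems.append("secret differs")
    return problems


def secret_bits(secret):
    """Length of the decoded shared secret in bits (invalid base64 raises)."""
    return len(base64.b64decode(secret, validate=True)) * 8


if __name__ == "__main__":
    b, t = parse_bind_key(RNDC_KEY), parse_tf_update(DNSKEY_TF)
    for p in compare_tsig(b, t) or ["no mismatch found"]:
        print(p)
    # A 128-bit secret is what the post's `tsig-keygen -a HMAC-MD5` run produced.
    print(f"shared secret is {secret_bits(b['secret'])} bits")
```

Run against the posted files it reports exactly one problem, the algorithm mismatch, and shows the secret is 128 bits, which is consistent with the key having been generated with `-a HMAC-MD5` even though the key file now declares `hmac-sha256`. Whichever side you correct, the check passes only once both files name the same algorithm; note that BIND also still needs to be told to accept the key for the zone (the `allow-update { key ...; }` clause), which this script does not inspect.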

Source: https://serverfault.com/questions/964661