Domain-Name-System

BIND:「nsupdate -l」失敗,狀態為「update failed: REFUSED」

  • April 26, 2021

我剛剛在 bind 9.9.5 上,把一個含有 DNSSEC 記錄的區域改為透過 nsupdate 進行半自動管理的動態 DNS。整個過程很順利,區域檔案也正確更新了,但現在我無法再透過該工具更新或新增記錄。

/etc/bind/named.conf.local:

// 1
view "localhost_view" {
   // Answers queries received on 127.0.0.1 from loopback clients only.
   // BIND evaluates views in order and the first match-clients hit wins,
   // so a request whose source address is in 127.0.0.0/8 is handled here
   // and never reaches global_view.
   
   allow-query-on { 127.0.0.1; };
   allow-query { localhost_acl; };
   match-clients { localhost_acl; };

   // Loopback copy of the forward zone. It has no allow-update or
   // update-policy, so BIND's default (no dynamic updates) applies and an
   // UPDATE for somehost.tld that arrives via 127.0.0.1 is answered
   // REFUSED -- which is exactly what the `nsupdate -l` trace below shows.
   zone "somehost.tld" {
           type master;
           file "/etc/bind/db.somehost.tld_10";
   };

   // Reverse zone for 192.168/16 as seen from loopback; `notify no`
   // suppresses NOTIFY messages to the NS hosts listed in the zone.
   zone "168.192.in-addr.arpa" {
           type master;
           notify no;
           file "/etc/bind/db.192.168.10";
   };

   // formerly named.conf.default-zones
   // Root hints plus the standard localhost/broadcast reverse zones. There
   // is no `recursion no` in this view, so unless options disables it,
   // BIND's default is to recurse for loopback clients.

       zone "." {
               type hint;
               file "/etc/bind/db.root";
       };

       zone "localhost" {
               type master;
               file "/etc/bind/db.local";
       };

       zone "127.in-addr.arpa" {
               type master;
               file "/etc/bind/db.127";
       };

       zone "0.in-addr.arpa" {
               type master;
               file "/etc/bind/db.0";
       };

       zone "255.in-addr.arpa" {
               type master;
               file "/etc/bind/db.255";
       };

   // formerly zones.rfc1918
   // Empty zones so reverse lookups for RFC 1918 space are answered
   // locally (NXDOMAIN) instead of leaking to the Internet.
   // 168.192.in-addr.arpa is deliberately absent: it is served above.

       zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
       zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

};

// 2
view "internal_10_view" {
   // Serves the 192.168.10.0/24 LAN (internal_10_acl) on the 192.168.10.1
   // interface. Same zone set and same zone files as localhost_view.
   
   allow-query-on { 192.168.10.1; };
   allow-query { internal_10_acl; };
   match-clients { internal_10_acl; };

   // LAN copy of the forward zone. No allow-update/update-policy, so
   // dynamic updates from LAN clients are refused (BIND default).
   zone "somehost.tld" {
           type master;
           file "/etc/bind/db.somehost.tld_10";
   };

   // Reverse zone for 192.168/16; `notify no` suppresses NOTIFY messages.
   zone "168.192.in-addr.arpa" {
           type master;
           notify no;
           file "/etc/bind/db.192.168.10";
   };

   // formerly named.conf.default-zones
   // Root hints plus the standard localhost/broadcast reverse zones. No
   // `recursion no` here, so (unless options says otherwise) this view
   // recurses on behalf of its LAN clients.

       zone "." {
               type hint;
               file "/etc/bind/db.root";
       };

       zone "localhost" {
               type master;
               file "/etc/bind/db.local";
       };

       zone "127.in-addr.arpa" {
               type master;
               file "/etc/bind/db.127";
       };

       zone "0.in-addr.arpa" {
               type master;
               file "/etc/bind/db.0";
       };

       zone "255.in-addr.arpa" {
               type master;
               file "/etc/bind/db.255";
       };

   // formerly zones.rfc1918
   // Empty zones: RFC 1918 reverse lookups get a local NXDOMAIN instead of
   // leaking upstream. 168.192.in-addr.arpa is served above, hence absent.

       zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
       zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

};

// 3
view "internal_150_view" {
   // Serves the 192.168.150.0/24 LAN (internal_150_acl) on the
   // 192.168.150.1 interface. Same structure as internal_10_view but
   // backed by its own "_150" zone files.

       allow-query-on { 192.168.150.1; };
       allow-query { internal_150_acl; };
   match-clients { internal_150_acl; };

   // LAN copy of the forward zone. No allow-update/update-policy, so
   // dynamic updates from this LAN are refused (BIND default).
   zone "somehost.tld" {
           type master;
           file "/etc/bind/db.somehost.tld_150";
   };

   // Reverse zone for 192.168/16 (this LAN's variant); `notify no`
   // suppresses NOTIFY messages.
   zone "168.192.in-addr.arpa" {
           type master;
           notify no;
           file "/etc/bind/db.192.168.150";
   };

   // formerly named.conf.default-zones
   // Root hints plus the standard localhost/broadcast reverse zones. No
   // `recursion no` here, so (unless options says otherwise) this view
   // recurses on behalf of its LAN clients.

       zone "." {
               type hint;
               file "/etc/bind/db.root";
       };

       zone "localhost" {
               type master;
               file "/etc/bind/db.local";
       };

       zone "127.in-addr.arpa" {
               type master;
               file "/etc/bind/db.127";
       };

       zone "0.in-addr.arpa" {
               type master;
               file "/etc/bind/db.0";
       };

       zone "255.in-addr.arpa" {
               type master;
               file "/etc/bind/db.255";
       };

   // formerly zones.rfc1918
   // Empty zones: RFC 1918 reverse lookups get a local NXDOMAIN instead of
   // leaking upstream. 168.192.in-addr.arpa is served above, hence absent.

       zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
       zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

};

// 4
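view "vpn_view" {
   // Serves the VPN peers listed in vpn_acl on the 192.168.200.1 tunnel
   // address. Unlike the LAN views it has its own forward zone file and no
   // 168.192.in-addr.arpa zone, so reverse lookups for 192.168/16 from VPN
   // clients fall through to recursion (presumably intended -- confirm).
   
   allow-query-on { 192.168.200.1; };
   allow-query { vpn_acl; };
   match-clients { vpn_acl; };
        
   // VPN copy of the forward zone. No allow-update/update-policy, so
   // dynamic updates from VPN clients are refused (BIND default).
   zone "somehost.tld" {
       type master;
       file "/etc/bind/db.somehost.tld_vpn";
   };

   // formerly named.conf.default-zones
   // Root hints plus the standard localhost/broadcast reverse zones. No
   // `recursion no` here, so (unless options says otherwise) this view
   // recurses on behalf of its VPN clients.

       zone "." {
               type hint;
               file "/etc/bind/db.root";
       };

       zone "localhost" {
               type master;
               file "/etc/bind/db.local";
       };

       zone "127.in-addr.arpa" {
               type master;
               file "/etc/bind/db.127";
       };

       zone "0.in-addr.arpa" {
               type master;
               file "/etc/bind/db.0";
       };

       zone "255.in-addr.arpa" {
               type master;
               file "/etc/bind/db.255";
       };

   // formerly zones.rfc1918
   // Empty zones: RFC 1918 reverse lookups get a local NXDOMAIN instead of
   // leaking upstream. The last entry used to read "32.172.in-addr.arpa";
   // 172.32/16 is public address space, so that typo answered NXDOMAIN for
   // legitimate public PTR lookups from VPN clients. The RFC 1918 block
   // ends at 172.31/16, matching the other views.

       zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
       zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

};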

// 5
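view "global_view" {
   // Internet-facing view on the public address 1.2.3.4. Authoritative
   // only: `recursion no` keeps this server from being an open resolver.
   
   allow-query-on { 1.2.3.4; };
// match-clients is intentionally left commented out: it then defaults to
// `any`, and because this is the last view it catches every client the
// earlier views did not match -- the same set the negated list expresses.
//  match-clients { any; !localhost_acl; !internal_10_acl; !internal_150_acl; !vpn_acl; };
   recursion no;
        
   // Public, DNSSEC-signed copy of the forward zone.
   zone "somehost.tld" {

       type master;

       // `update-policy local` accepts only UPDATEs signed with the TSIG
       // session key BIND generates at startup (key name local-ddns, kept
       // in session-keyfile -- /var/run/named/session.key on this host).
       // Whoever can read that file (root and the bind user) can change
       // any name in this zone, so the file's permissions are the access
       // control. Since the session key is the only grant, an UPDATE must
       // also *reach this view*: `nsupdate -l` sends to 127.0.0.1 and is
       // therefore matched by localhost_view, whose somehost.tld has no
       // update-policy at all (hence REFUSED). Use `local 1.2.3.4` in
       // nsupdate so the request's source address selects global_view.
       update-policy local;
       // BIND re-signs the zone as it changes with the keys found in
       // key-directory. The zone is now dynamic: hand-edit the zone file
       // only between `rndc freeze` and `rndc thaw`, otherwise the
       // journal (.jnl) and the file diverge.
       auto-dnssec maintain;

       file "/etc/bind/db.somehost.tld_global";

       key-directory "/etc/bind/keys";

       // NOTE(review): no allow-transfer is set here and options is not
       // shown. BIND 9.9's default allows AXFR to any client, which hands
       // the whole zone to the Internet; add `allow-transfer { none; };`
       // (or the secondaries' addresses) unless options already restricts it.

   };

   // RFC 2317 classless reverse delegation for part of 1.2.3.0/24.
   // NOTE(review): the usual label form is `<first-host>/<prefix-len>`,
   // e.g. `0/26.3.2.1.in-addr.arpa`; `26/4.3.2.1` must match the CNAME
   // targets the address block's owner delegated -- confirm against that
   // delegation before relying on this zone.
   zone "26/4.3.2.1.in-addr.arpa" IN {
       type master;
       file "/etc/bind/db.rev";
   };

   // formerly named.conf.default-zones
   // With recursion off the root hints are never used; the localhost and
   // broadcast reverse zones are still served authoritatively.

       zone "." {
               type hint;
               file "/etc/bind/db.root";
       };

       zone "localhost" {
               type master;
               file "/etc/bind/db.local";
       };

       zone "127.in-addr.arpa" {
               type master;
               file "/etc/bind/db.127";
       };

       zone "0.in-addr.arpa" {
               type master;
               file "/etc/bind/db.0";
       };

       zone "255.in-addr.arpa" {
               type master;
               file "/etc/bind/db.255";
       };

   // formerly zones.rfc1918
   // Empty zones for RFC 1918 reverse space, served authoritatively. The
   // last entry used to read "32.172.in-addr.arpa"; 172.32/16 is public
   // address space, so it is corrected to 31.172 to match the other views.

       zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
       zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

};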

ACL 定義:

// Named address lists referenced by the views' match-clients and
// allow-query statements above. named.conf does not allow forward
// references, so these acl statements must be read before the view
// statements (e.g. from named.conf.options or the top of named.conf.local).

// Loopback clients -> localhost_view.
acl localhost_acl {
       127.0.0.0/8;
};

// First LAN -> internal_10_view.
acl internal_10_acl {
       192.168.10.0/24;
};

// Second LAN -> internal_150_view.
acl internal_150_acl {
       192.168.150.0/24;
};

// Individual VPN peers -> vpn_view. Note this is a host list, not the
// whole 192.168.200.0/24; peers not listed here fall through to global_view.
acl vpn_acl {
       192.168.200.2;
       192.168.200.5;
};

所以在 update-policy local; 這裡,/var/run/named/session.key 已成功產生,且使用者 bind 可讀;但當我透過 nsupdate -l(以 root 身分)執行新增命令時,總是得到 update failed: REFUSED 錯誤(以下附有除錯訊息):

root@somehost:/etc/bind# nsupdate -l -v -D
setup_system()
Creating key...
namefromtext
keycreate
reset_system()
user_interaction()
> ttl 46000
do_next_command()
> zone somehost.tld.
do_next_command()
> update add whatever.somehost.tld. A 1.1.1.1
do_next_command()
evaluate_update()
update_addordelete()
> send
do_next_command()
start_update()
send_update()
Sending update to 127.0.0.1#53
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  15363
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;somehost.tld.                      IN      SOA

;; UPDATE SECTION:
whatever.somehost.tld.  46000   IN      A       1.1.1.1

;; TSIG PSEUDOSECTION:
local-ddns.             0       ANY     TSIG    hmac-sha256. 1446539060 300 32 r2lt18dGihGnJepoUjvIKx8l5BPMohNJvsLoO+WQiBE                                                                         = 15363 NOERROR 0

update_completed()
tsig verification successful
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  15363
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;somehost.tld.                      IN      SOA

;; TSIG PSEUDOSECTION:
local-ddns.             0       ANY     TSIG    hmac-sha256. 1446539060 300 32 Cnh9Tgg5vhKngPRk2J8n0wiRzdBLlQrp0F0qmfUotN8                                                                         = 15363 NOERROR 0

done_update()
reset_system()
user_interaction()
> quit

這是某種權限問題嗎?到底哪裡出了錯?

終於想通了。感謝 @Håkan Lindqvist 的啟發。

這些解決方案可能是 Debian/Ubuntu 特有的,未在其他發行版上測試過。

## 第一個解決方案

(使用 update-policy local;)

實際上可以在 /etc/bind/named.conf.local 中需要動態更新的每個 zone 宣告裡使用 update-policy local; 指令。它只接受以 BIND 啟動時自動產生的本機工作階段密鑰(session key,即 /var/run/named/session.key)簽署的更新,因此來自 Internet 或 LAN、未持有該密鑰的更新請求都會被拒絕,安全性較高。以 -l 選項執行 nsupdate 時,會自動使用這把密鑰。

但要注意 nsupdate -l 預設會把請求送到 127.0.0.1。在上面的設定裡,來源位址落在 127.0.0.0/8 的請求會先被 localhost_view 匹配,而該視圖中的 somehost.tld 區域並沒有 update-policy(BIND 預設不允許動態更新),所以得到 REFUSED;真正設定了 update-policy local; 的是 global_view 裡的區域。因此應使用 local X.X.X.X 命令(而不是 server X.X.X.X)指定請求的來源位址,讓請求匹配到正確的視圖;只要該位址是本機上的位址,即使是公共 IP 也可以作為參數。

注意:工作階段密鑰檔不是所有人可讀的(這正是它的存取控制),所以要用 sudo 執行。

例子:

me@somehost:~$ sudo nsupdate -l
> local 1.2.3.4
> zone somehost.tld
> update add something.somehost.tld. 86400 A 1.1.1.1
> send
> quit
## 第二個解決方案

(使用 ddns-confgen)

我有多個視圖(從 localhost_view 到 global_view),其中有些視圖包含公共區域(範例中的 somehost.tld)。如果想動態更新這些區域,就必須在 nsupdate 中使用 server X.X.X.X 命令,讓 nsupdate 把更新請求送往對應的介面,交由對應的視圖處理。

update-policy local; 不適合這種設定,因為它不允許在 nsupdate 中使用 server 命令。因此需要產生一把 DDNS 密鑰,並在所有要由 nsupdate 更新的 zone 宣告中指定它。在 Debian 世界裡,ddns-confgen 命令可以大幅簡化這項工作:

me@somehost:~$ ddns-confgen
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "ddns-key" {
       algorithm hmac-sha256;
       secret "pXohPnPR7dyri9ADfDLtSz+lHw/QliISyiEe0wg0a14=";
};

# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key.  For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
       grant ddns-key zonesub ANY;
};

# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>

這個命令的輸出已經說明得很清楚。需要把 key ... 片段放進 /etc/bind/named.conf(或它所 include 的任一檔案)中,並把 update-policy ... 片段加到每一個要由 nsupdate 更新的 zone 宣告裡。安全上要注意:請使用 ddns-confgen 自行產生的密鑰,不要照抄上面範例中的 secret;密鑰檔應只讓 root 與 bind 使用者可讀(例如 root:bind、0640);而 grant ddns-key zonesub ANY 會讓任何持有這把密鑰的人都能修改整個區域,包括透過公共介面送來的更新,因此請妥善保管密鑰,或依需要縮小 grant 的範圍。

要在多視圖的 BIND 環境中正確使用 nsupdate,必須在執行任何其他命令之前先明確指定 server 指令。因此,要更新 localhost_view 中的 somehost.tld 區域(假設 key ... 片段已儲存到 /etc/bind/ddns-key.key),命令如下(注意 server 127.0.0.1):

me@somehost:~$ nsupdate -k /etc/bind/ddns-key.key
> server 127.0.0.1
> zone somehost.tld
> update add something.somehost.tld. 86400 A 1.1.1.1
> send
> quit

而要操作 global_view 中的 somehost.tld 區域,命令基本相同,只是 server 不同。這種情況下需要使用公共 IP(範例中為 1.2.3.4):

me@somehost:~$ nsupdate -k /etc/bind/ddns-key.key
> server 1.2.3.4
> zone somehost.tld
> update add something.somehost.tld. 86400 A 1.1.1.1
> send
> quit

這樣 nsupdate 就會把請求送到對應的介面(不一定是本機迴路介面),由對應的視圖處理。

引用自:https://serverfault.com/questions/733490