Thursday, February 9, 2017

Having issues dynamically updating bind with terraform - authentication failures



I'm trying to update a domain hosted with bind using terraform, and getting tsig verify failures in /var/log/named/security.log, but it works when I use nsupdate.



I'm generating a key using tsig-keygen -a HMAC-MD5 ns01.ops.example.com > /etc/bind/rndc.key, and my named.conf includes:




# Allow rndc management
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.example.com"; };
};


I parse the key data out of rndc.key, and create a dnskey.tf file with



# Configure the DNS Provider

provider "dns" {
  update {
    server        = "127.0.0.1"
    key_algorithm = "hmac-md5"
    key_name      = "ns01.ops.clh-int.com."
    key_secret    = "bI40GY5fMZxvz7/NlGwA4w=="
  }
}

resource "dns_a_record_set" "cthulhu" {
  zone      = "ops.example.com."
  name      = "cthulhu"
  addresses = [ "192.168.1.1" ]
  ttl       = 180
}


Which matches the contents of /etc/bind/rndc.key:



key "ns01.ops.example.com" {
  algorithm hmac-sha256;
  secret "bI40GY5fMZxvz7/NlGwA4w==";
};


When I run terraform apply, I get the following error message:



Error: Error applying plan:

1 error(s) occurred:

* dns_a_record_set.cthulhu: 1 error(s) occurred:

* dns_a_record_set.cthulhu: Error updating DNS record: dns: bad authentication

2019/04/25 23:59:29 [DEBUG] plugin: waiting for all plugin processes to complete...
2019-04-25T23:59:29.319Z [DEBUG] plugin.terraform-provider-dns_v2.1.0_x4: 2019/04/25 23:59:29 [ERR] plugin: plugin server: accept unix /tmp/plugin235354968: use of closed network connection
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


And the error seen in /var/log/named/security.log is:

25-Apr-2019 23:59:29.308 security: error: client @0x55fa8d04d560 127.0.0.1#37299: request has invalid signature: TSIG ns01.ops.example.com: tsig verify failure (BADKEY)



Using nsupdate -k /etc/bind/rndc.key -v commandfile works, where commandfile has contents like:



server $SERVER_ADDRESS
debug yes
zone ops.example.com

update delete blah.example.com
update add blah.example.com 300 A 10.9.8.7
send


For what it's worth, I'm running terraform inside the same docker container that bind is running in.



For completeness, here's a sanitized copy of /etc/bind/named.conf:



include "/etc/bind/rndc.key";

# Allow rndc management
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.clh-int.com"; };
};

acl "clients" {
  127.0.0.0/8;
};

########################
## options
########################

options {
  directory "/var/bind";
  dump-file "/var/bind/cache_dump.db";
  statistics-file "/var/bind/bind_statistics.txt";
  memstatistics-file "/var/bind/bind_mem_statistics.txt";

  version "private";

  lame-ttl 180;
  max-ncache-ttl 1800; # max time to cache negative NXDOMAIN answers

  listen-on port 53 { any; };
  listen-on-v6 { none; };

  allow-transfer { none; };

  pid-file "/var/run/named/named.pid";

  recursion yes;

  forwarders {
    8.8.8.8;
    8.8.4.4;
  };
};

########################
## zones
########################

zone "ops.example.com" IN {
  type master;
  file "/etc/bind/ops.example.com.zone";

  allow-transfer { 127.0.0.1; };

  allow-update {
    key "ns01.ops.clh-int.com";
    127.0.0.0/8;
  };

  notify yes;
};

########################
## logging
########################

logging {
  channel general {
    file "/var/log/named/general.log" versions 5 size 25m;
    print-time yes;
    print-category yes;
    print-severity yes;
  };

  channel queries {
    file "/var/log/named/queries.log" versions 5 size 10m;
    print-time yes;
    print-category yes;
    print-severity yes;
  };

  channel security {
    file "/var/log/named/security.log" versions 5;
    print-time yes;
    print-category yes;
    print-severity yes;
  };

  category default { general; };
  category general { general; };
  category config { general; };
  category network { general; };
  category queries { queries; };
  category security { security; };
};


I'm clearly missing something simple here, but can't see what it is.


Answer



At first glance it looks like different signature types. Bind key lists hmac-sha256, terraform lists hmac-md5. The error suits that misconfiguration.
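To make the answer concrete, here is an added example (not code from the question, the answer, BIND or the terraform dns provider) that models how a TSIG-verifying server treats a request whose key name and algorithm do not match what it has configured. It assumes the key file shown above (the secret is the sanitized placeholder from the question) and a simplified MAC that covers only the request bytes, key name and algorithm name rather than the full RFC 8945 TSIG variables. The point it shows is the order of checks: a key that is found by name but advertised with a different algorithm is rejected as BADKEY before any MAC is computed, which is exactly the `tsig verify failure (BADKEY)` line in security.log, while a wrong MAC on the right key would be reported as BADSIG. A small helper also extracts the `algorithm` statement from rndc.key so it can be compared against `key_algorithm` in the provider block.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Short algorithm names (as used in BIND and the terraform provider config)
# mapped to the wire algorithm name from RFC 8945 and the hash behind it.
ALGORITHMS = {
    "hmac-md5": ("hmac-md5.sig-alg.reg.int.", hashlib.md5),
    "hmac-sha256": ("hmac-sha256.", hashlib.sha256),
}

# TSIG error codes carried in the TSIG RR when verification fails.
BADSIG, BADKEY = 16, 17

# Constructed stand-in for the server's key configuration: the rndc.key in
# the question declares hmac-sha256, and the secret is the sanitized
# placeholder value from the question, not a real key.
SERVER_KEYS: Dict[str, Tuple[str, str]] = {
    "ns01.ops.example.com.": ("hmac-sha256", "bI40GY5fMZxvz7/NlGwA4w=="),
}


def sign(message: bytes, key_name: str, algorithm: str, secret_b64: str) -> dict:
    """Build a simplified TSIG record for a request.

    The MAC is HMAC over the request bytes, the key name and the wire
    algorithm name (real TSIG also covers time signed and fudge; omitted
    here to keep the check order visible).
    """
    wire_name, digestmod = ALGORITHMS[algorithm]
    data = message + key_name.lower().encode() + wire_name.encode()
    mac = hmac.new(base64.b64decode(secret_b64), data, digestmod).digest()
    return {"key_name": key_name, "algorithm": algorithm, "mac": mac}


def verify(message: bytes, tsig: dict) -> Tuple[bool, Optional[int]]:
    """Mirror the server-side order of checks.

    Unknown key name or an algorithm that differs from the configured one
    -> BADKEY, before any MAC work.  Known key and algorithm but MAC
    mismatch (tampered request, wrong secret) -> BADSIG.
    """
    entry = SERVER_KEYS.get(tsig["key_name"].lower())
    if entry is None or entry[0] != tsig["algorithm"].lower():
        return False, BADKEY
    configured_alg, secret_b64 = entry
    expected = sign(message, tsig["key_name"], configured_alg, secret_b64)["mac"]
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, BADSIG
    return True, None


def rndc_key_algorithm(rndc_key_text: str) -> str:
    """Extract the algorithm from a BIND `key { ... }` statement, e.g. the
    contents of rndc.key, so it can be compared with the provider's
    key_algorithm before running terraform apply."""
    match = re.search(r"^\s*algorithm\s+([\w-]+)\s*;", rndc_key_text, re.M)
    if not match:
        raise ValueError("no algorithm statement found in key file")
    return match.group(1).lower()


def provider_matches_key(rndc_key_text: str, provider_key_algorithm: str) -> bool:
    """The pre-flight check a practitioner wants: does the provider block
    name the same algorithm as the key file it was copied from?"""
    return rndc_key_algorithm(rndc_key_text) == provider_key_algorithm.lower()


if __name__ == "__main__":
    # Constructed request and the key file text from the question.
    request = b"update add cthulhu.ops.example.com. 180 IN A 192.168.1.1"
    secret = "bI40GY5fMZxvz7/NlGwA4w=="
    key_file = 'key "ns01.ops.example.com" {\n  algorithm hmac-sha256;\n  secret "%s";\n};\n' % secret

    # nsupdate -k reads the algorithm from the file, so it signs with sha256.
    print(verify(request, sign(request, "ns01.ops.example.com.", "hmac-sha256", secret)))
    # The provider block hard-codes hmac-md5: found by name, rejected as BADKEY.
    print(verify(request, sign(request, "ns01.ops.example.com.", "hmac-md5", secret)))
    print("provider config consistent:", provider_matches_key(key_file, "hmac-md5"))
```

Running it prints `(True, None)` for the nsupdate-style signature and `(False, 17)` (BADKEY) for the md5-signed one, and the pre-flight check returns `False` for the provider block as posted; changing `key_algorithm` to `hmac-sha256` makes it pass. Keeping the algorithm, the key name (including the trailing dot) and the secret together in one source of truth, rather than retyping them into dnskey.tf, is what prevents this class of BADKEY failure.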

