plugin dns/rfc2136 not working in 22.7.9_3

[tmueko]

The plugin is not working any more?!

when I try myself I get the following error:

/usr/local/bin/nsupdate -k /var/etc/K0lod-01.dyn-ip.info.+157+00000.key /var/etc/nsupdatecmds0

09-Dec-2022 12:03:31.836 /var/etc/K0<DOMAIN>.+157+00000.key:1: unknown option <DOMAIN>.'
09-Dec-2022 12:03:31.838 /var/etc/K0<DOMAIN>.+157+00000.key:2: unexpected token near end of file
could not read key from /var/etc/K0<DOMAIN>.+157+00000.{private,key}: unexpected token
update failed: REFUSED

when I manually create a keyfile like it is stored in bind it is working:

key "KEYNAME" {
        algorithm hmac-md5;
        secret "SECRET";
};

[tmueko]

maybe it helps: this one is working to:

/usr/local/bin/nsupdate -y hmac-md5:KEYNAME:SECRET /var/etc/nsupdatecmds0

[tmueko]

It is an Upstream-Bug from bind:

https://gitlab.isc.org/isc-projects/bind9/-/issues/3668

[franco]

Thanks for the report. I wanted to fix it but the flu season got in the way past couple of weeks.

Does this make sense? https://github.com/opnsense/plugins/commit/de660623ed

# opnsense-patch -c plugins de66062


Cheers,
Franco

[krei.se]

Hey Franco,

thanks for keeping at this.

I applied the patch and can manually invoke the update now. But in the patch there is still nsupdate command with .key file, not .private

Can you tell me what the etc nsupdatecmds do? I tried to delete them, but they don't seem to get created now

[franco]

I'm not sure how this is supposed to work to be honest. The original bug report says the private key file syntax was wrong so I just replaced that to minimise impact.

In bind we have a legacy format that looks weird, has a weirder forward-fallback and then also is ok to be broken instead of just removing it and it will be fixed later with low priority? Yeah, I don't know if that's the greatest situation to be in.

If someone let's me know what simpler version works (minus replacing 157 with 160 until it breaks again) I'm happy to change it but personally I don't have a setup to test.


Cheers,
Franco

[krei.se]

Hey Franco,

got around reinstalling the package and starting from scratch, apply your patch and fix it:

After the patch there is only this one change needed to have it working on BIND 9.11.5-P4-5.1+deb10u8-Debian (Extended Support Version):

Line 222:
$cmd = "/usr/local/bin/nsupdate -k /var/etc/K{$i}{$keyname}+157+00000.key";
change to
$cmd = "/usr/local/bin/nsupdate -k /var/etc/K{$i}{$keyname}+157+00000.private";

Which is kinda expected because you apply the needed key format change in the .private file, not the .key file

Thats it, i have successful changes now in server log:

18-Dec-2022 08:15:54.551 update: info: client @0x7fbd480c7230 80.123.34.454#58679/key ns-asdf-rndc-key: updating zone 'asdf.asdf/IN': deleting rrset at 'asdf.asdf.asdf' A
18-Dec-2022 08:15:54.551 update: info: client @0x7fbd480c7230 80.123.34.45#58679/key ns-asdf-rndc-key: updating zone 'asdf.asdf/IN': adding an RR at 'asdf.asdf.asdf' A 80.123.34.45

[tmueko]

I can confirm, that with 22.7.10_2 it ist working again.

I think, it would be better to switch to newer key format as suggestet here: https://github.com/opnsense/plugins/commit/de660623ed

then change md5 with sha in next step.

@franco: If you need tests-keys and setup I can help out.