BIND needs restart to make dynamic update work
- Posts: 22
- Joined: 2017/01/05 14:55:14
BIND needs restart to make dynamic update work
Current and stock Centos 7 system on 4 core OpenVZ platform
I run my own DNS and all is well according to https://tools.dnsstuff.com and there is no upstream DNS except Google's root nameservers
Unless I restart BIND while a 60 sec propagation delay is occurring, the .jnl files which have the TXT lines needed to be verified as in the zone file just sit and certbot SSL renew fails
I am using the rfc 2136 authenticator - and if I restart while the 60 sec wait is occurring it flushes the .jnl file to the zone and the renew works
The zone file is in the var/named/dynamic directory and all the proper keys are in place obviously
It does leave the .jnl file even though certbot sends a cleanup and I have to issue a rndc sync -clean to flush the zone file of the TXT entries
The issue does not appear to be with certbot or the rfc 2136 authenticator as it is BIND which does not update the zone file after receiving the .jnl file
Does anyone know if there is something else needed in a setup or configuration of BIND to make the var/named/dynamic automatic updates work automatically?
Re: BIND needs restart to make dynamic update work
We don't support openvz.
What's the output from getsebool named_write_master_zones
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
- Posts: 22
- Joined: 2017/01/05 14:55:14
Re: BIND needs restart to make dynamic update work
[root@main ~]# getsebool named_write_master_zones
getsebool: SELinux is disabled
I think I am seeing this now . . . it is an old kernel - I cannot change it due to the hosting company platform which is Linux 2.6.32-042stab127.2 on x86_64
I am going to read over https://access.redhat.com/documentation ... uide/index to see if I want to take the SELinux plunge
Re: BIND needs restart to make dynamic update work
No, you're in a container so you can't enable selinux. It also means you need to ask the people that supply your host to find out why it's not working.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: BIND needs restart to make dynamic update work
wilburunion wrote: ↑2019/02/13 19:12:05
Current and stock Centos 7 system on 4 core OpenVZ platform
I run my own DNS and all is well according to https://tools.dnsstuff.com and there is no upstream DNS except Google's root nameservers
Unless I restart BIND while a 60 sec propagation delay is occurring, the .jnl files which have the TXT lines needed to be verified as in the zone file just sit and certbot SSL renew fails
I am using the rfc 2136 authenticator - and if I restart while the 60 sec wait is occurring it flushes the .jnl file to the zone and the renew works
The zone file is in the var/named/dynamic directory and all the proper keys are in place obviously
It does leave the .jnl file even though certbot sends a cleanup and I have to issue a rndc sync -clean to flush the zone file of the TXT entries
The issue does not appear to be with certbot or the rfc 2136 authenticator as it is BIND which does not update the zone file after receiving the .jnl file
Does anyone know if there is something else needed in a setup or configuration of BIND to make the var/named/dynamic automatic updates work automatically?
You should freeze the zone before updating: rndc freeze
Re: BIND needs restart to make dynamic update work
It's not necessary to freeze a zone if using nsupdate, that's sort of the whole point of nsupdate.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
- Posts: 22
- Joined: 2017/01/05 14:55:14
Re: BIND needs restart to make dynamic update work
The problem is - certbot and the rfc 2136 authenticator command line option does not actually use nsupdate. It makes API calls using dns-python
Also the freeze - thaw commands are obsoleted by sync in BIND 9.9. See ftp://ftp.isc.org/isc/bind9/9.9.0/RELEA ... -9.9.0.txt at NEW FEATURES
" "rndc sync" command dumps pending changes in a dynamic zone
to disk without a freeze/thaw cycle. "rndc sync -clean" removes
the journal file after syncing. "rndc freeze" no longer removes
journal files. [RT #22473]"
The other way to dump the changes is to restart BIND or stop it and start it.
The fastest way is to use Webmin and hit the recycle BIND icon.
It is possible the rfc 2136 authenticator needs to be re-written to issue a sync command before the propagation wait of 60 seconds
Yes, SELinux did not work, but it has allegedly been fixed by OpenVZ to work now - though I care not to try. setfacl and auditd also do not work
Here is the previous reply from eff.org:
"Just to be clear, Certbot's RFC2136 authenticator does not directly touch your zone files; it follows RFC2136's client API (just as nsupdate does) to tell a RFC2136-compatible DNS server to perform the proper updates. I also don't think information on how to properly set up Dynamic DNS for BIND for a particular operating system belongs in Certbot's documentation!"
See https://github.com/certbot/certbot/issues/6322
I disagreed because not all distros have BIND set up for dynamic updates out of the box like Centos does, where there is the var/named/dynamic directory
I will pose the sync question in the python code to the rfc 2136 authenticator coders
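As an added example (not code from this thread, from certbot or from BIND), this builds and decodes the RFC 2136 UPDATE messages that an authenticator like certbot's sends: one that adds the _acme-challenge TXT record before the propagation wait, and the matching delete used for cleanup. It uses only the Python standard library; the zone name, record name and token are constructed, and the TSIG signature the real exchange carries is left out.

```python
import struct

# Field values from RFC 1035 and RFC 2136
OPCODE_UPDATE = 5
TYPE_SOA, TYPE_TXT = 6, 16
CLASS_IN, CLASS_ANY = 1, 255


def _name(n):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = n.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(msg, pos):
    """Decode an uncompressed name; returns (name, position after it)."""
    labels = []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def build_update(zone, name, txt=None, ttl=60, msg_id=0x1234):
    """Build an RFC 2136 UPDATE carrying one RR in the update section.
    txt set  -> add a TXT RR at name (the step before the 60 s wait)
    txt None -> delete every TXT RR at name (cleanup; RFC 2136 section 2.5.2)
    Counts in the header: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = _name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    if txt is not None:
        data = txt.encode("ascii")
        rdata = bytes([len(data)]) + data              # one TXT <character-string>
        rr = _name(name) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    else:
        rr = _name(name) + struct.pack("!HHIH", TYPE_TXT, CLASS_ANY, 0, 0)
    return header + zone_sec + rr


def parse_update(msg):
    """Decode the header, zone name and the single update RR into a dict."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    zone, pos = _read_name(msg, 12)
    pos += 4                                           # skip zone TYPE/CLASS
    name, pos = _read_name(msg, pos)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    rdata = msg[pos + 10:pos + 10 + rdlen]
    return {"id": msg_id, "opcode": flags >> 11, "counts": (zo, pr, up, ad),
            "zone": zone, "name": name, "type": rtype, "class": rclass,
            "ttl": ttl, "txt": rdata[1:].decode("ascii") if rdata else None}
```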
Re: BIND needs restart to make dynamic update work
My configuration with rndc freeze and rndc thaw works fine. I haven't found another solution yet.
- Posts: 22
- Joined: 2017/01/05 14:55:14
Re: BIND needs restart to make dynamic update work
I do not know what BIND version you are running, but as of 9.9 it is no longer needed that way - and the sync command is used instead
It does not matter because I cannot control the rfc 2136 authenticator which is making API calls for the update . . . . and this is not an nsupdate programming issue anyway