BIND needs restart to make dynamic update work

wilburunion
Posts: 22
Joined: 2017/01/05 14:55:14

BIND needs restart to make dynamic update work

Post by wilburunion » 2019/02/13 19:12:05

Current and stock CentOS 7 system on a 4 core OpenVZ platform

I run my own DNS and all is well according to https://tools.dnsstuff.com, and there is no upstream DNS except Google's root nameservers

Unless I restart BIND while a 60 sec propagation delay is occurring, the .jnl files, which have the TXT lines that need to be verified as in the zone file, just sit and the certbot SSL renew fails

I am using the rfc 2136 authenticator, and if I restart while the 60 sec wait is occurring it flushes the .jnl file to the zone and the renew works

The zone file is in the var/named/dynamic directory and all the proper keys are in place, obviously

It does leave the .jnl file even though certbot sends a cleanup, and I have to issue an rndc sync -clean to flush the zone file of the TXT entries

The issue does not appear to be with certbot or the rfc 2136 authenticator, as it is BIND which does not update the zone file after receiving the .jnl file

Does anyone know if there is something else needed in the setup or configuration of BIND to make the var/named/dynamic automatic updates work automatically?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: BIND needs restart to make dynamic update work

Post by TrevorH » 2019/02/13 19:41:31

We don't support openvz.

What's the output from getsebool named_write_master_zones?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

wilburunion
Posts: 22
Joined: 2017/01/05 14:55:14

Re: BIND needs restart to make dynamic update work

Post by wilburunion » 2019/02/13 19:50:54

[root@main ~]# getsebool named_write_master_zones
getsebool: SELinux is disabled

I think I am seeing this now . . . it is an old kernel. I cannot change it due to the hosting company platform, which is Linux 2.6.32-042stab127.2 on x86_64

I am going to read over https://access.redhat.com/documentation ... uide/index to see if I want to take the SELinux plunge

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: BIND needs restart to make dynamic update work

Post by TrevorH » 2019/02/13 20:21:35

No, you're in a container so you can't enable selinux. It also means you need to ask the people that supply your host to find out why it's not working.

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: BIND needs restart to make dynamic update work

Post by mghe » 2019/02/14 06:15:41

wilburunion wrote:
2019/02/13 19:12:05
[quotes the original post in full; see above]

You should freeze the zone before the update: rndc freeze

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: BIND needs restart to make dynamic update work

Post by TrevorH » 2019/02/14 10:18:07

It's not necessary to freeze a zone if using nsupdate, that's sort of the whole point of nsupdate.

wilburunion
Posts: 22
Joined: 2017/01/05 14:55:14

Re: BIND needs restart to make dynamic update work

Post by wilburunion » 2019/02/14 17:54:40

The problem is that certbot and the rfc 2136 authenticator command line option do not actually use nsupdate. It uses API calls through dns-python

Also the freeze - thaw commands are obsoleted by sync in BIND 9.9. See ftp://ftp.isc.org/isc/bind9/9.9.0/RELEA ... -9.9.0.txt at NEW FEATURES

" "rndc sync" command dumps pending changes in a dynamic zone
to disk without a freeze/thaw cycle. "rndc sync -clean" removes
the journal file after syncing. "rndc freeze" no longer removes
journal files. [RT #22473]"

The other way to dump the changes is to restart BIND or stop it and start it.

The fastest way is to use Webmin and hit the recycle BIND icon.

It is possible the rfc 2136 authenticator needs to be re-written to issue a sync command before the propagation wait of 60 seconds

Yes, SELinux did not work but allegedly has been fixed by OpenVZ to now work, though I care not to try. sefacl and auditd also do not work

Here is the previous reply from eff.org:

"Just to be clear, Certbot's RFC2136 authenticator does not directly touch your zone files; it follows RFC2136's client API (just as nsupdate does) to tell a RFC2136-compatible DNS server to perform the proper updates. I also don't think information on how to properly set up Dynamic DNS for BIND for a particular operating system belongs in Certbot's documentation!"

See https://github.com/certbot/certbot/issues/6322

I disagreed because not all distros have BIND set up for dynamic updates out of the box like CentOS does, where there is the var/named/dynamic directory

I will pose the sync question in the python code to the rfc 2136 authenticator coders
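One way to get the sync step the post above asks for without waiting on the plugin: an added example, not code from this thread, from certbot or from ISC, of a certbot --manual-auth-hook that pushes the ACME TXT record with nsupdate over RFC 2136, flushes the journal with rndc sync -clean, and then polls the server for the record instead of trusting a fixed 60 second delay. The zone name, TSIG key path and server address are assumed placeholders; this swaps certbot's RFC2136 plugin for the manual hook mechanism.

```shell
#!/bin/sh
# Added example (not from this thread, certbot or ISC): a certbot
# --manual-auth-hook that pushes the ACME TXT record over RFC 2136,
# flushes the journal with "rndc sync -clean", then polls the server.
# Assumed placeholders: zone, TSIG key path and server address.
ZONE="${ZONE:-example.com}"
KEYFILE="${KEYFILE:-/etc/named/certbot.key}"
SERVER="${SERVER:-127.0.0.1}"

# Emit the nsupdate batch for _acme-challenge.<domain>.
# $1 = domain, $2 = validation token, $3 = add | delete
build_update_batch() {
    name="_acme-challenge.$1."
    printf 'server %s\nzone %s.\n' "$SERVER" "$ZONE"
    printf 'update delete %s TXT\n' "$name"
    if [ "$3" = "add" ]; then
        printf 'update add %s 60 TXT "%s"\n' "$name" "$2"
    fi
    printf 'send\n'
}

# Apply the batch with the TSIG key, then write the journal into the zone
# file so the on-disk zone matches what named serves; -clean removes .jnl.
apply_update() {
    build_update_batch "$1" "$2" "$3" | nsupdate -k "$KEYFILE" || return 1
    rndc sync -clean "$ZONE"
}

# Poll the authoritative server for the TXT record instead of trusting a
# fixed propagation delay; gives up after about 60 seconds.
wait_for_txt() {
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short @"$SERVER" "_acme-challenge.$1" TXT | grep -q "$2"; then
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    return 1
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook.
if [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ]; then
    apply_update "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" add &&
        wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi
```

Invoke it with certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/this-script, and a matching cleanup hook can call apply_update with delete so the TXT record and the journal do not linger after renewal.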

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: BIND needs restart to make dynamic update work

Post by mghe » 2019/02/15 15:55:15

My configuration with rndc freeze and rndc thaw works fine. I haven't found another solution yet.

wilburunion
Posts: 22
Joined: 2017/01/05 14:55:14

Re: BIND needs restart to make dynamic update work

Post by wilburunion » 2019/02/16 14:43:13

mghe wrote:
2019/02/15 15:55:15
My configuration with rndc freeze and rndc thaw works fine. I haven't found another solution yet.
I do not know what BIND version you are running, but as of 9.9 it is no longer needed that way - and the sync command is used instead

It does not matter because I cannot control the rfc 2136 authenticator, which is making API calls for the update . . . and this is not an nsupdate programming issue anyway
