Notation: What does the tilde bellow of the Expectation mean?
Prove that a definite integral is an infinite sum
Is 'contemporary' ambiguous and if so is there a better word?
How does summation index shifting work?
Any examples of liquids volatile at room temp but non-flammable?
What do I do if my advisor made a mistake?
Why would a military not separate its forces into different branches?
How can I get people to remember my character's gender?
How to pass hash as password to ssh server
Should I mention being denied entry to UK due to a confusion in my Visa and Ticket bookings?
How do I calculate how many of an item I'll have in this inventory system?
Find magical solution to magical equation
Should homeowners insurance cover the cost of the home?
Handling Null values (and equivalents) routinely in Python
Install LibreOffice-Writer Only not LibreOffice whole package
Is Soreness in Middle Knuckle of Fretting Hand Index Finger Normal for Beginners?
Why do these characters still seem to be the same age after the events of Endgame?
Would a small hole in a Faraday cage drastically reduce its effectiveness at blocking interference?
Does "Captain Marvel" contain spoilers for "Avengers: Infinity War"?
Agena docking and RCS Brakes in First Man
What was the first story to feature the plot "the monsters were human all along"?
Why aren't nationalizations in Russia described as socialist?
Why did the Apollo 13 crew extend the LM landing gear?
What are the advantages of luxury car brands like Acura/Lexus over their sibling non-luxury brands Honda/Toyota?
Having issues dynamically updating bind with terraform - authentication failures
I'm trying to update a domain hosted with bind using terraform, and getting tsig verify failures in /var/log/named/security.log, but it works when I use nsupdate.

I'm generating a key using tsig-keygen -a HMAC-MD5 ns01.ops.example.com > /etc/bind/rndc.key, and my named.conf includes:

    # Allow rndc management
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.example.com"; };
    };

I parse the key data out of rndc.key, and create a dnskey.tf file with

    # Configure the DNS Provider
    provider "dns" {
      update {
        server        = "127.0.0.1"
        key_algorithm = "hmac-md5"
        key_name      = "ns01.ops.clh-int.com."
        key_secret    = "bI40GY5fMZxvz7/NlGwA4w=="
      }
    }

    resource "dns_a_record_set" "cthulhu" {
      zone      = "ops.example.com."
      name      = "cthulhu"
      addresses = [ "192.168.1.1" ]
      ttl       = 180
    }

Which matches the contents of /etc/bind/rndc.key

    key "ns01.ops.example.com" {
        algorithm hmac-sha256;
        secret "bI40GY5fMZxvz7/NlGwA4w==";
    };

When I run terraform apply, I get the following error message:

    Error: Error applying plan:

    1 error(s) occurred:

    * dns_a_record_set.cthulhu: 1 error(s) occurred:

    * dns_a_record_set.cthulhu: Error updating DNS record: dns: bad authentication

    2019/04/25 23:59:29 [DEBUG] plugin: waiting for all plugin processes to complete...
    2019-04-25T23:59:29.319Z [DEBUG] plugin.terraform-provider-dns_v2.1.0_x4: 2019/04/25 23:59:29 [ERR] plugin: plugin server: accept unix /tmp/plugin235354968: use of closed network connection

    Terraform does not automatically rollback in the face of errors.
    Instead, your Terraform state file has been partially updated with
    any resources that successfully completed. Please address the error
    above and apply again to incrementally change your infrastructure.

And the error seen in /var/log/named/security.log is

    25-Apr-2019 23:59:29.308 security: error: client @0x55fa8d04d560 127.0.0.1#37299: request has invalid signature: TSIG ns01.ops.example.com: tsig verify failure (BADKEY)
Using nsupdate -k /etc/bind/rndc.key -v commandfile works, where commandfile has contents like:

    server $SERVER_ADDRESS
    debug yes
    zone ops.example.com
    update delete blah.example.com
    update add blah.example.com 300 A 10.9.8.7
    send
For what it's worth, I'm running terraform inside the same docker container that bind is running in.

For completeness, here's a sanitized copy of /etc/bind/named.conf

    include "/etc/bind/rndc.key";

    # Allow rndc management
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.clh-int.com"; };
    };

    acl "clients" {
        127.0.0.0/8;
    };

    ########################
    ## options
    ########################
    options {
        directory "/var/bind";
        dump-file "/var/bind/cache_dump.db";
        statistics-file "/var/bind/bind_statistics.txt";
        memstatistics-file "/var/bind/bind_mem_statistics.txt";
        version "private";
        lame-ttl 180;
        max-ncache-ttl 1800; # max time to cache negative NXDOMAIN answers
        listen-on port 53 { any; };
        listen-on-v6 { none; };
        allow-transfer { none; };
        pid-file "/var/run/named/named.pid";
        recursion yes;
        forwarders {
            8.8.8.8;
            8.8.4.4;
        };
    };

    ########################
    ## zones
    ########################
    zone "ops.example.com" IN {
        type master;
        file "/etc/bind/ops.example.com.zone";
        allow-transfer { 127.0.0.1; };
        allow-update {
            key "ns01.ops.clh-int.com";
            127.0.0.0/8;
        };
        notify yes;
    };

    ########################
    ## logging
    ########################
    logging {
        channel general {
            file "/var/log/named/general.log" versions 5 size 25m;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        channel queries {
            file "/var/log/named/queries.log" versions 5 size 10m;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        channel security {
            file "/var/log/named/security.log" versions 5;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        category default { general; };
        category general { general; };
        category config { general; };
        category network { general; };
        category queries { queries; };
        category security { security; };
    };

I'm clearly missing something simple here, but can't see what it is.
bind terraform
asked Apr 26 at 0:18
Joe Block
1 Answer
Looks at first glance to be different signature types. Bind key lists hmac-sha256, terraform lists hmac-md5. The error suits that misconfiguration.
edited Apr 26 at 5:16
answered Apr 26 at 5:08
hargut
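As an added check (not code from the question or the answer), a small Python script that parses the BIND key statement and the Terraform dns provider's update block, reports every attribute on which the two disagree, and emits an update block generated from the key file so the values cannot drift apart; the sample rndc.key and dnskey.tf below are constructed to reproduce the algorithm mismatch the answer points at.

```python
import re

# Constructed sample in the shape of tsig-keygen output (example secret, not a
# real one): the key BIND loads via include "/etc/bind/rndc.key".
RNDC_KEY = '''key "ns01.ops.example.com" {
    algorithm hmac-sha256;
    secret "bI40GY5fMZxvz7/NlGwA4w==";
};
'''

# Constructed dnskey.tf with the algorithm mistyped as in the question.
DNSKEY_TF = '''provider "dns" {
  update {
    server        = "127.0.0.1"
    key_algorithm = "hmac-md5"
    key_name      = "ns01.ops.example.com."
    key_secret    = "bI40GY5fMZxvz7/NlGwA4w=="
  }
}
'''

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')
UPDATE_RE = re.compile(r'update\s*\{(.*?)\}', re.S)
FIELD_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_bind_key(text):
    """Return {name, algorithm, secret} from a BIND key statement."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    return {"name": m.group(1), "algorithm": m.group(2), "secret": m.group(3)}


def parse_tf_update(text):
    """Return the quoted attributes of the provider's update block."""
    m = UPDATE_RE.search(text)
    if not m:
        raise ValueError("no update block found")
    return dict(FIELD_RE.findall(m.group(1)))


def _fqdn(name):
    # BIND's key statement omits the trailing dot; Terraform expects it.
    return name.lower().rstrip(".") + "."


def check_tsig_match(bind_key, tf_update):
    """List every attribute on which BIND and Terraform disagree."""
    # BIND looks a TSIG key up by name and algorithm together, so a key offered
    # under the wrong algorithm counts as unknown: the log says BADKEY, not BADSIG.
    problems = []
    if bind_key["algorithm"].lower() != tf_update.get("key_algorithm", "").lower():
        problems.append("algorithm: bind=%s terraform=%s"
                        % (bind_key["algorithm"], tf_update.get("key_algorithm")))
    if _fqdn(bind_key["name"]) != _fqdn(tf_update.get("key_name", "")):
        problems.append("key_name: bind=%s terraform=%s"
                        % (bind_key["name"], tf_update.get("key_name")))
    if bind_key["secret"] != tf_update.get("key_secret"):
        problems.append("key_secret: differs")
    return problems


def render_tf_update(bind_key, server="127.0.0.1"):
    """Generate the update block from the key file itself so nothing drifts."""
    fields = (server, bind_key["algorithm"], _fqdn(bind_key["name"]), bind_key["secret"])
    return ('provider "dns" {\n  update {\n    server        = "%s"\n    key_algorithm = "%s"\n'
            '    key_name      = "%s"\n    key_secret    = "%s"\n  }\n}\n' % fields)
```

Running check_tsig_match on the two constructed inputs reports only the algorithm mismatch; feeding render_tf_update's output back through parse_tf_update yields no mismatches.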