Port-amd64 archive
Re: Changes to named between 7.0 and 9.2?
I only have NetBSD and Windows 10 machines. I have tried the nsupdate from all my NetBSD machines, a mix of: i386-7.0, amd64-7.0, amd64-8.0_RC1
and amd64_9.2. It only fails from the 9.2 machines, which suggests to
me that the server setup is fine, but something is wrong with openssl
on my 9.2 installations. In my named.conf file I have:
allow-update {key "update";};
to grant the update permission for testing purposes.
I can well believe that something is wrong with the 9.2 installations
(there have been other problems) and that maybe a configuration file
needs attention. But what and where?
--
Steve Blinkhorn <steve%prd.co.uk@localhost>
You wrote:
>
> steve%prd.co.uk@localhost (Steve Blinkhorn) writes:
>
> > So I ran nsupdate on two of my colo servers, one has been upgraded to 9.2, the other is
> > awaiting upgrade and is currently on 8.0_RC1. I used a non-root account and attempted
> > to add the same TXT record to my primary DNS server, using copies of the same key as in
> > my acme.sh setup. On 9.2 it failed with a 'bad TSIG' message, on 8.0_RC1 it succeeded.
> >
> > I was badly bitten a while back with an unremarked md5 change when I bumped my Tcl/Tk
> > scripts (of which I have many) from 8.4 to 8.6 and eventually discovered that the
> > default output from md5 was now binary, upper-case hex was an option, when previously
> > lower-case hex was the default. Lots of editing and testing needed at no notice.
> >
> > Has something similar happened here? The problem appears to be compatibility between 9.2
> > and previous releases, and acme.sh seems to be exonerated.
> >
> > --
> > Steve Blinkhorn <steve%prd.co.uk@localhost>
>
>
> The example I provided was actually from an ArchLinux VM. I currently
> do not have a very recent 9.2 NetBSD install to test with, but I do have
> a recent NetBSD-current system. In both the ArchLinux and -current
> case, the nsupdate test worked as expected. I also tried my older
> 9.0_STABLE system and it also worked fine. While it can be imagined
> that what you are suggesting is possible, I could not reproduce the
> problem using the simple test that was provided (I may have a 9.2 system
> available at some point, but not right away).
>
> You should actually be able to perform this test from literally any
> system type that provides nsupdate (literally anything that can send
> packets on port 53 and has the tsig key ... subject to the grant
> restrictions and/or firewall rules you may have on your DNS server). If
> you find that only the 9.2 system has problems then a PR should probably
> be filed to get the attention of folks.
>
>
> --
> Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
>