Nsupdate, getting BADKEY error - dns

I'm trying to update a name using nsupdate executed from within the name server itself but I receive the error message
; TSIG error with server: tsig indicates error.
I created a key with dnssec-keygen -a hmac-md5 -b 512 -n HOST -r /dev/urandom dyn.mydomain.com. and copied the secret into the named.conf.
My named.conf is as follows
key "dyn.mydomain.com." {
algorithm hmac-md5;
secret "T2DjtGkGAzPAVrL6zar9GpxjNQ1iOjJzWKhPsF5gu0xQbaONhK7ZmC0n WKatgbGEHqla1uoxG3FdktQPolMIjQ==";
};
zone "dyn.mydomain.com." {
type master;
file "/var/cache/bind/dyn.mydomain.com.hosts";
allow-update {
key "dyn.mydomain.com.";
};
};
The file dyn.mydomain.com.hosts looks as follows:
$ORIGIN .
$TTL 8400 ; 2 hours 20 minutes
dyn.mydomain.com IN SOA ns. root. (
2007072513 ; serial
7200 ; refresh (2 hours)
900 ; retry (15 minutes)
1857600 ; expire (3 weeks 12 hours)
8400 ; minimum (2 hours 20 minutes)
)
NS ns.dyn.mydomain.com.
$ORIGIN dyn.mydomain.com.
ns A [ip of this name server]
$TTL 60 ; 1 minute
I restart bind9, then use
nsupdate -v -d -k /etc/bind/Kdyn.mydomain.com.+157+53489.private
> server localhost
> zone dyn.mydomain.com
> update add test.dyn.mydomain.com IN A 80.80.80.80
> send
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 50553
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;dyn.mydomain.com. IN SOA
;; UPDATE SECTION:
test.dyn.mydomain.com. 60 IN A 80.80.80.80
;; TSIG PSEUDOSECTION:
dyn.mydomain.com. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1325777156 300 16 5k3AkgLuCziNKtaeb39MRE== 50553 NOERROR 0
; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 50553
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
dyn.mydomain.com. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1325777156 300 0 50553 BADKEY 0
What can be the reason?

secret "T2DjtGkGAzPAVrL6zar9GpxjNQ1iOjJzWKhPsF5gu0xQbaONhK7ZmC0n WKatgbGEHqla1uoxG3FdktQPolMIjQ=="
seems to be wrong.
Copy the secret following "Key:" from the .private file.

I wanted to follow up here because I had this particular problem and I can explain the solution a little better than "your secret seems to be wrong", though I mean no offense. For some reason dnssec-keygen has inserted an errant space into the middle of my private key. When I eliminated this space (as you have here in your secret), all was well in the world. Try getting rid of only the small space there in the middle of your secret:
secret "T2DjtGkGAzPAVrL6zar9GpxjNQ1iOjJzWKhPsF5gu0xQbaONhK7ZmC0n WKatgbGEHqla1uoxG3FdktQPolMIjQ==";
... might actually be:
secret "T2DjtGkGAzPAVrL6zar9GpxjNQ1iOjJzWKhPsF5gu0xQbaONhK7ZmC0nWKatgbGEHqla1uoxG3FdktQPolMIjQ==";
I realize this is an ancient question, but this particular problem helped me to solve my issue, which was the whitespace.

Another common problem: the key name does not match the generated name.
The name given to dnssec-keygen MUST be the same as the key name in named.conf.local!
For example:
dnssec-keygen -a hmac-md5 -b 512 -n HOST -r /dev/urandom dyn.mydomain.com.
will not fly with this configuration:
key "key.mydomain.com." {
algorithm hmac-md5;
secret "T2DjtGkGAzPAVrL6zar9GpxjNQ1iOjJzWKhPsF5gu0xQbaONhK7ZmC0n WKatgbGEHqla1uoxG3FdktQPolMIjQ==";
};
A trailing . at the end of the key name does not seem to cause the problem.
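Both answers above reduce to the same two checks: the secret in named.conf must be exactly the Key: value from the .private file, with no whitespace inside it, and the key name must match the name given to dnssec-keygen. The following Python script is an added example, not code from the original thread. It runs those checks, plus base64 and algorithm sanity checks, on constructed inputs modelled on the question (the secret is the one pasted above, stray space included; the numbers in ALG_NAMES are the algorithm numbers dnssec-keygen writes into the .private file and the file name, 157 being hmac-md5 as in Kdyn.mydomain.com.+157+53489.private).

```python
import base64
import binascii
import re

# Constructed inputs modelled on the question above (not real key material).
# A dnssec-keygen .private file carries the algorithm number and the base64
# secret on its "Algorithm:" and "Key:" lines.
PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: T2DjtGkGAzPAVrL6zar9GpxjNQ1iOjJzWKhPsF5gu0xQbaONhK7ZmC0nWKatgbGEHqla1uoxG3FdktQPolMIjQ==
"""

# The key stanza as pasted in the question, stray space in the secret included.
NAMED_CONF = """\
key "dyn.mydomain.com." {
algorithm hmac-md5;
secret "T2DjtGkGAzPAVrL6zar9GpxjNQ1iOjJzWKhPsF5gu0xQbaONhK7ZmC0n WKatgbGEHqla1uoxG3FdktQPolMIjQ==";
};
"""

# dnssec-keygen algorithm numbers (as in K<name>.+157+<id>.private) -> named algorithm names
ALG_NAMES = {157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
             163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512"}

# Simple matcher for a stanza written in the order the question uses:
# key "<name>" { algorithm <alg>; secret "<base64>"; };
KEY_STANZA = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]*)"\s*;\s*\}\s*;',
    re.IGNORECASE)


def parse_private_file(text):
    """Return (algorithm_number, secret) from the .private file."""
    alg = secret = None
    for line in text.splitlines():
        if line.startswith("Algorithm:"):
            alg = int(line.split(":", 1)[1].split()[0])
        elif line.startswith("Key:"):
            secret = line.split(":", 1)[1].strip()
    return alg, secret


def parse_key_stanza(text):
    """Return (name, algorithm, secret) from the first key stanza in named.conf text."""
    m = KEY_STANZA.search(text)
    if not m:
        raise ValueError("no key stanza found")
    return m.group(1), m.group(2).lower(), m.group(3)


def check_tsig_key(named_conf, private_file, keygen_name):
    """List the mismatches that make named reject the TSIG key (the BADKEY reply)."""
    problems = []
    conf_name, conf_alg, conf_secret = parse_key_stanza(named_conf)
    file_alg, file_secret = parse_private_file(private_file)
    stripped = re.sub(r"\s", "", conf_secret)

    # 1. The key name must be the one given to dnssec-keygen. Names compare
    #    case-insensitively and the trailing dot is optional, as the answer notes.
    if conf_name.lower().rstrip(".") != keygen_name.lower().rstrip("."):
        problems.append(f"key name mismatch: named.conf has {conf_name!r}, dnssec-keygen used {keygen_name!r}")
    # 2. The algorithm must agree with the one the key was generated for.
    if ALG_NAMES.get(file_alg) != conf_alg:
        problems.append(f"algorithm mismatch: named.conf says {conf_alg}, key file is {ALG_NAMES.get(file_alg)}")
    # 3. No whitespace inside the secret (the cause found in the answer above).
    if stripped != conf_secret:
        problems.append("secret contains whitespace")
    # 4. The secret must be well-formed base64 ...
    try:
        base64.b64decode(stripped, validate=True)
    except binascii.Error:
        problems.append("secret is not valid base64")
    # 5. ... and byte-for-byte the Key: value from the .private file.
    if stripped != file_secret:
        problems.append("secret differs from the Key: line of the .private file")
    return problems


if __name__ == "__main__":
    for p in check_tsig_key(NAMED_CONF, PRIVATE_FILE, "dyn.mydomain.com.") or ["key configuration looks consistent"]:
        print(p)
```

To use it on a real server, read named.conf and the K*.private file into the two strings and pass the name you gave to dnssec-keygen. For new keys, generate hmac-sha256 rather than hmac-md5; the hmac-md5 entry is in the table only because that is what the question uses.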

Related

How can I list all the IPs on which youtube and netflix operate (effectively getting all DNS A and AAAA records)?

Youtube and Netflix probably operate on content distribution networks. I realized that Youtube operates on Google and Netflix on Amazon Web Services. So, I can't exactly get the IPs on which they operate. Youtube is under AS number 15169, i.e. it belongs to Google, and Netflix responds using several ASNs belonging to AWS, like 15609 and 14168.
So, IP ASN lookups like
'curl https://api.hackertarget.com/aslookup/?q=AS15169'
will provide wrong answers, I think, as they also list all IPs of Google.
dig youtube.com
provides
; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36383
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;youtube.com. IN A
;; ANSWER SECTION:
youtube.com. 300 IN A 172.217.161.142
;; Query time: 599 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue May 19 04:21:33 IST 2020
;; MSG SIZE rcvd: 56
which is the same as the one obtained by pinging youtube, but the address changes if we change our location using VPNs
dig netflix.com
provides
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13053
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;netflix.com. IN A
;; ANSWER SECTION:
netflix.com. 60 IN A 54.71.93.100
netflix.com. 60 IN A 54.149.160.164
netflix.com. 60 IN A 35.166.180.66
netflix.com. 60 IN A 35.165.194.49
netflix.com. 60 IN A 52.41.168.84
netflix.com. 60 IN A 34.208.21.204
netflix.com. 60 IN A 54.68.234.134
netflix.com. 60 IN A 52.34.38.200
;; Query time: 581 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue May 19 04:21:14 IST 2020
;; MSG SIZE rcvd: 168
It also changes with VPNs.
It would be great if I could obtain confirmed IPs used by Youtube and Netflix.

How to properly point subdomain (w.example.com) to (ns1.w.example.com)

I want to point my subdomain (w.example.com) to (ns1.w.example.com)
NS w.example.com directs to ns1.w.example.com.
A ns1.w.example.com directs to 192.0.2.139
>> dig w.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> w.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20571
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;w.example.com. IN A
;; Query time: 195 msec
;; SERVER: 67.207.67.3#53(67.207.67.3)
;; WHEN: Thu Feb 14 12:10:13 UTC 2019
;; MSG SIZE rcvd: 43
Why is it breaking DNS resolution, and what is the proper way to point my subdomain (w.example.com) to (ns1.w.example.com)?
In the zone of domain.com you need the delegation AND a glue record, respectively the second-to-last and last records here:
$ORIGIN example.com.
@ NS auth.dns.example
@ NS auth.dns.example
@ NS auth.dns.example
...
w NS ns1.w
ns1.w A 192.0.2.139
The glue record is "out-of-zone" data, needed to pre-indicate the address of that nameserver, as without that info a resolver can't guess it.
At the zone of w.example.com you need to have
$ORIGIN w.example.com.
@ NS ns1
ns1 A 192.0.2.139
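The delegation-plus-glue rule in the answer above can be checked mechanically. The following Python script is an added example, not part of the original answer: it reads two zone snippets (constructed here from the answer, with auth.dns.example. written as a fully qualified name) and reports a missing delegation, a missing glue record for a nameserver whose name lies inside the child zone, or an NS set that differs between parent and child. The zone reader is deliberately minimal; only $ORIGIN, the optional TTL/class fields, and NS/A/AAAA records matter for this check.

```python
# Constructed zone snippets modelled on the answer above. PARENT_OK has both the
# delegation and the glue; PARENT_NO_GLUE is the same parent with the glue left out.
PARENT_OK = """\
$ORIGIN example.com.
@ NS auth.dns.example.
w NS ns1.w
ns1.w A 192.0.2.139
"""

PARENT_NO_GLUE = """\
$ORIGIN example.com.
@ NS auth.dns.example.
w NS ns1.w
"""

CHILD = """\
$ORIGIN w.example.com.
@ NS ns1
ns1 A 192.0.2.139
"""


def qualify(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin="."):
    """Minimal zone-file reader: handles $ORIGIN, comments and optional TTL/class,
    returning (owner, type, rdata) tuples with names fully qualified and lower-cased."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):              # $TTL and friends are irrelevant here
            continue
        fields = line.split()
        owner, rest = qualify(fields[0], origin), fields[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype in ("NS", "CNAME"):          # rdata is a domain name: qualify it too
            rdata = qualify(rdata, origin)
        records.append((owner.lower(), rtype, rdata.lower()))
    return records


def has_address(records, name):
    return any(o == name and t in ("A", "AAAA") for o, t, _ in records)


def check_delegation(parent, child, child_origin):
    """Report what is missing for the parent -> child delegation to resolve."""
    child_origin = child_origin.lower()
    problems = []
    parent_ns = {rd for o, t, rd in parent if o == child_origin and t == "NS"}
    child_ns = {rd for o, t, rd in child if o == child_origin and t == "NS"}
    if not parent_ns:
        problems.append(f"no NS records for {child_origin} in the parent zone (not delegated)")
    if parent_ns and child_ns and parent_ns != child_ns:
        problems.append(f"NS set differs: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    for ns in sorted(parent_ns):
        # A nameserver named inside the zone it serves can only be found via glue:
        # a resolver cannot ask the child zone for the child's own server address.
        if ns.endswith("." + child_origin) and not has_address(parent, ns):
            problems.append(f"missing glue: {ns} is inside {child_origin} but has no A/AAAA record in the parent zone")
    for ns in sorted(child_ns):
        if ns.endswith("." + child_origin) and not has_address(child, ns):
            problems.append(f"{ns} has no A/AAAA record in the child zone itself")
    return problems


if __name__ == "__main__":
    for label, parent in (("with glue", PARENT_OK), ("without glue", PARENT_NO_GLUE)):
        print(label, "->", check_delegation(parse_zone(parent), parse_zone(CHILD), "w.example.com.") or "OK")
```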

DNS lookup getting Non-existent domain error

I have two mirrored forwarding DNS servers (for simplicity, named f1 and f2) which forward some domain requests to my authoritative DNS servers (named a1 and a2). I added some new domains to my authoritative DNS servers, but when I nslookup a new domain from f1 or f2, I get a Non-existent domain error like the following. If I nslookup from a1 or a2, it works.
C:\Users\Liu.D.H>nslookup www.yqsbfiles.ynu.edu.cn
Server: ynu-public-dns-a.ynu.edu.cn
Address: 113.55.13.51
*** ynu-public-dns-a.ynu.edu.cn can't find www.yqsbfiles.ynu.edu.cn: Non-existent domain
C:\Users\Liu.D.H>
I also used dig to get more debug info.
C:\Users\Liu.D.H>dig www.yqsbfiles.ynu.edu.cn @113.55.13.52
; <<>> DiG 9.10.6 <<>> www.yqsbfiles.ynu.edu.cn @113.55.13.52
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28130
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yqsbfiles.ynu.edu.cn. IN A
;; AUTHORITY SECTION:
ynu.edu.cn. 9936 IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. 2016062301 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 113.55.13.52#53(113.55.13.52)
;; WHEN: Fri Jun 08 10:44:35 China Standard Time 2018
;; MSG SIZE rcvd: 101
C:\Users\Liu.D.H>
But the strange thing was that if I did rndc flush on f1 or f2, then I could query successfully.
C:\Users\Liu.D.H>dig www.yqsbfiles.ynu.edu.cn @113.55.13.51
; <<>> DiG 9.10.6 <<>> www.yqsbfiles.ynu.edu.cn @113.55.13.51
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4168
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yqsbfiles.ynu.edu.cn. IN A
;; ANSWER SECTION:
www.yqsbfiles.ynu.edu.cn. 86400 IN CNAME lb-http.ynu.edu.cn.
lb-http.ynu.edu.cn. 86393 IN A 202.203.208.41
;; AUTHORITY SECTION:
ynu.edu.cn. 86391 IN NS secdns.ynu.edu.cn.
ynu.edu.cn. 86391 IN NS pridns.ynu.edu.cn.
;; ADDITIONAL SECTION:
pridns.ynu.edu.cn. 86396 IN A 202.203.208.33
pridns.ynu.edu.cn. 86396 IN AAAA 2001:250:2800:2::33
secdns.ynu.edu.cn. 86391 IN A 202.203.208.34
secdns.ynu.edu.cn. 86391 IN AAAA 2001:250:2800:2::34
;; Query time: 2 msec
;; SERVER: 113.55.13.51#53(113.55.13.51)
;; WHEN: Fri Jun 08 10:43:02 China Standard Time 2018
;; MSG SIZE rcvd: 221
C:\Users\Liu.D.H>
I noticed that these two dig outputs differed in the AUTHORITY SECTION.
Any help would be appreciated. Thanks in advance.
You need to register the Authoritative Domain name server with the domain registrar for your new domain pointing to a1 and a2. After that it will work fine.

Fetch key value from string linux

I am doing:
dig @example.com hostname.example.com | grep ANSWER:
which returns the following output:
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
How can I use a pipe to get the answer count into a variable?
var=$(dig @example.com hostname.example.com | grep ANSWER:|....?...)
Use awk. You can then loop through the columns, find the one with ANSWER:, and print the next column after it.
var=$(dig @example.com hostname.example.com |
awk '/ANSWER:/ { for (i = 1; i < NF; i++) if ($i == "ANSWER:") { print $(i+1)+0; break } }')
You can use awk like this:
dig @8.8.8.8 www.example.com | awk '/ANSWER:/{print $2}' RS=,
The key here is to use , as the input record separator. Look how the input records appear to awk when using RS=,:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 www.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY
status: NOERROR
id: 49711
;; flags: qr rd ra ad; QUERY: 1
ANSWER: 1 <----- Look here! The ANSWER: is a separate record
AUTHORITY: 0
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0
flags:; udp: 512
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 74953 IN A 93.184.216.34
;; Query time: 43 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jun 27 03:40:13 CEST 2017
;; MSG SIZE rcvd: 60
The ANSWER: N section is a separate record. Now we can simply filter the /ANSWER:/ record by regex and print the second column of that row using print $2.
PS: A sed alternative would be:
dig @8.8.8.8 www.example.com | sed -rn '/(.*ANSWER: )([0-9]+)(.*)/s//\2/p'
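The awk and sed one-liners above pick the count out of the header line by position; once the output is being handled in a script it is simpler to parse a dig run once and read the counts by name. The following Python script is an added example, not from either answer. section_counts() does what the one-liners do, parse_dig() splits a whole dig run into status, header counts and per-section records, and negative_cache_info() applies that parser to the NXDOMAIN case from the "Non-existent domain" question above: there the SOA in the AUTHORITY section is the negative-caching record (RFC 2308), and its TTL of 9936, far below the 86400 in the SOA itself, shows the forwarder was handing out a cached negative answer, which is why rndc flush made the name resolve. Both samples are constructed from the outputs quoted on this page.

```python
import re

# Constructed samples: FLAGS_LINE is the header line quoted in the question above;
# DIG_NXDOMAIN is modelled on the NXDOMAIN output in the "Non-existent domain" question.
FLAGS_LINE = ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"

DIG_NXDOMAIN = """\
; <<>> DiG 9.10.6 <<>> www.yqsbfiles.ynu.edu.cn @113.55.13.52
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28130
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yqsbfiles.ynu.edu.cn. IN A
;; AUTHORITY SECTION:
ynu.edu.cn. 9936 IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. 2016062301 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 113.55.13.52#53(113.55.13.52)
"""

COUNT_RE = re.compile(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL):\s*(\d+)")


def section_counts(flags_line):
    """Return {'QUERY': 1, 'ANSWER': 1, ...} from the ';; flags:' header line, so the
    ANSWER count is read by name rather than by column position."""
    return {name: int(n) for name, n in COUNT_RE.findall(flags_line)}


def parse_dig(output):
    """Parse dig output into the status, the header counts and the resource records
    of each section. QUESTION lines start with ';' and are skipped like comments."""
    status, counts, sections, current = None, {}, {}, None
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            counts = section_counts(line)
        elif line.endswith(" SECTION:"):
            current = line.strip("; ").split()[0]   # e.g. "AUTHORITY"
            sections[current] = []
        elif line.startswith(";") or not line.strip():
            continue
        elif current:
            f = line.split()
            sections[current].append({"name": f[0], "ttl": int(f[1]), "class": f[2],
                                      "type": f[3], "rdata": " ".join(f[4:])})
    return {"status": status, "counts": counts, "sections": sections}


def negative_cache_info(parsed):
    """For a negative answer (NXDOMAIN, or NOERROR with no answer records) return
    (zone, ttl) of the SOA in the AUTHORITY section. That SOA is what a resolver
    caches the negative answer under (RFC 2308); its TTL counts down while cached."""
    if parsed["counts"].get("ANSWER", 0) != 0:
        return None
    for rr in parsed["sections"].get("AUTHORITY", []):
        if rr["type"] == "SOA":
            return rr["name"], rr["ttl"]
    return None


if __name__ == "__main__":
    print("answer count:", section_counts(FLAGS_LINE)["ANSWER"])
    parsed = parse_dig(DIG_NXDOMAIN)
    print(parsed["status"], "negative-cache SOA:", negative_cache_info(parsed))
```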

how to configure regex for dns enum lookup?

Here is my zone file:
$TTL 1H
@ IN SOA ns.e164.arpa. hostmaster.e164.arpa. (
199802151 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
;
NS ns ; Inet Address of name server
;
;
2.8.0.2.0.8.0.0.8.5.6.1.9.4.e164.arpa. NAPTR 0 0 "u" "E2U+sip" "!^.*$!sip:+49165800802082@ibcf.core.test;user=phone!" .
2.8.0.2.0.8.0.0.8.5.6.1.9.4.e164.arpa. NAPTR 0 0 "u" "E2U+sip" "!^.*$!sip:+49165800802082@ibcf.core.test!" .
3.2.1.0.5.5.5.5.1.2.1.e164.arpa. NAPTR 0 0 "u" "E2U+pstn:tel" "!^.*$!tel:+1-215-555-0123;npdi;rn=+1-215-555-0199!" .
3.2.1.0.5.5.5.5.1.2.1.e164.arpa. NAPTR 10 100 "u" "E2U+pstn:sip" "!^.*$!sip:+1-215-555-0123;npdi;rn=+1-215-555-0199@ibcf.core.test;user=phone!" .
;
;
; A records:
;
ns A 10.10.240.4
localhost A 127.0.0.1
ns AAAA 3001:10:240::4
Then I run:
dig naptr 3.2.1.0.5.5.5.5.1.2.1.e164.arpa @127.0.0.1
It works OK; the result is:
; <<>> DiG 9.9.4-P2 <<>> naptr 3.2.1.0.5.5.5.5.1.2.1.e164.arpa @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40018
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;3.2.1.0.5.5.5.5.1.2.1.e164.arpa. IN NAPTR
;; ANSWER SECTION:
3.2.1.0.5.5.5.5.1.2.1.e164.arpa. 3600 IN NAPTR 10 100 "u" "E2U+pstn:sip" "!^.*$!sip:+1-215-555-0123\;npdi\;rn=+1-215-555-0199@ibcf.core.test\;user=phone!" .
3.2.1.0.5.5.5.5.1.2.1.e164.arpa. 3600 IN NAPTR 0 0 "u" "E2U+pstn:tel" "!^.*$!tel:+1-215-555-0123\;npdi\;rn=+1-215-555-0199!" .
;; AUTHORITY SECTION:
e164.arpa. 3600 IN NS ns.e164.arpa.
;; ADDITIONAL SECTION:
ns.e164.arpa. 3600 IN A 10.10.240.4
ns.e164.arpa. 3600 IN AAAA 3001:10:240::4
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 19 10:42:20 CEST 2016
;; MSG SIZE rcvd: 313
My Question:
I have a lot of addresses like (3.2.1.0.5.5.5.5.1.2.1.e164.arpa.) to look up, but I don't want to write every record in this zone file.
Does DNS support regex in the zone configuration file?
Just like:
3.*.e164.arpa. NAPTR 10 100 "u" "E2U+pstn:sip" "!^.*$!sip:+1-215-555-0123;npdi;rn=+1-215-555-0199@ibcf.core.test;user=phone!" .
Any name whose first character is 3 would match this rule.
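On the question just above: DNS has no regular expressions in owner names. The only pattern form is the wildcard label * (RFC 4592), which must be the leftmost label and matches a query name only when the closest existing ancestor of that name is the wildcard's parent; the regex in a NAPTR record is applied to the query string, which in ENUM (RFC 6116) is the E.164 number itself. The following Python script is an added example, not part of the original question. It builds the e164.arpa name from a number, looks it up in an in-memory copy of the NAPTR records above (constructed), applies the NAPTR regexp including capture groups, and adds one hypothetical wildcard record, *.5.1.2.1.e164.arpa., to show both what a wildcard gives you (one record for a whole number range) and its trap: a number that shares a prefix with an existing record, such as +12155550124, has an empty non-terminal as its closest encloser and gets NXDOMAIN rather than the wildcard.

```python
import re

# Constructed in-memory copy of the NAPTR records from the zone file above
# (owner -> list of (order, preference, flags, service, regexp)), plus one
# wildcard record that is NOT in the original zone, added to show what DNS
# wildcards can and cannot do for the "3.*.e164.arpa." idea.
ZONE = {
    "2.8.0.2.0.8.0.0.8.5.6.1.9.4.e164.arpa.": [
        (0, 0, "u", "E2U+sip", "!^.*$!sip:+49165800802082@ibcf.core.test;user=phone!"),
        (0, 0, "u", "E2U+sip", "!^.*$!sip:+49165800802082@ibcf.core.test!"),
    ],
    "3.2.1.0.5.5.5.5.1.2.1.e164.arpa.": [
        (0, 0, "u", "E2U+pstn:tel", "!^.*$!tel:+1-215-555-0123;npdi;rn=+1-215-555-0199!"),
        (10, 100, "u", "E2U+pstn:sip",
         "!^.*$!sip:+1-215-555-0123;npdi;rn=+1-215-555-0199@ibcf.core.test;user=phone!"),
    ],
    # Added wildcard (hypothetical): one record for every +1 215 number, with a
    # capture group so the dialled digits are carried into the SIP URI.
    "*.5.1.2.1.e164.arpa.": [
        (100, 10, "u", "E2U+sip", r"!^\+1215(\d+)$!sip:+1215\1@ibcf.core.test;user=phone!"),
    ],
}


def enum_name(e164):
    """RFC 6116: keep the digits, reverse them, dot-separate, append e164.arpa."""
    digits = re.sub(r"\D", "", e164)
    return ".".join(reversed(digits)) + ".e164.arpa."


def existing_names(zone):
    """Every name that exists in the zone: the owners plus all their ancestors
    (empty non-terminals), which is the set RFC 4592 wildcard matching is defined over."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            names.add(".".join(labels[i:]))
    return names


def lookup_naptr(qname, zone=ZONE):
    """RFC 4592 lookup: exact match, otherwise the wildcard directly under the
    closest encloser. Returns the RRset, [] for NODATA, or None for NXDOMAIN."""
    qname = qname.lower()
    if qname in zone:
        return zone[qname]
    existing = existing_names(zone)
    if qname in existing:
        return []              # empty non-terminal: the name exists but has no records
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in existing:
            # ancestor is the closest encloser; only "*." + ancestor may match
            return zone.get("*." + ancestor)
    return None


def apply_naptr_regexp(regexp_field, subject):
    """Apply a NAPTR "!ere!repl!flags" rewrite to the subject (the E.164 number in ENUM).
    NAPTR specifies POSIX ERE; Python's re agrees for the simple patterns used here."""
    delim = regexp_field[0]
    parts = regexp_field[1:].split(delim)
    ere, repl = parts[0], parts[1]
    flags = parts[2] if len(parts) > 2 else ""
    m = re.compile(ere, re.IGNORECASE if "i" in flags else 0).search(subject)
    return m.expand(repl) if m else None


def resolve_enum(e164, zone=ZONE):
    """Number -> e164.arpa name -> NAPTR RRset (by order, preference) -> rewritten URIs.
    Returns None when the name does not exist (NXDOMAIN)."""
    rrset = lookup_naptr(enum_name(e164), zone)
    if rrset is None:
        return None
    results = []
    for _order, _pref, _flags, service, regexp in sorted(rrset):
        uri = apply_naptr_regexp(regexp, e164)
        if uri is not None:
            results.append((service, uri))
    return results


if __name__ == "__main__":
    for number in ("+12155550123", "+12156000000", "+12155550124"):
        print(number, "->", enum_name(number), "->", resolve_enum(number))
```

+12156000000 reaches the wildcard because its closest existing ancestor is 5.1.2.1.e164.arpa., while +12155550124 does not: the existing record for +12155550123 makes 2.1.0.5.5.5.5.1.2.1.e164.arpa. an empty non-terminal, that becomes the closest encloser, and no wildcard exists directly under it.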
