Having issues dynamically updating bind with terraform - authentication failures
I'm trying to update a domain hosted with bind using terraform, and getting tsig verify failures in /var/log/named/security.log, but it works when I use nsupdate.
I'm generating a key using tsig-keygen -a HMAC-MD5 ns01.ops.example.com > /etc/bind/rndc.key, and my named.conf includes:
# Allow rndc management
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.example.com"; };
};
I parse the key data out of rndc.key, and create a dnskey.tf file with
# Configure the DNS Provider
provider "dns" {
update {
server = "127.0.0.1"
key_algorithm = "hmac-md5"
key_name = "ns01.ops.clh-int.com."
key_secret = "bI40GY5fMZxvz7/NlGwA4w=="
}
}
resource "dns_a_record_set" "cthulhu" {
zone = "ops.example.com."
name = "cthulhu"
addresses = [ "192.168.1.1" ]
ttl = 180
}
Which matches the contents of /etc/bind/rndc.key
key "ns01.ops.example.com" {
algorithm hmac-sha256;
secret "bI40GY5fMZxvz7/NlGwA4w==";
};
When I run terraform apply, I get the following error message:
Error: Error applying plan:
1 error(s) occurred:
* dns_a_record_set.cthulhu: 1 error(s) occurred:
* dns_a_record_set.cthulhu: Error updating DNS record: dns: bad authentication
2019/04/25 23:59:29 [DEBUG] plugin: waiting for all plugin processes to complete...
2019-04-25T23:59:29.319Z [DEBUG] plugin.terraform-provider-dns_v2.1.0_x4: 2019/04/25 23:59:29 [ERR] plugin: plugin server: accept unix /tmp/plugin235354968: use of closed network connection
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
And the error seen in /var/log/named/security.log is 25-Apr-2019 23:59:29.308 security: error: client @0x55fa8d04d560 127.0.0.1#37299: request has invalid signature: TSIG ns01.ops.example.com: tsig verify failure (BADKEY)
Using nsupdate -k /etc/bind/rndc.key -v commandfile works, where commandfile has contents like:
server $SERVER_ADDRESS
debug yes
zone ops.example.com
update delete blah.example.com
update add blah.example.com 300 A 10.9.8.7
send
For what it's worth, I'm running terraform inside the same docker container that bind is running in.
For completeness, here's a sanitized copy of /etc/bind/named.conf
include "/etc/bind/rndc.key";
# Allow rndc management
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.clh-int.com"; };
};
acl "clients" {
127.0.0.0/8;
};
########################
## options
########################
options {
directory "/var/bind";
dump-file "/var/bind/cache_dump.db";
statistics-file "/var/bind/bind_statistics.txt";
memstatistics-file "/var/bind/bind_mem_statistics.txt";
version "private";
lame-ttl 180;
max-ncache-ttl 1800; # max time to cache negative NXDOMAIN answers
listen-on port 53 { any; };
listen-on-v6 { none; };
allow-transfer { none; };
pid-file "/var/run/named/named.pid";
recursion yes;
forwarders {
8.8.8.8;
8.8.4.4;
};
};
########################
## zones
########################
zone "ops.example.com" IN {
type master;
file "/etc/bind/ops.example.com.zone";
allow-transfer { 127.0.0.1; };
allow-update {
key "ns01.ops.clh-int.com";
127.0.0.0/8;
};
notify yes;
};
########################
## logging
########################
logging {
channel general {
file "/var/log/named/general.log" versions 5 size 25m;
print-time yes;
print-category yes;
print-severity yes;
};
channel queries {
file "/var/log/named/queries.log" versions 5 size 10m;
print-time yes;
print-category yes;
print-severity yes;
};
channel security {
file "/var/log/named/security.log" versions 5;
print-time yes;
print-category yes;
print-severity yes;
};
category default { general; };
category general { general; };
category config { general; };
category network { general; };
category queries { queries; };
category security { security; };
};
I'm clearly missing something simple here, but can't see what it is.
bind terraform
asked 47 secs ago
Joe Block
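A BADKEY in named's security log (as opposed to BADSIG) means the server could not find a configured key whose name and algorithm match the TSIG record on the incoming request, so the HMAC was never checked. nsupdate reads name, algorithm and secret from the same file named includes, which is why it cannot disagree with the server; a hand-copied Terraform block can. The script below is an added example, not code from this post, BIND or the Terraform dns provider: it parses a BIND key stanza and the update block of a Terraform dns provider and reports every field that differs, comparing names and algorithms the way TSIG does (case-insensitive, trailing dot ignored). The sample inputs are constructed from the snippets in the question, and the key-size table is an assumption used only as a heuristic: tsig-keygen emits a key as long as the algorithm's digest, so a 16-byte secret next to "algorithm hmac-sha256" suggests the file and the -a flag used to generate it disagree.

```python
"""Consistency check for TSIG credentials shared between BIND and Terraform.

Added example (not from the question, BIND, or the Terraform dns provider).
Parses the key stanza tsig-keygen writes and the update block of a Terraform
dns provider, then lists the disagreements that make named answer BADKEY.
"""
import base64
import binascii
import re

# Default raw key size tsig-keygen produces per HMAC algorithm (digest length).
# Assumption: only used to flag a secret that looks generated for a different
# algorithm; named accepts other key lengths.
DEFAULT_KEY_BYTES = {
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}

BIND_KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+(?P<algorithm>[\w.-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;', re.S)
TF_UPDATE_RE = re.compile(r'update\s*\{(?P<body>[^}]*)\}', re.S)
TF_ASSIGN_RE = re.compile(r'(?P<key>\w+)\s*=\s*"(?P<value>[^"]*)"')


def norm_name(name: str) -> str:
    """TSIG key names are DNS names: case-insensitive, trailing dot implied."""
    return name.strip().lower().rstrip(".")


def norm_algorithm(alg: str) -> str:
    """Accept 'hmac-md5' as well as the wire name 'hmac-md5.sig-alg.reg.int.'."""
    return alg.strip().lower().rstrip(".").split(".")[0]


def parse_bind_key(text: str) -> dict:
    m = BIND_KEY_RE.search(text)
    if not m:
        raise ValueError("no key stanza found")
    return {"name": m["name"], "algorithm": m["algorithm"], "secret": m["secret"]}


def parse_tf_update(text: str) -> dict:
    m = TF_UPDATE_RE.search(text)
    if not m:
        raise ValueError("no update block found")
    fields = dict(TF_ASSIGN_RE.findall(m["body"]))
    return {"name": fields.get("key_name", ""),
            "algorithm": fields.get("key_algorithm", ""),
            "secret": fields.get("key_secret", "")}


def secret_length(secret: str):
    """Decoded length of the base64 secret, or None if it is not base64."""
    try:
        return len(base64.b64decode(secret, validate=True))
    except (binascii.Error, ValueError):
        return None


def compare(bind_key_text: str, tf_text: str) -> list:
    """One finding per field that would stop named from matching the key."""
    bk, tf = parse_bind_key(bind_key_text), parse_tf_update(tf_text)
    findings = []
    if norm_name(bk["name"]) != norm_name(tf["name"]):
        findings.append(f"key name: BIND '{bk['name']}' vs Terraform '{tf['name']}'")
    if norm_algorithm(bk["algorithm"]) != norm_algorithm(tf["algorithm"]):
        findings.append(f"algorithm: BIND '{bk['algorithm']}' vs Terraform '{tf['algorithm']}'")
    if bk["secret"] != tf["secret"]:
        findings.append("secret: base64 strings differ")
    n = secret_length(bk["secret"])
    expected = DEFAULT_KEY_BYTES.get(norm_algorithm(bk["algorithm"]))
    if n is None:
        findings.append("secret: not valid base64")
    elif expected is not None and n != expected:
        findings.append(f"secret: {n}-byte key, but tsig-keygen makes "
                        f"{expected}-byte keys for {bk['algorithm']}")
    return findings


# Constructed sample inputs mirroring the snippets in the question.
SAMPLE_RNDC_KEY = '''key "ns01.ops.example.com" {
algorithm hmac-sha256;
secret "bI40GY5fMZxvz7/NlGwA4w==";
};
'''
SAMPLE_DNSKEY_TF = '''provider "dns" {
  update {
    server        = "127.0.0.1"
    key_algorithm = "hmac-md5"
    key_name      = "ns01.ops.clh-int.com."
    key_secret    = "bI40GY5fMZxvz7/NlGwA4w=="
  }
}
'''

if __name__ == "__main__":
    for line in compare(SAMPLE_RNDC_KEY, SAMPLE_DNSKEY_TF) or ["no mismatches"]:
        print(line)
```

Run against the question's own snippets it reports three things: the key name (example.com vs clh-int.com), the algorithm (hmac-sha256 vs hmac-md5), and a 16-byte secret that matches an HMAC-MD5 key rather than one generated for hmac-sha256. Pointing the script at the real /etc/bind/rndc.key and dnskey.tf removes the guesswork of comparing the values by eye.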