Thank you, -d surfaced the issue - now to decide what to do about it...
________________________________
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Kevin Darcy
<kevin.da...@fcagroup.com>
Sent: Tuesday, August 4, 2020 3:28 PM
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: [EXTERNAL] Re: CNAME restrictions
CAUTION: This email originated from outside of the organization. Do not click
links or open attachments unless you recognize the sender and know the content
is safe.
[ Classification Level: GENERAL BUSINESS ]
Offhand, it looks like the server side is configured to only allow
authenticated updates, but you're sending an unauthenticated one.
A more nuanced issue might be if the ID you're running the nsupdate as, can't
read the key files, so even though you may have intended the update to be
signed, it actually wasn't.
Did you try adding a -d to the nsupdate command? If so, does the debug output
give any clues?
- Kevin
On Tue, Aug 4, 2020 at 1:30 PM Leroy Tennison
<le...@datavoiceint.com<mailto:le...@datavoiceint.com>> wrote:
I have a situation where, due to the system's location (IP subnet), its DNS
name is <webserver>.<internal
subdomain>.datavoiceint.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fdatavoiceint.com&c=E,1,0gSBGzOV_9iJ4F-vOfqNwsk4Kjf6AQvm_Nt3gjCZAng77d3CYgiVYS_-yNeGK3M-LLCuD8B-erwPcTNMkAxJaTdxayw90W-cIVfFe6TBpYonsjiZafcGPSBGsgSS&typo=1>.
We have a certificate for
*.datavoiceint.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fdatavoiceint.com&c=E,1,e3FlEDT18o4d4tQSRMvBH_pJRuK7156_n6wtGIzdpwjQt88Y_j375seki-O4IjtqsVLmsYGablGT9qnLV7jap1khSDSeV8Qt3U6JQ73WAhGbMMeoi10k&typo=1>
which we prefer to use instead of having to acquire a certificate for
<internal
subdomain>.datavoiceint.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fdatavoiceint.com&c=E,1,6-PPelQOIFl5wSdbP2RNe2N6pkrhqneq6Ezfx3p5-pXYgNrt6J521WJEJJKFmvxtsjfuSzRbWHJnSbpTUyu6XqeAeCg6OO0-KzDJiXfe1ccW7qg9pN7g2CgI&typo=1>
since this is a one-off internal-only web server. Our (ISC) DNS servers
(version 9.10.3-P4-Ubuntu that comes with Ubuntu 16.04) serve both domains. I
thought a solution would be to use a CNAME but, when I attempt this (via
nsupdate with the update key which works for A and PTR adds and deletes) I get
(on "send"):
TSIG error with server: expected a TSIG or SIG(0)
update failed: NOTIMP
What I tried (on both <internal
subdomain>.datavoiceint.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fdatavoiceint.com&c=E,1,WqKTpCcatx2SaWvqy4SyBLF0mNa1-gW8LKH80Ec2eWBinE3E7c5lEHLpjRuSiRnF_xc32FO_Ke1HOfMD3_RKS1c_-Gb4quMBWrNQrHh74wi-HJkg&typo=1>.
and
datavoiceint.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fdatavoiceint.com&c=E,1,gDRbc9b7Hocp2adLEqMg2H4aBk9B80nSlj9DRUkwds45t2gqX4OYSPpS7T0rTc7SpPNhIUwv5Qxh01PYiNrEy5_9cB7--c16EqfcCxXOM4w,&typo=1>.)
was:
update add
<webserver>.datavoiceint.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fdatavoiceint.com&c=E,1,LMSRr0xOj2dbcOJlyj5U8VIFyRH5ecttdkU4Je538OMUPmbLfqBLc5uT1bH4P4-AQWj7eME7APcmrfzjgPYOORSQ1gGlo41FqXQQU67iTV6fGo1tYi-G3-c,&typo=1>.
86400 IN CNAME <webserver>.<internal
subdomain>.datavoiceint.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fdatavoiceint.com&c=E,1,K69ghu-8VkYZl4XrnMCfdzlp4UUfK2BGmh9Q9xWS3VzeXkVGOtpJequZa-J_gQCYM2J904MVlyeH5VboQjCatM-y6QbI5FtcIV32w9Cx&typo=1>.
Apparently I'm mis-understanding CNAME usage, if I actually can use a CNAME
record what should the format be (or do I need to configure bind differently to
use it since part of the reply is NOTIMP)? If that's not possible due to CNAME
restrictions are there any alternatives?
Thanks for your help.
Harriscomputer
Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com<mailto:le...@datavoiceint.com>
P:
[cid:Data-Voice-International-LOGO_aa3d1c6e-5cfb-451f-ba2c-af8059e69609.PNG]
2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com<http://www..com>
This message has been sent on behalf of a company that is part of the Harris
Operating Group of Constellation Software Inc.
If you prefer not to be contacted by Harris Operating Group please notify
us<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fsubscribe.harriscomputer.com%2f&c=E,1,tDHN8eusdo1dmAH7sVm4QCbMt63IMR6Im_-2r3epFrKvWDlRIiNUdnjRrqlc7YbDFZi26vf4PH2bi8fXxWwxgooQFPSr0rZ89dfsdV3EvGhNQhzOxc6dkeUO&typo=1>.
This message is intended exclusively for the individual or entity to which it
is addressed. This communication may contain information that is proprietary,
privileged or confidential or otherwise legally exempt from disclosure. If you
are not the named addressee, you are not authorized to read, print, retain,
copy or disseminate this message or any part of it. If you have received this
message in error, please notify the sender immediately by e-mail and delete all
copies of the message.
_______________________________________________
Please visit
https://lists.isc.org/mailman/listinfo/bind-users<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2flists.isc.org%2fmailman%2flistinfo%2fbind-users&c=E,1,CDMflPVUr90kiYfSOvXo00T7TBy9AFUx6FdLRdQBJa-nfuss1-6v2StCLMjo5N7XEWIzaAMYqdLxCJm19LkU41PJ7S70tpWHEbsHm_wRreEtphpp0w,,&typo=1>
to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at
https://www.isc.org/contact/<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.isc.org%2fcontact%2f&c=E,1,zAjBUTG3aODlmEnA9xOCfIc-FLN7uOu1DJKXw8Di5qzNFwVHyjgzPL-Fz4AGawuWpUobdCCcvjoC2yzfGz6u5wChvrFo_HlzGCt2MGZRPraxh9UnfgFFPElXjA,,&typo=1>
for more information.
bind-users mailing list
bind-users@lists.isc.org<mailto:bind-users@lists.isc.org>
https://lists.isc.org/mailman/listinfo/bind-users<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2flists.isc.org%2fmailman%2flistinfo%2fbind-users&c=E,1,S19JJd3-XjKGpp0iiFqcNeZ9ZhMDJTJXXYfdHBbUbJTkidDuGUItxy4j8ymlHdHl1DtSX9Y5wSZGiz_-fngKSPWyp8oCKUEsRXNwiJ2pcgcpoug,&typo=1>
Harriscomputer
Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com
P:
[cid:Data-Voice-International-LOGO_aa3d1c6e-5cfb-451f-ba2c-af8059e69609.PNG]
2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com<http://www..com>
This message has been sent on behalf of a company that is part of the Harris
Operating Group of Constellation Software Inc.
If you prefer not to be contacted by Harris Operating Group please notify
us<http://subscribe.harriscomputer.com/>.
This message is intended exclusively for the individual or entity to which it
is addressed. This communication may contain information that is proprietary,
privileged or confidential or otherwise legally exempt from disclosure. If you
are not the named addressee, you are not authorized to read, print, retain,
copy or disseminate this message or any part of it. If you have received this
message in error, please notify the sender immediately by e-mail and delete all
copies of the message.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
