[Freeipa-users] DNS SOA Records

Petr Spacek pspacek at redhat.com
Wed May 14 08:57:04 UTC 2014


On 13.5.2014 21:32, Dmitri Pal wrote:
> On 05/13/2014 02:12 PM, Bob wrote:
>> I ran
>>
>> ipa dnszone-mod vh1.vzwnet.com \
>>     --update-policy="grant bob-key name test.vh1.vzwnet.com.;"
>>
>> I then execute the nsupdate:
>>
>> [root@nj51rhidms16v ~]# ./bobtest.sh
>> ; TSIG error with server: tsig indicates error
>> update failed: NOTAUTH(BADKEY)
>>
>>
>> [root@nj51rhidms16v ~]# cat ./bobtest.sh
>> #!/bin/ksh
>> #
>> # TSIG key for nsupdate -y, in the form [hmac:]keyname:base64-secret
>> # (no algorithm prefix means nsupdate defaults to hmac-md5).
>> keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
>> # nsupdate reads the update from stdin and sends it on EOF.
>> print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n" | nsupdate -y $keyfile
>>
>> [root@nj51rhidms16v log]# tail daemon
>> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing
>> keytab file [default]: Principal
>> [host/nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM] was not found.
>> Unable to create GSSAPI-encrypted LDAP connection.
>> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to
>> key table
>> May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
>> May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
>> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing
>> keytab file [default]: Principal
>> [host/nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM] was not found.
>> Unable to create GSSAPI-encrypted LDAP connection.
>> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to
>> key table
>> May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
>> May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739:
All errors above are irrelevant to nsupdate. They point to a problem with the SSSD 
configuration, but this should not affect nsupdate with TSIG at all.

>> request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
>> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing
My best guess is that you have modified update-policy to reference key 
"bob-key" but the key is not defined in named.conf.

Unfortunately, IPA doesn't support TSIG keys in LDAP. You have to define all 
keys on all servers in named.conf manually:

Add something like:

key "bob-key" {
    algorithm hmac-md5;
    secret "<your-secret>";
};

and restart named.

Then it should work.

If you want to see support for TSIG keys in LDAP then please open a FreeIPA 
ticket:
https://fedorahosted.org/freeipa/newticket

To speed things up, please describe your use case (in detail) and propose user 
interface.


Also, please note that hmac-md5 is not "the most secure algorithm in the 
world". GSS-TSIG should be more secure. I would recommend that you gradually 
migrate from TSIG to GSS-TSIG.

Have a nice day!

-- 
Petr^2 Spacek
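The failure in this thread is a configuration mismatch: the zone's update-policy grants a key name that named.conf never defines, so named answers every signed update with BADKEY. The check below, an added example that is not part of the thread and not FreeIPA or BIND code, parses the `key { ... };` blocks of a named.conf fragment and the `grant`/`deny` rules of an update-policy string, then reports keys that are referenced but undefined (the BADKEY cause) and keys still on hmac-md5 (the weakness Petr points out). The named.conf excerpt, the update-policy string and the secret in it are constructed sample values, not taken from the thread.

```python
"""Cross-check an update-policy against the TSIG keys defined in named.conf.

Added example for the Freeipa-users thread on TSIG BADKEY errors. Not code from
FreeIPA or BIND. The sample named.conf and update-policy below are constructed.
"""
import re

# Constructed named.conf excerpt: "rndc-key" is defined, "bob-key" is not.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "c29tZS1zYW1wbGUtc2VjcmV0";
};
"""

# Constructed update-policy, in the shape passed to `ipa dnszone-mod --update-policy=...`.
SAMPLE_UPDATE_POLICY = (
    'grant bob-key name test.vh1.vzwnet.com.; '
    'grant rndc-key zonesub ANY;'
)

# One `key "name" { ... };` block; DOTALL lets the body span lines, MULTILINE
# anchors "key" at a line start so "rndc-key" inside a string is not matched.
KEY_BLOCK_RE = re.compile(
    r'^\s*key\s+"?(?P<name>[^"\s{]+)"?\s*\{(?P<body>.*?)\};',
    re.DOTALL | re.MULTILINE,
)
ALGORITHM_RE = re.compile(r'algorithm\s+([\w.-]+)\s*;')
# The key name is the first token after grant/deny in each update-policy rule.
RULE_RE = re.compile(r'\b(?:grant|deny)\s+(?P<key>\S+)\s+')

# Algorithms the thread advises moving away from (hmac-md5 and its legacy alias).
WEAK_ALGORITHMS = {"hmac-md5", "hmac-md5.sig-alg.reg.int"}


def parse_named_conf_keys(text):
    """Return {key_name: algorithm-or-None} for every key block in the fragment."""
    keys = {}
    for match in KEY_BLOCK_RE.finditer(text):
        alg = ALGORITHM_RE.search(match.group("body"))
        keys[match.group("name")] = alg.group(1).lower() if alg else None
    return keys


def parse_policy_keys(policy):
    """Return the key names referenced by grant/deny rules, in policy order."""
    # "*" is a wildcard identity in some BIND rule types, not a key name.
    return [m.group("key") for m in RULE_RE.finditer(policy) if m.group("key") != "*"]


def check_policy(policy, named_conf):
    """Return findings: undefined keys (BADKEY at update time) and weak algorithms."""
    defined = parse_named_conf_keys(named_conf)
    findings = []
    for key in parse_policy_keys(policy):
        if key not in defined:
            findings.append(
                f"missing: key '{key}' is granted by update-policy but not defined "
                f"in named.conf; signed updates would fail with NOTAUTH(BADKEY)"
            )
        elif defined[key] in WEAK_ALGORITHMS:
            findings.append(
                f"weak: key '{key}' uses {defined[key]}; prefer hmac-sha256 or GSS-TSIG"
            )
    return findings


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_UPDATE_POLICY, SAMPLE_NAMED_CONF):
        print(finding)
```

On the constructed input this reports `bob-key` as missing and `rndc-key` as weak. Run it against each IPA server's named.conf, since the thread's point is that the key block must be present on every server, not just the one the update was sent to.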