
I've been trying to set up a domain that can be updated. I'm using bind9, and I've used

ddns-confgen -a hmac-sha512 -k <keyname>

to generate my key, and I've added the key to /etc/bind/keys.local:

key "<keyname>" {
        algorithm hmac-sha512;
        secret "<secret>";
};

My named.conf file looks like this:

include "/etc/bind/keys.local";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

My named.conf.local file looks like this:

zone "<subdomain_name>" {
    type master;
    update-policy {
        grant <keyname> zonesub ANY;
    };
    file "<zone_file>"; # zone file path
};

zone "<reverse_zone>.in-addr.arpa" {
    type master;
    update-policy {
        grant <keyname> zonesub ANY;
    };
    file "<reverse_zone_file>";
};

Am I missing something obvious? Because when I do:

sudo nsupdate -k <keyfile>
server <dns_server>
zone <subdomain_name>
update add newhost.<subdomain_name> 86400 A <newhost_ip>
send

I end up getting a SERVFAIL response...

dig <dns_server>

and

ping <dns_server>

work correctly; I just cannot get DDNS to work. I've tried the responses in other threads like this one, but all end up giving me SERVFAIL regardless of what I try. Thanks in advance for any suggestions.

Edit 1: these are the corresponding logs on the server side when I attempt an nsupdate:

signer "<keyname>" approved
apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/<zone_file>" pid=18799 comm="named" requested_mask="c" denied_mask="c" fsuid=112 ouid=112
client <client_ip>#62287/key <keyname>: signer "<keyname>" approved
client 172.30.2.253#62287/key <keyname>: updating zone '<zonename>/IN': adding an RR at 'host3.<zonename>' A <new_host_ip>
/etc/bind/zones/<zone_file>: create: permission denied
client <client_ip>#62287/key <keyname>: updating zone 'aci.riviera.local/IN': error: journal open failed: unexpected error

Edit 2:

Turns out the bind group did not have write permissions on /etc/bind ...

sudo chown -R bind:bind /etc/bind

fixed the problem.

Mazimer
  • AFAIK a SERVFAIL is the response a client gets; is there a corresponding error on the server side? You can increase the verbosity and separate out the specific update events into their own log file, which is useful if you have a busy server: http://www.zytrax.com/books/dns/ch7/logging.html and for instance https://stackoverflow.com/a/12114139/2952385 – HBruijn Jul 10 '18 at 10:19
  • I've updated the post with the corresponding logs @HBruijn – Mazimer Jul 10 '18 at 13:25
  • OK, so your logs say you have a permission problem. What are the permissions? – Michael Hampton Jul 10 '18 at 13:26
  • All files in /etc/bind and /etc/bind/zones look like this: -rw-r--r-- 1 root bind 168 Jul 10 15:29 keys.local – Mazimer Jul 10 '18 at 13:34

1 Answer


Thank you for acting like a sysadmin and posting your server logs rather than trying to debug server issues from a client utility alone.

apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/" pid=18799 comm="named" requested_mask="c" denied_mask="c" fsuid=112 ouid=112

That seems to indicate that AppArmor is blocking your name server from creating a file in /etc/bind/zones.

The bind name server needs a place to persistently store (in files) dynamic updates and does that by creating .jnl journal files in the directory where your zone files are stored. AppArmor is blocking that operation because, in general, it is a security violation when daemons and services change their own runtime configuration.

Possible solutions:

  • Move your zone files to a directory with the correct AppArmor protections.
    On my Ubuntu 16.04 /etc/apparmor.d/usr.sbin.named designates
    /var/lib/bind/ as the conventional alternative to /etc/bind for dynamically updated zone (and journal) files.
  • Override the default AppArmor protections.

Create a local override and allow dynamic updates in /etc/bind/zones:

# /etc/apparmor.d/local/usr.sbin.named 

/etc/bind/zones/** rw,
HBruijn
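The two checks a practitioner wants after reading the answer above are: decode the AppArmor audit line to see exactly which path and access mode named was refused, and audit named.conf.local for zone files that live somewhere named is not allowed to write journals. The script below is an added example, not code from the question, the answer or the BIND project. It assumes the stock Ubuntu profile's writable locations are /var/lib/bind/ and /var/cache/bind/ (the answer mentions /var/lib/bind/; /var/cache/bind/ is the default `directory` and is an assumption here), and the audit line and named.conf fragment it operates on are constructed to mirror the ones posted, with hypothetical zone names.

```shell
#!/usr/bin/env bash
# Added example: triage a named AppArmor denial and audit named.conf zone paths.
# Not part of the original post; paths below reflect Ubuntu's stock
# /etc/apparmor.d/usr.sbin.named profile (assumption, check your own profile).
set -eu

# Directory prefixes under which the stock profile lets named create/write files.
WRITABLE_PREFIXES="/var/lib/bind/ /var/cache/bind/"

# Constructed audit line modelled on the one in the question (values hypothetical).
DENIAL='apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/db.example.test.jnl" pid=18799 comm="named" requested_mask="c" denied_mask="c" fsuid=112 ouid=112'

# Extract one key=value field from an AppArmor audit line, quotes stripped.
# Works for quoted (name="...") and unquoted (pid=18799) fields; values here
# contain no spaces, so splitting on spaces is sufficient.
aa_field() {
    local line="$1" key="$2"
    printf '%s\n' "$line" | tr ' ' '\n' | sed -n "s/^${key}=//p" | tr -d '"'
}

# Turn a denial into a one-line diagnosis. A denied "c" (create) or "w" (write)
# on a path under the zone directory means the DDNS journal cannot be written.
explain_denial() {
    local line="$1" op path mask
    op=$(aa_field "$line" operation)
    path=$(aa_field "$line" name)
    mask=$(aa_field "$line" denied_mask)
    case "$mask" in
        *c*|*w*) printf 'named may not create/write %s (operation=%s): DDNS journal cannot be written\n' "$path" "$op" ;;
        *)       printf 'named denied %s on %s (mask=%s)\n' "$op" "$path" "$mask" ;;
    esac
}

# Classify a zone file path: "ok" under a writable prefix, "readonly" under
# /etc/bind (read-only for named under the stock profile), "unknown" elsewhere.
classify_zone_path() {
    local path="$1" p
    for p in $WRITABLE_PREFIXES; do
        case "$path" in "$p"*) echo ok; return ;; esac
    done
    case "$path" in /etc/bind/*) echo readonly ;; *) echo unknown ;; esac
}

# Print every `file "..."` path in a named.conf fragment that named could not
# journal to. Relative paths are resolved against the `directory` option,
# which defaults to /var/cache/bind on Ubuntu (assumption).
audit_named_conf() {
    local conf="$1" directory="${2:-/var/cache/bind}" path
    sed -n 's/^[[:space:]]*file[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" |
    while IFS= read -r path; do
        case "$path" in /*) ;; *) path="$directory/$path" ;; esac
        [ "$(classify_zone_path "$path")" = ok ] || printf '%s\n' "$path"
    done
}

# Constructed named.conf.local fragment (hypothetical zones): one zone in the
# read-only location from the question, one in /var/lib/bind, one relative path.
make_sample_conf() {
    local f; f=$(mktemp)
    cat >"$f" <<'EOF'
zone "example.test" {
    type master;
    update-policy { grant ddns-key zonesub ANY; };
    file "/etc/bind/zones/db.example.test";   # read-only for named under the stock profile
};
zone "2.30.172.in-addr.arpa" {
    type master;
    update-policy { grant ddns-key zonesub ANY; };
    file "/var/lib/bind/db.172.30.2";         # writable: journals can be created here
};
zone "static.test" {
    type master;
    file "db.static.test";                    # relative to directory (/var/cache/bind)
};
EOF
    printf '%s\n' "$f"
}

# Demo: explain the posted denial, then list zone files that would hit it.
explain_denial "$DENIAL"
SAMPLE_CONF=$(make_sample_conf)
audit_named_conf "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it against a real box by feeding `journalctl -k` (or /var/log/syslog) lines to `explain_denial` and your actual /etc/bind/named.conf.local to `audit_named_conf`. Any path it prints needs either relocating to /var/lib/bind/ (with the `file` directive updated) or the local override the answer shows; after editing /etc/apparmor.d/local/usr.sbin.named, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` before retrying the nsupdate. Note that the ownership fix in Edit 2 alone does not address the AppArmor denial in the log, which is enforced independently of file permissions.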