
I have installed GnuDIP (a DDNS server) on my server, then added 2 zones for 2 domains for it to be dynamically updated.

I am using CentOS 7 and BIND 9.

I configured BIND 9 as follows:

/etc/named.conf root:named

include "/etc/named/gnudip-key";
// zone ddns.domain1.com
zone "ddns.domain1.com" in {
    type master;
    file "/etc/named/db.ddns.domain1.com";
    allow-query {any;};
    #allow-update { key gnudip-key;};
    update-policy { grant gnudip-key subdomain ddns.domain1.com; };
    };
// zone ddns.domain2.com
zone "ddns.domain2.com" in {
    type master;
    file "/etc/named/db.ddns.domain2.com";
    allow-query {any;};
    update-policy { grant gnudip-key subdomain ddns.domain2.com; };
    };

A very strange thing is that I can update domain 1 without problems, either by issuing the nsupdate command or from a DDNS client on another computer, but domain 2 always fails with the message `Communication with server failed: unexpected error`.

When domain2 is updated by the DDNS client on another computer, the CGI Perl script generates the error message in /var/log/messages. I then tried to trace it with `/usr/bin/nsupdate -v -L 3 -k /opt/gnudip/etc/Kgnudip-key.+157+#####.private`. The nsupdate output for the 2 domains is as follows; the only difference seems to be the req_response received.

I have turned on, I think, all the named logging according to this Stack Overflow question, but I do not see any log output from named when nsupdate tries to send the command to update domain2.

[root@webserver ~]# /usr/bin/nsupdate -v -L 3 -k /opt/gnudip/etc/Kgnudip-key.+157+31541.private
09-Sep-2018 01:55:51.102 dns_requestmgr_create
09-Sep-2018 01:55:51.102 dns_requestmgr_create: 0x7f783cd72010
> update add    test1.ddns.domain2.com. 60 A 58.153.241.169
>
09-Sep-2018 01:55:54.039 dns_request_createvia
09-Sep-2018 01:55:54.059 request_render
09-Sep-2018 01:55:54.060 requestmgr_attach: 0x7f783cd72010: eref 1 iref 1
09-Sep-2018 01:55:54.060 mgr_gethash
09-Sep-2018 01:55:54.060 req_send: request 0x7f783cd7a010
09-Sep-2018 01:55:54.060 dns_request_createvia: request 0x7f783cd7a010
09-Sep-2018 01:55:54.060 req_senddone: request 0x7f783cd7a010
09-Sep-2018 01:55:54.258 req_response: request 0x7f783cd7a010: success
09-Sep-2018 01:55:54.258 req_cancel: request 0x7f783cd7a010
09-Sep-2018 01:55:54.258 req_sendevent: request 0x7f783cd7a010
09-Sep-2018 01:55:54.258 dns_request_getresponse: request 0x7f783cd7a010
09-Sep-2018 01:55:54.274 dns_request_createvia
09-Sep-2018 01:55:54.274 request_render
09-Sep-2018 01:55:54.274 requestmgr_attach: 0x7f783cd72010: eref 1 iref 2
09-Sep-2018 01:55:54.274 mgr_gethash
09-Sep-2018 01:55:54.274 dns_request_createvia: request 0x7f783cd7a180
09-Sep-2018 01:55:54.274 dns_request_destroy: request 0x7f783cd7a010
09-Sep-2018 01:55:54.274 req_destroy: request 0x7f783cd7a010
09-Sep-2018 01:55:54.274 requestmgr_detach: 0x7f783cd72010: eref 1 iref 1
09-Sep-2018 01:55:54.446 req_connected: request 0x7f783cd7a180
09-Sep-2018 01:55:54.446 req_send: request 0x7f783cd7a180
09-Sep-2018 01:55:54.446 req_senddone: request 0x7f783cd7a180
09-Sep-2018 01:55:54.706 req_response: request 0x7f783cd7a180: unexpected error
09-Sep-2018 01:55:54.706 req_cancel: request 0x7f783cd7a180
09-Sep-2018 01:55:54.706 req_sendevent: request 0x7f783cd7a180
; Communication with server failed: unexpected error
09-Sep-2018 01:55:54.706 dns_request_destroy: request 0x7f783cd7a180
09-Sep-2018 01:55:54.706 req_destroy: request 0x7f783cd7a180
09-Sep-2018 01:55:54.706 requestmgr_detach: 0x7f783cd72010: eref 1 iref 0
> update add    test1.ddns.domain1.com. 60 A 44.44.44.44
>
09-Sep-2018 01:56:13.317 dns_request_createvia
09-Sep-2018 01:56:13.317 request_render
09-Sep-2018 01:56:13.317 requestmgr_attach: 0x7f783cd72010: eref 1 iref 1
09-Sep-2018 01:56:13.317 mgr_gethash
09-Sep-2018 01:56:13.317 req_send: request 0x7f783cd7a180
09-Sep-2018 01:56:13.317 dns_request_createvia: request 0x7f783cd7a180
09-Sep-2018 01:56:13.317 req_senddone: request 0x7f783cd7a180
09-Sep-2018 01:56:13.676 req_response: request 0x7f783cd7a180: success
09-Sep-2018 01:56:13.676 req_cancel: request 0x7f783cd7a180
09-Sep-2018 01:56:13.676 req_sendevent: request 0x7f783cd7a180
09-Sep-2018 01:56:13.676 dns_request_getresponse: request 0x7f783cd7a180
09-Sep-2018 01:56:13.953 dns_request_createvia
09-Sep-2018 01:56:13.953 request_render
09-Sep-2018 01:56:13.953 requestmgr_attach: 0x7f783cd72010: eref 1 iref 2
09-Sep-2018 01:56:13.953 mgr_gethash
09-Sep-2018 01:56:13.953 dns_request_createvia: request 0x7f783cd7a010
09-Sep-2018 01:56:13.953 dns_request_destroy: request 0x7f783cd7a180
09-Sep-2018 01:56:13.953 req_destroy: request 0x7f783cd7a180
09-Sep-2018 01:56:13.953 requestmgr_detach: 0x7f783cd72010: eref 1 iref 1
09-Sep-2018 01:56:13.953 req_connected: request 0x7f783cd7a010
09-Sep-2018 01:56:13.953 req_send: request 0x7f783cd7a010
09-Sep-2018 01:56:13.953 req_senddone: request 0x7f783cd7a010
09-Sep-2018 01:56:13.956 req_response: request 0x7f783cd7a010: success
09-Sep-2018 01:56:13.956 req_cancel: request 0x7f783cd7a010
09-Sep-2018 01:56:13.956 req_sendevent: request 0x7f783cd7a010
09-Sep-2018 01:56:13.956 dns_request_getresponse: request 0x7f783cd7a010
09-Sep-2018 01:56:13.956 dns_request_destroy: request 0x7f783cd7a010
09-Sep-2018 01:56:13.956 req_destroy: request 0x7f783cd7a010
09-Sep-2018 01:56:13.956 requestmgr_detach: 0x7f783cd72010: eref 1 iref 0

One more thing I have noticed is that named does not seem to create the jnl file for domain2:

[root@webserver ~]# ll /etc/named/db*
-rw-r--r-- 1 named named  470 Sep  9 02:08 /etc/named/db.ddns.domain1.com
-rw-r--r-- 1 named named 2023 Sep  9 01:56 /etc/named/db.ddns.domain1.com.jnl
-rw-r--r-- 1 named named  409 Sep  8 14:30 /etc/named/db.ddns.domain2.com

UPDATE:

After doing some tcpdump, it appears to me that my BIND is actually checking for the authoritative server of ddns.domain2.com? Can someone confirm my guess from the tcpdump log below?

10:03:32.039184 IP (tos 0x0, ttl 64, id 12703, offset 0, flags [none], proto UDP (17), length 69)
    webserver.domain2.com.novalocal.unisql-java > google-public-dns-a.google.com.domain: [bad udp cksum 0xda46 -> 0x559a!] 63289+ SOA? test.ddns.domain2.com. (41)
        0x0000:  4500 0045 319f 0000 4011 6f05 92c4 3730  E..E1...@.o...70
        0x0010:  0808 0808 07bb 0035 0031 da46 f739 0100  .......5.1.F.9..
        0x0020:  0001 0000 0000 0000 0474 6573 7404 6464  .........test.dd
        0x0030:  6e73 096a 696d 6d79 6368 6175 0363 6f6d  ns.domain2.com
        0x0040:  0000 0600 01                             .....
10:03:32.040422 IP (tos 0x0, ttl 64, id 12704, offset 0, flags [DF], proto UDP (17), length 66)
    webserver.domain2.com.novalocal.43698 > google-public-dns-a.google.com.domain: [bad udp cksum 0xda43 -> 0x9515!] 52323+ PTR? 8.8.8.8.in-addr.arpa. (38)
        0x0000:  4500 0042 31a0 4000 4011 2f07 92c4 3730  E..B1.@.@./...70
        0x0010:  0808 0808 aab2 0035 002e da43 cc63 0100  .......5...C.c..
        0x0020:  0001 0000 0000 0000 0138 0138 0138 0138  .........8.8.8.8
        0x0030:  0769 6e2d 6164 6472 0461 7270 6100 000c  .in-addr.arpa...
        0x0040:  0001                                     ..
10:03:32.056769 IP (tos 0x0, ttl 64, id 12710, offset 0, flags [DF], proto UDP (17), length 72)
    webserver.domain2.com.novalocal.35893 > google-public-dns-a.google.com.domain: [bad udp cksum 0xda49 -> 0x318c!] 28676+ PTR? 48.55.196.146.in-addr.arpa. (44)
        0x0000:  4500 0048 31a6 4000 4011 2efb 92c4 3730  E..H1.@.@.....70
        0x0010:  0808 0808 8c35 0035 0034 da49 7004 0100  .....5.5.4.Ip...
        0x0020:  0001 0000 0000 0000 0234 3802 3535 0331  .........48.55.1
        0x0030:  3936 0331 3436 0769 6e2d 6164 6472 0461  96.146.in-addr.a
        0x0040:  7270 6100 000c 0001                      rpa.....
10:03:32.369258 IP (tos 0x0, ttl 64, id 12722, offset 0, flags [DF], proto UDP (17), length 68)
    webserver.domain2.com.novalocal.44932 > google-public-dns-a.google.com.domain: [bad udp cksum 0xda45 -> 0x0ae6!] 14868+ A? dns1.name-services.com. (40)
        0x0000:  4500 0044 31b2 4000 4011 2ef3 92c4 3730  E..D1.@.@.....70
        0x0010:  0808 0808 af84 0035 0030 da45 3a14 0100  .......5.0.E:...
        0x0020:  0001 0000 0000 0000 0464 6e73 310d 6e61  .........dns1.na
        0x0030:  6d65 2d73 6572 7669 6365 7303 636f 6d00  me-services.com.
        0x0040:  0001 0001                                ....
10:03:32.369308 IP (tos 0x0, ttl 64, id 12723, offset 0, flags [DF], proto UDP (17), length 68)
    webserver.domain2.com.novalocal.44932 > google-public-dns-a.google.com.domain: [bad udp cksum 0xda45 -> 0x2272!] 8813+ AAAA? dns1.name-services.com. (40)
        0x0000:  4500 0044 31b3 4000 4011 2ef2 92c4 3730  E..D1.@.@.....70
        0x0010:  0808 0808 af84 0035 0030 da45 226d 0100  .......5.0.E"m..
        0x0020:  0001 0000 0000 0000 0464 6e73 310d 6e61  .........dns1.na
        0x0030:  6d65 2d73 6572 7669 6365 7303 636f 6d00  me-services.com.
        0x0040:  001c 0001                                ....
10:03:32.384349 IP (tos 0x0, ttl 64, id 54949, offset 0, flags [DF], proto TCP (6), length 60)
    webserver.domain2.com.novalocal.46589 > 98.124.243.1.domain: Flags [S], cksum 0x1fa1 (incorrect -> 0x132e), seq 49498370, win 29200, options [mss 1460,sackOK,TS val 25206695 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c d6a5 4000 4006 44a4 92c4 3730  E..<..@.@.D...70
        0x0010:  627c f301 b5fd 0035 02f3 4902 0000 0000  b|.....5..I.....
        0x0020:  a002 7210 1fa1 0000 0204 05b4 0402 080a  ..r.............
        0x0030:  0180 9fa7 0000 0000 0103 0307            ............
10:03:32.384808 IP (tos 0x0, ttl 64, id 12736, offset 0, flags [DF], proto UDP (17), length 71)
    webserver.domain2.com.novalocal.34753 > google-public-dns-a.google.com.domain: [bad udp cksum 0xda48 -> 0xa424!] 1056+ PTR? 1.243.124.98.in-addr.arpa. (43)
        0x0000:  4500 0047 31c0 4000 4011 2ee2 92c4 3730  E..G1.@.@.....70
        0x0010:  0808 0808 87c1 0035 0033 da48 0420 0100  .......5.3.H....
        0x0020:  0001 0000 0000 0000 0131 0332 3433 0331  .........1.243.1
        0x0030:  3234 0239 3807 696e 2d61 6464 7204 6172  24.98.in-addr.ar
        0x0040:  7061 0000 0c00 01                        pa.....
10:03:32.555711 IP (tos 0x0, ttl 64, id 54950, offset 0, flags [DF], proto TCP (6), length 52)
    webserver.domain2.com.novalocal.46589 > 98.124.243.1.domain: Flags [.], cksum 0x1f99 (incorrect -> 0xf281), seq 49498371, ack 2730098808, win 229, options [nop,nop,TS val 25206866 ecr 3837409275], length 0
        0x0000:  4500 0034 d6a6 4000 4006 44ab 92c4 3730  E..4..@.@.D...70
        0x0010:  627c f301 b5fd 0035 02f3 4903 a2ba 0078  b|.....5..I....x
        0x0020:  8010 00e5 1f99 0000 0101 080a 0180 a052  ...............R
        0x0030:  e4ba 37fb                                ..7.
10:03:32.556097 IP (tos 0x0, ttl 64, id 54951, offset 0, flags [DF], proto TCP (6), length 191)
    webserver.domain2.com.novalocal.46589 > 98.124.243.1.domain: Flags [P.], cksum 0x2024 (incorrect -> 0xb1c4), seq 0:139, ack 1, win 229, options [nop,nop,TS val 25206867 ecr 3837409275], length 1394771 update [1n] [1au] SOA? domain2.com. ns: test.ddns.domain2.com. [1m] A 45.45.45.45 ar: gnudip-key. ANY [0s] TSIG hmac-md5.sig-alg.reg.int. fudge=300 maclen=16 origid=4771 error=0 otherlen=0 (137)
        0x0000:  4500 00bf d6a7 4000 4006 441f 92c4 3730  E.....@.@.D...70
        0x0010:  627c f301 b5fd 0035 02f3 4903 a2ba 0078  b|.....5..I....x
        0x0020:  8018 00e5 2024 0000 0101 080a 0180 a053  .....$.........S
        0x0030:  e4ba 37fb 0089 12a3 2800 0001 0000 0001  ..7.....(.......
        0x0040:  0001 096a 696d 6d79 6368 6175 0363 6f6d  ...domain2.com
        0x0050:  0000 0600 0104 7465 7374 0464 646e 73c0  ......test.ddns.
        0x0060:  0c00 0100 0100 0000 3c00 042d 2d2d 2d0a  ........<..----.
        0x0070:  676e 7564 6970 2d6b 6579 0000 fa00 ff00  gnudip-key......
        0x0080:  0000 0000 3a08 686d 6163 2d6d 6435 0773  ....:.hmac-md5.s
        0x0090:  6967 2d61 6c67 0372 6567 0369 6e74 0000  ig-alg.reg.int..
        0x00a0:  005b 94ef f401 2c00 1015 0e32 6731 1299  .[....,....2g1..
        0x00b0:  9df4 da99 68a7 7f7e db12 a300 0000 00    ....h..~.......
  • Note that in newer Linux, the `/etc/bind` folder is often protected by apparmor. A better location for dynamically modifiable files is `/var/lib/bind/...` which is expected to be updated as required. – Alexis Wilke Feb 20 '22 at 23:38
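
An added example (not part of the original post or its comments): a check over decoded tcpdump lines like those in the capture above that reports where each TSIG-signed DNS UPDATE was sent and which zone it named, and flags any that did not go to the intended server and zone. The sample lines are constructed from the capture (trimmed, with port 53 printed as `domain` as tcpdump does without `-n`); the server address `192.0.2.53` and all function and variable names are assumptions.

```python
import re

# Constructed sample: decoded tcpdump lines modelled on the capture above.
# Line 1 is the update from the capture, line 2 an ordinary query, line 3 a
# constructed update for the working zone sent to the placeholder 192.0.2.53.
SAMPLE = """\
webserver.46589 > 98.124.243.1.domain: Flags [P.], length 1394771 update [1n] [1au] SOA? domain2.com. ns: test.ddns.domain2.com. [1m] A 45.45.45.45 ar: gnudip-key. ANY [0s] TSIG hmac-md5.sig-alg.reg.int. fudge=300 maclen=16
webserver.35893 > google-public-dns-a.google.com.domain: 28676+ PTR? 48.55.196.146.in-addr.arpa. (44)
webserver.46590 > 192.0.2.53.domain: Flags [P.], length 1435120 update [1n] [1au] SOA? ddns.domain1.com. ns: test1.ddns.domain1.com. [1m] A 44.44.44.44 ar: gnudip-key. ANY [0s] TSIG hmac-md5.sig-alg.reg.int. fudge=300 maclen=16
"""

EXPECTED_SERVER = "192.0.2.53"  # assumption: address of our own BIND server
EXPECTED_ZONES = {"ddns.domain1.com", "ddns.domain2.com"}  # zones in named.conf

# Captures: destination, zone section (SOA?), first updated name, TSIG key name.
UPDATE_RE = re.compile(
    r"> (\S+)\.domain: .*\bupdate\b.*?SOA\? (\S+) ns: (\S+) .*?ar: (\S+) ANY")


def audit_updates(capture):
    """Return one finding per DNS UPDATE message in decoded tcpdump text."""
    findings = []
    for line in capture.splitlines():
        m = UPDATE_RE.search(line)
        if m is None:
            continue  # not an UPDATE (ordinary query, TCP handshake, hex dump)
        server, zone, name, key = (g.rstrip(".").lower() for g in m.groups())
        problems = []
        if server != EXPECTED_SERVER:
            problems.append("sent to a server other than ours")
        if zone not in EXPECTED_ZONES:
            problems.append("zone section is not a zone we serve")
        findings.append({"server": server, "zone": zone, "name": name,
                         "key": key, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_updates(SAMPLE):
        status = "; ".join(f["problems"]) or "ok"
        print(f"{f['name']} -> {f['server']} zone={f['zone']} "
              f"key={f['key']}: {status}")
```

When an update turns out to be addressed to the wrong place, nsupdate's `server` and `zone` statements set the destination and the zone explicitly instead of leaving them to the SOA lookup.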

0 Answers