dyndns: asym auth for nsupdate #5274

Closed
joakim-tjernlund opened this issue Aug 14, 2020 · 10 comments

@joakim-tjernlund
Contributor

We have an asymmetrical auth scheme for DNS updates and wonder if sssd can add that?
Something like:
dyndns_auth = xxx
dyndns_auth_ptr = yyy

@sumit-bose
Contributor

Hi,

do I understand correctly that you e.g. want to set

dyndns_auth = GSS-TSIG

for A and AAAA records and

dyndns_auth_ptr = none

for PTR records?

Currently SSSD only supports 'GSS-TSIG' and 'none' as values here. So do I understand correctly that your DNS server requires authentication to update one type but does not allow authentication to update the other type?

bye,
Sumit

@joakim-tjernlund
Contributor Author

Yes, that is so.
I started hacking at https://github.com/joakim-tjernlund/sssd/tree/dyndns_auth_ptr
but I have not tested it at all yet.

@joakim-tjernlund
Contributor Author

My dyndns_auth_ptr branch above seems to work OK.

One thing that I find odd is that I cannot modify the RDNS record with nsupdate:

```
nsupdate -gv
> update delete 2.71.210.10.in-addr.arpa. in PTR
> send
; TSIG error with server: tsig verify failure
update failed: REFUSED
```

sssd managed to add that record using gss-tsig though.
Am I missing something?

@sumit-bose
Contributor

> My dyndns_auth_ptr branch above seems to work OK.
>
> One thing that I find odd is that I cannot modify the RDNS record with nsupdate:
>
> ```
> nsupdate -gv
> > update delete 2.71.210.10.in-addr.arpa. in PTR
> > send
> ; TSIG error with server: tsig verify failure
> update failed: REFUSED
> ```
>
> sssd managed to add that record using gss-tsig though.
> Am I missing something?

Hi,

it looks like SSSD will use delete only together with an add, maybe this helps here as well?

bye,
Sumit

@joakim-tjernlund
Contributor Author

> > My dyndns_auth_ptr branch above seems to work OK.
> > One thing that I find odd is that I cannot modify the RDNS record with nsupdate:
> >
> > ```
> > nsupdate -gv
> > > update delete 2.71.210.10.in-addr.arpa. in PTR
> > > send
> > ; TSIG error with server: tsig verify failure
> > update failed: REFUSED
> > ```
> >
> > sssd managed to add that record using gss-tsig though.
> > Am I missing something?
>
> Hi,
>
> it looks like SSSD will use delete only together with an add, maybe this helps here as well?
>
> bye,
> Sumit

Sort of: if I do the same delete/add it works, but if I change the TTL at all, it fails.

@joakim-tjernlund
Contributor Author

Somehow sssd uses a different TSIG signature? How is that possible?

@joakim-tjernlund
Contributor Author

I can add/del a new RDNS entry with nsupdate, but I cannot change one that sssd has created.

@joakim-tjernlund
Contributor Author

Does sssd ever remove DNS/RDNS entries? Like when shutting down?

joakim-tjernlund added a commit to joakim-tjernlund/sssd that referenced this issue Sep 29, 2020
Allows to specify auth method for DNS PTR updates.
Default to same as dyndns_auth.

Resolves: SSSD#5274

@pbrezina
Member

Pushed PR: #5283

  • master
    • 0b06908 - Add dyndns_auth_ptr support
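
As an added example (not part of the thread and not SSSD's code), the Python below shows how separate `dyndns_auth` and `dyndns_auth_ptr` values could map to separate nsupdate runs, with `dyndns_auth_ptr` falling back to `dyndns_auth` as the commit message states and each delete paired with an add. The host name `client.example.com`, the TTL, the fallback to `GSS-TSIG` when `dyndns_auth` is unset, and all function names are assumptions; the address corresponds to the PTR name quoted in the thread.

```python
# Added illustration, not SSSD source code. Host name and TTL are constructed.
import ipaddress

SUPPORTED = ("gss-tsig", "none")  # the two values the thread says SSSD accepts


def effective_auth(options):
    """Return (forward_auth, ptr_auth); dyndns_auth_ptr falls back to dyndns_auth."""
    fwd = options.get("dyndns_auth", "GSS-TSIG")  # assumed default when unset
    ptr = options.get("dyndns_auth_ptr", fwd)
    for value in (fwd, ptr):
        if value.lower() not in SUPPORTED:
            raise ValueError(f"unsupported auth method: {value!r}")
    return fwd.lower(), ptr.lower()


def nsupdate_argv(auth):
    """nsupdate -g requests GSS-TSIG; without it the update is sent unsigned."""
    return ["nsupdate", "-g"] if auth == "gss-tsig" else ["nsupdate"]


def forward_batch(fqdn, ips, ttl):
    """Delete and re-add the A/AAAA records in one transaction."""
    lines = [f"update delete {fqdn}. in {t}" for t in ("A", "AAAA")]
    for ip in ips:
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append(f"update add {fqdn}. {ttl} in {rtype} {ip}")
    return lines + ["send"]


def ptr_batch(fqdn, ip, ttl):
    """Delete and re-add the PTR record for one address in one transaction."""
    name = ip.reverse_pointer  # e.g. 2.71.210.10.in-addr.arpa
    return [f"update delete {name}. in PTR",
            f"update add {name}. {ttl} in PTR {fqdn}.",
            "send"]


def plan_updates(options, fqdn, addresses, ttl=3600):
    """Return a list of (argv, batch_lines): one forward run, one PTR run per IP."""
    fwd_auth, ptr_auth = effective_auth(options)
    ips = [ipaddress.ip_address(a) for a in addresses]
    plan = [(nsupdate_argv(fwd_auth), forward_batch(fqdn, ips, ttl))]
    plan += [(nsupdate_argv(ptr_auth), ptr_batch(fqdn, ip, ttl)) for ip in ips]
    return plan


if __name__ == "__main__":
    conf = {"dyndns_auth": "GSS-TSIG", "dyndns_auth_ptr": "none"}
    for argv, batch in plan_updates(conf, "client.example.com", ["10.210.71.2"]):
        print(" ".join(argv), "<<EOF", *batch, "EOF", sep="\n")
```

With `dyndns_auth_ptr = none` the PTR update carries no TSIG signature, so the DNS server cannot authenticate the sender of that update.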

pbrezina added the "Closed: Fixed" label Sep 29, 2020

@alexey-tikhonov
Member
