Problem with dynamic updates to bind using Terraform - authentication failure

I'm trying to use terraform to update a domain hosted with bind, but I get a tsig verify failure in /var/log/named/security.log, while it works when I use nsupdate.

I generate the key with tsig-keygen -a HMAC-MD5 ns01.ops.example.com > /etc/bind/rndc.key, and my named.conf includes:

# Allow rndc management
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.example.com"; };
};

I parse the key data out of rndc.key and create a dnskey.tf file

# Configure the DNS Provider
provider "dns" {
  update {
    server        = "127.0.0.1"
    key_algorithm = "hmac-md5"
    key_name      = "ns01.ops.clh-int.com."
    key_secret    = "bI40GY5fMZxvz7/NlGwA4w=="
  }
}

resource "dns_a_record_set" "cthulhu" {
  zone = "ops.example.com."
  name = "cthulhu"
  addresses = [ "192.168.1.1" ]
  ttl = 180
}

The matching content of /etc/bind/rndc.key

key "ns01.ops.example.com" {
    algorithm hmac-sha256;
    secret "bI40GY5fMZxvz7/NlGwA4w==";
};

When I run terraform apply, I get the following error message:

Error: Error applying plan:

1 error(s) occurred:

* dns_a_record_set.cthulhu: 1 error(s) occurred:

* dns_a_record_set.cthulhu: Error updating DNS record: dns: bad authentication

2019/04/25 23:59:29 [DEBUG] plugin: waiting for all plugin processes to complete...
2019-04-25T23:59:29.319Z [DEBUG] plugin.terraform-provider-dns_v2.1.0_x4: 2019/04/25 23:59:29 [ERR] plugin: plugin server: accept unix /tmp/plugin235354968: use of closed network connection
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

and the error seen in /var/log/named/security.log:

25-Apr-2019 23:59:29.308 security: error: client @0x55fa8d04d560 127.0.0.1#37299: request has invalid signature: TSIG ns01.ops.example.com: tsig verify failure (BADKEY)

Using nsupdate -k /etc/bind/rndc.key -v commandfile works, where commandfile has the following content:

 server $SERVER_ADDRESS
 debug yes
 zone ops.example.com
 update delete blah.example.com
 update add blah.example.com 300 A 10.9.8.7
 send

For what it's worth, I'm running terraform inside the same docker container that bind is running in.

For completeness, here is the sanitized /etc/bind/named.conf

include "/etc/bind/rndc.key";

# Allow rndc management
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.clh-int.com"; };
};

acl "clients" {
  127.0.0.0/8;
};

########################
## options
########################

options {

    directory "/var/bind";

    dump-file "/var/bind/cache_dump.db";
    statistics-file "/var/bind/bind_statistics.txt";
    memstatistics-file "/var/bind/bind_mem_statistics.txt";

    version "private";

    lame-ttl 180;
    max-ncache-ttl 1800; # max time to cache negative NXDOMAIN answers

    listen-on port 53 { any; };
    listen-on-v6 { none; };

    allow-transfer { none; };

    pid-file "/var/run/named/named.pid";

    recursion yes;

    forwarders {
      8.8.8.8;
      8.8.4.4;
    };

};

########################
## zones
########################

zone "ops.example.com" IN {
    type master;
    file "/etc/bind/ops.example.com.zone";
    allow-transfer { 127.0.0.1; };

    allow-update {
      key "ns01.ops.clh-int.com";
      127.0.0.0/8;
    };

    notify yes;
};


########################
## logging
########################

logging {
    channel general {
        file "/var/log/named/general.log" versions 5 size 25m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel queries {
        file "/var/log/named/queries.log" versions 5 size 10m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel security {
        file "/var/log/named/security.log" versions 5;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    category default { general; };
    category general { general; };
    category config { general; };
    category network { general; };
    category queries { queries; };
    category security { security; };
};

I'm obviously missing something simple here, but I don't know what it is.

Answer 1

At first glance, they are different signature types. The bind key lists hmac-sha256, terraform lists hmac-md5. The error fits that misconfiguration.
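A small consistency check for the mismatch the answer describes, added here as an example and not code from the post or from either project: it parses the key {} statement from rndc.key and the key_* attributes from the Terraform dns provider block (both constructed inline from the snippets above) and reports every difference that would make named reject the TSIG with BADKEY. On the post's own snippets it flags the algorithm (hmac-sha256 vs hmac-md5) and also the key name, which differs between the two snippets as pasted; the regexes only cover the simple single-key layouts shown here, not arbitrary named.conf or HCL.

```python
import re
# Sample inputs constructed from the post's snippets, not read from the poster's files.
RNDC_KEY = """
key "ns01.ops.example.com" {
    algorithm hmac-sha256;
    secret "bI40GY5fMZxvz7/NlGwA4w==";
};
"""
DNSKEY_TF = """
provider "dns" {
  update {
    server        = "127.0.0.1"
    key_algorithm = "hmac-md5"
    key_name      = "ns01.ops.clh-int.com."
    key_secret    = "bI40GY5fMZxvz7/NlGwA4w=="
  }
}
"""

def parse_bind_key(text):
    """Pull name, algorithm and secret out of a BIND key {} statement."""
    m = re.search(r'key\s+"([^"]+)"\s*\{(.*?)\};', text, re.S)
    if not m:
        raise ValueError("no key statement found")
    alg = re.search(r'algorithm\s+([\w.-]+)\s*;', m.group(2)).group(1)
    sec = re.search(r'secret\s+"([^"]+)"\s*;', m.group(2)).group(1)
    return {"name": m.group(1), "algorithm": alg, "secret": sec}

def parse_tf_update(text):
    """Pull key_name/key_algorithm/key_secret out of the provider update block."""
    attrs = dict(re.findall(r'(key_\w+)\s*=\s*"([^"]*)"', text))
    return {"name": attrs["key_name"], "algorithm": attrs["key_algorithm"],
            "secret": attrs["key_secret"]}

def compare_keys(bind_key, tf_key):
    """Return the mismatches that would make named answer BADKEY; [] if consistent."""
    problems = []
    # TSIG key names are case-insensitive and the trailing dot is optional.
    if bind_key["name"].lower().rstrip(".") != tf_key["name"].lower().rstrip("."):
        problems.append("key name: bind=%s terraform=%s" % (bind_key["name"], tf_key["name"]))
    if bind_key["algorithm"].lower() != tf_key["algorithm"].lower():
        problems.append("algorithm: bind=%s terraform=%s" % (bind_key["algorithm"], tf_key["algorithm"]))
    if bind_key["secret"] != tf_key["secret"]:
        problems.append("secret differs")
    return problems

if __name__ == "__main__":
    for p in compare_keys(parse_bind_key(RNDC_KEY), parse_tf_update(DNSKEY_TF)):
        print(p)
```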
