• Cannot get nsupdate to work (for letsencrypt acme.sh client)

    From Brett Delmage@Brett@BrettDelmage.ca to bind-users on Tue Aug 4 18:44:56 2020
    From Newsgroup: comp.protocols.dns.bind

    I'm having a problem getting nsupdate to work, as shown below.

    (Despite reading the man pages I'm not 100% clear about the exact scope of
    the grant options and it may not be right. Examples would be helpful.)

    I generated the key:

    ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
    # To activate this key, place the following in named.conf, and
    # in a separate keyfile on the system or systems from which nsupdate
    # will be run:
    key "acmesh-ottawatch." {
    algorithm hmac-sha256;
    secret <deleted>;
    };

    - this is included in my named.conf
    My config file zone entry has the statements

    check-names warn;
    update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
    to permit the update and limit the scope.

    As I understand, I need check-names (warn | ignore) because
    _acme-challenge has an underscore. (How the heck did LE come up with an incompatible name?)


    Here's my nsupdate script:
    # cat test-acme

    server cacloud.ottawatch.ca
    zone ottawatch.ca
    debug
    update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
    send


    # nsupdate -k acmesh-ottawatch.ca test-acme

    Sending update to 2607:7b00:7200:1::281a:5de2#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42504
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;ottawatch.ca. IN SOA

    ;; UPDATE SECTION:
    _acme-challenge.ottawatch.ca. 999 IN TXT "test 1"

    ;; TSIG PSEUDOSECTION:
    acmesh-ottawatch. 0 ANY TSIG hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0


    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 42504
    ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;ottawatch.ca. IN SOA

    ;; TSIG PSEUDOSECTION:
    acmesh-ottawatch. 0 ANY TSIG hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0

    Sending update to 2607:7b00:7200:1::281a:5de2#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 32884
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;ottawatch.ca. IN SOA

    ;; TSIG PSEUDOSECTION:
    acmesh-ottawatch. 0 ANY TSIG hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0



    # dig _acme-challenge.ottawatch.ca. txt
    - the TXT RR has not been added

    ; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: f735fda5ecb94793010000005f29e1bed617055d59cb5d75 (good)
    ;; QUESTION SECTION:
    ;_acme-challenge.ottawatch.ca. IN TXT

    ;; AUTHORITY SECTION:
    ottawatch.ca. 900 IN SOA cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Aug 04 18:31:26 EDT 2020
    ;; MSG SIZE rcvd: 140


    What am I missing or doing wrong, please?
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Mark Andrews@marka@isc.org to Brett Delmage on Wed Aug 5 10:33:26 2020
    From Newsgroup: comp.protocols.dns.bind

    Thanks for full details.
    Your key name usage is not consistent. acmesh-ottawatch != ottawatch-acmesh

    Why are you adding `check-names warn;`? check-names does NOT apply to TXT records.
    Mark
    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
    --- Synchronet 3.18a-Linux NewsLink 1.113
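A pre-flight check for the mismatch Mark spotted, as an added example that is not part of the thread: it reads the key name out of the ddns-confgen key file and confirms that a `grant` rule in the zone's update-policy names that same key. The key file and both zone stanzas are constructed inline; the secret and the zone `file` path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check that the TSIG key name in the
# key file is the identity a "grant" rule in the zone's update-policy names.
# A mismatch here is what made named answer REFUSED in the thread.
# All inputs are constructed inline; secret and zone file path are placeholders.

KEYFILE=$(cat <<'EOF'
key "acmesh-ottawatch." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET=";
};
EOF
)

# Zone stanza as first posted: the grant names a key that does not exist.
ZONECONF_BAD=$(cat <<'EOF'
zone "ottawatch.ca" {
    type master;
    file "/ASSUMED/PATH/ottawatch.ca.zone";
    update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
};
EOF
)

# Corrected stanza: the grant name equals the key name.
ZONECONF_GOOD=$(cat <<'EOF'
zone "ottawatch.ca" {
    type master;
    file "/ASSUMED/PATH/ottawatch.ca.zone";
    update-policy { grant acmesh-ottawatch. name _acme-challenge.ottawatch.ca. txt; };
};
EOF
)

# Key names are domain names: compare case-insensitively, ignore a trailing dot.
canon() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# First key name declared in a key file or named.conf fragment.
key_name() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*key[[:space:]]*"\{0,1\}\([^"[:space:]{]*\)"\{0,1\}.*{.*/\1/p' |
        head -n 1
}

# Every identity named by a "grant" rule, one per line.
grant_names() {
    printf '%s\n' "$1" | grep -o 'grant[[:space:]][[:space:]]*[^[:space:];]*' | sed 's/^grant[[:space:]]*//'
}

# check_grant KEYFILE ZONECONF: 0 if some grant names the key, 1 if none does,
# 2 if no key statement was found in KEYFILE.
check_grant() {
    want=$(canon "$(key_name "$1")")
    [ -n "$want" ] || return 2
    for g in $(grant_names "$2"); do
        [ "$(canon "$g")" = "$want" ] && return 0
    done
    return 1
}

if check_grant "$KEYFILE" "$ZONECONF_BAD"; then echo "BAD: unexpectedly granted"
else echo "BAD: no grant names key $(key_name "$KEYFILE"); named would answer REFUSED"; fi
if check_grant "$KEYFILE" "$ZONECONF_GOOD"; then echo "GOOD: key $(key_name "$KEYFILE") is named by a grant"; fi
```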
  • From Brett Delmage@Brett@BrettDelmage.ca to Mark Andrews on Tue Aug 4 23:12:54 2020
    From Newsgroup: comp.protocols.dns.bind


    On Wed, 5 Aug 2020, Mark Andrews wrote:

    Your key name usage is not consistent. acmesh-ottawatch != ottawatch-acmesh

    Thank you! Fixed and working.

    Why are you adding `check-names warn;`? check-names does NOT apply to TXT records.

    Previously I was getting the error "bad owner name (check-names)".

    So a search for that error led me to this page https://linux.m2osw.com/setting-bind-get-letsencrypt-wildcards-work-your-system-using-rfc-2136

    which states

    "The check-names option is required in case the name letsencrypt adds _acme-challenge to your list of known sub-domains. The underscore
    character is not liked by BIND9. This is because it is not part of the
    domain name specification. It is not allowed at all. By default BIND will generate an error and log it and skip over that entry entirely (i.e. it
    will not serve that zone at all, albeit all the other zones will work just fine.)

    You can also set this parameter to ignore. In that case, no warning is
    emitted in your logs.

    Here is the error you get ("bad owner name") when a name uses characters
    that are not supposed to be used in a domain name:

    09-Feb-2019 03:02:31.988 general: error:
    /var/lib/bind/restarchitect.com.zone:31:
    _acme-challenge.restarchitect.com:
    bad owner name (check-names)

    The check-names option is currently the only way to fix this problem (i.e.
    you can't use an escape for that one specific letter.)"

    -----------------------------------

    Is this incorrect? My same error went away when I added it. I certainly was not familiar with the option earlier.

    I am running BIND 9.16.5 from Ondřej's PPA for Ubuntu 18.04

    That page's "Create and Setup an HMAC Key" uses dnssec-keygen to create
    the dynamic key, which I understand has been deprecated in newer versions.
    Is that correct? (as I mentioned, I used ddns-confgen.)


    Thanks for full details.

    Thank you for looking at them!

    Often, preparing a complete help request helps me see something I am overlooking that is incorrect, so then I don't need to send a help plea and look like an idiot. Just not in this report, although an earlier version led me to seeing another problem, which was good.

    Brett

    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Mark Andrews@marka@isc.org to Brett Delmage on Wed Aug 5 13:48:42 2020
    From Newsgroup: comp.protocols.dns.bind


    On 5 Aug 2020, at 13:12, Brett Delmage <Brett@BrettDelmage.ca> wrote:

    On Wed, 5 Aug 2020, Mark Andrews wrote:

    Your key name usage is not consistent. acmesh-ottawatch != ottawatch-acmesh

    Thank you! Fixed and working.

    Why are you adding `check-names warn;`? check-names does NOT apply to TXT records.

    Previously I was getting the error "bad owner name (check-names)".

    So a search for that error led me to this page https://linux.m2osw.com/setting-bind-get-letsencrypt-wildcards-work-your-system-using-rfc-2136

    which states

    "The check-names option is required in case the name letsencrypt adds _acme-challenge to your list of known sub-domains. The underscore character is not liked by BIND9. This is because it is not part of the domain name specification. It is not allowed at all. By default BIND will generate an error and log it and skip over that entry entirely (i.e. it will not serve that zone at all, albeit all the other zones will work just fine.)

    You can also set this parameter to ignore. In that case, no warning is emitted in your logs.

    Here is the error you get ("bad owner name") when a name uses characters that are not supposed to be used in a domain name:

    09-Feb-2019 03:02:31.988 general: error:
    /var/lib/bind/restarchitect.com.zone:31:
    _acme-challenge.restarchitect.com:
    bad owner name (check-names)
    Check-names applies to elements of records that are supposed to be HOSTNAMES or MAIL DOMAINS (both have the same syntax requirements). In some cases it is the owner name and others it is elements of the rdata fields. For PTR it only applies to records that end in in-addr.arpa and ip6.arpa as they are supposed to point to HOSTNAMES. HOSTNAMES and MAIL DOMAINS are restricted to labels composed of letters, digits and hyphens (LDH).

    The full list of records that check-names currently applies to are: A, AAAA, MX, AFSDB, MINFO, NS, PTR, RP, RT, SOA, A6 and SRV.

    If I use the example zone on that page *no* errors are reported.

    % named-checkzone restarchitect.com restarchitect.com
    zone restarchitect.com/IN: loaded serial 1309082308
    OK
    % cat restarchitect.com
    restarchitect.com. 86400 IN SOA ns1.m2osw.com. hostmaster.m2osw.com. 1309082308 10800 180 1209600 300
    restarchitect.com. 86400 IN NS ns1.m2osw.com.
    restarchitect.com. 86400 IN NS ns2.m2osw.com.
    restarchitect.com. 86400 IN A 10.0.0.1
    _acme-challenge.restarchitect.com. 86400 IN TXT "test"
    w.restarchitect.com. 86400 IN A 10.0.0.1
    ww.restarchitect.com. 86400 IN A 10.0.0.1
    www.restarchitect.com. 86400 IN A 10.0.0.1
    wwww.restarchitect.com. 86400 IN A 10.0.0.1
    %

    If I modify restarchitect.com to have an A record at _acme-challenge.restarchitect.com then errors will be reported. On line 6 of restarchitect.com the owner name _acme-challenge.restarchitect.com is bad.

    % named-checkzone restarchitect.com restarchitect.com
    restarchitect.com:6: _acme-challenge.restarchitect.com: bad owner name (check-names)
    zone restarchitect.com/IN: loaded serial 1309082308
    OK
    % cat restarchitect.com
    restarchitect.com. 86400 IN SOA ns1.m2osw.com. hostmaster.m2osw.com. 1309082308 10800 180 1209600 300
    restarchitect.com. 86400 IN NS ns1.m2osw.com.
    restarchitect.com. 86400 IN NS ns2.m2osw.com.
    restarchitect.com. 86400 IN A 10.0.0.1
    _acme-challenge.restarchitect.com. 86400 IN TXT "test"
    _acme-challenge.restarchitect.com. 86400 IN A 10.0.0.1
    w.restarchitect.com. 86400 IN A 10.0.0.1
    ww.restarchitect.com. 86400 IN A 10.0.0.1
    www.restarchitect.com. 86400 IN A 10.0.0.1
    wwww.restarchitect.com. 86400 IN A 10.0.0.1
    %

    Mark

    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
    --- Synchronet 3.18a-Linux NewsLink 1.113
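An added example (not from the thread and not BIND's own code) that approximates the owner-name part of Mark's description in awk: it applies the LDH rule only to owner names of the record types he lists, so the TXT record at _acme-challenge passes and an A record at the same name is flagged on line 6, as in his named-checkzone run. The zone text is constructed inline from his example; rdata fields and the hyphen-placement rules are deliberately not checked.

```shell
#!/bin/sh
# Added example, not from the thread or from BIND: an awk approximation of the
# owner-name check that check-names performs. Only owner names are checked,
# only for the record types Mark lists, and only against the LDH rule, so this
# is a teaching aid, not a substitute for named-checkzone.

# Constructed zone text mirroring Mark's files: first with only a TXT record at
# _acme-challenge (allowed), then with an A record added there on line 6.
ZONE_TXT_ONLY='restarchitect.com. 86400 IN SOA ns1.m2osw.com. hostmaster.m2osw.com. 1309082308 10800 180 1209600 300
restarchitect.com. 86400 IN NS ns1.m2osw.com.
restarchitect.com. 86400 IN NS ns2.m2osw.com.
restarchitect.com. 86400 IN A 10.0.0.1
_acme-challenge.restarchitect.com. 86400 IN TXT "test"'

ZONE_WITH_A="$ZONE_TXT_ONLY
_acme-challenge.restarchitect.com. 86400 IN A 10.0.0.1
www.restarchitect.com. 86400 IN A 10.0.0.1"

# check_owner_names ZONETEXT: prints one "<line>: <owner>: bad owner name
# (check-names)" line per offending record and returns the number of offenders.
check_owner_names() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        bad = 0
        # Record types whose OWNER name must be a hostname (Mark'"'"'s list).
        split("A AAAA MX AFSDB MINFO NS PTR RP RT SOA A6 SRV", t, " ")
        for (i in t) hosttype[t[i]] = 1
    }
    NF == 0 || $1 ~ /^;/ { next }          # blank lines and comments
    {
        owner = $1; type = ""
        # The type is the first field after the optional TTL and class.
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^[0-9]+$/ || $i == "IN" || $i == "CH" || $i == "HS") continue
            type = toupper($i); break
        }
        if (!(type in hosttype)) next
        # PTR owners are only checked under the reverse-mapping domains.
        if (type == "PTR" && owner !~ /\.(in-addr|ip6)\.arpa\.?$/) next
        # Every label must be letters, digits or hyphen; a leading "*" is allowed.
        name = owner; sub(/^\*\./, "", name); sub(/\.$/, "", name)
        n = split(name, lab, ".")
        for (j = 1; j <= n; j++)
            if (lab[j] !~ /^[A-Za-z0-9-]+$/) {
                printf "%d: %s: bad owner name (check-names)\n", NR, owner
                bad++; break
            }
    }
    END { exit bad }'
}

echo "--- TXT only:"
check_owner_names "$ZONE_TXT_ONLY" && echo "no owner-name problems"
echo "--- with an A record at _acme-challenge:"
check_owner_names "$ZONE_WITH_A" || echo "zone has owner names check-names would reject"
```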
  • From Brett Delmage@Brett@BrettDelmage.ca to Mark Andrews on Wed Aug 5 12:21:01 2020
    From Newsgroup: comp.protocols.dns.bind

    On Wed, 5 Aug 2020, Mark Andrews wrote:

    If I use the example zone on that page *no* errors are reported.
    If I modify restarchitect.com to have a A record at _acme-challenge.restarchitect.com then errors will be reported.

    I certainly did get an error originally. I would not have found this
    page if I didn't have the error message to search for.

    After reviewing my command history I have concluded that it is possible
    that I originally tested with an A, not TXT record, thus causing the
    error. Then I switched it, unaware of the difference to check-names.

    Thanks for the in-depth 'proof'. I have removed check-names now and it
    works as it should.

    Brett


    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Mark Andrews@marka@isc.org to Brett Delmage on Thu Aug 6 08:17:11 2020
    From Newsgroup: comp.protocols.dns.bind

    Unfortunately comments section on that page doesn’t work. You press preview and you get a error response back.

    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
    --- Synchronet 3.18a-Linux NewsLink 1.113