AskOverflow.Dev
Joe Block
Asked: 2019-04-26 16:18:20 +0800 CST

Problems with dynamic bind updates using terraform - authentication failure


I'm trying to update a domain hosted on bind using terraform and I'm getting tsig verify failures in /var/log/named/security.log, but not when I use nsupdate.

I generate a key with tsig-keygen -a HMAC-MD5 ns01.ops.example.com > /etc/bind/rndc.key, and my named.conf includes:

# Allow rndc management
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.example.com"; };
};

I parse the key data out of rndc.key and create a dnskey.tf file:

# Configure the DNS Provider
provider "dns" {
  update {
    server        = "127.0.0.1"
    key_algorithm = "hmac-md5"
    key_name      = "ns01.ops.clh-int.com."
    key_secret    = "bI40GY5fMZxvz7/NlGwA4w=="
  }
}

resource "dns_a_record_set" "cthulhu" {
  zone = "ops.example.com."
  name = "cthulhu"
  addresses = [ "192.168.1.1" ]
  ttl = 180
}

which matches the contents of /etc/bind/rndc.key:

key "ns01.ops.example.com" {
    algorithm hmac-sha256;
    secret "bI40GY5fMZxvz7/NlGwA4w==";
};

When I run terraform apply, I get the following error message:

Error: Error applying plan:

1 error(s) occurred:

* dns_a_record_set.cthulhu: 1 error(s) occurred:

* dns_a_record_set.cthulhu: Error updating DNS record: dns: bad authentication

2019/04/25 23:59:29 [DEBUG] plugin: waiting for all plugin processes to complete...
2019-04-25T23:59:29.319Z [DEBUG] plugin.terraform-provider-dns_v2.1.0_x4: 2019/04/25 23:59:29 [ERR] plugin: plugin server: accept unix /tmp/plugin235354968: use of closed network connection
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

The error seen in /var/log/named/security.log is:

25-Apr-2019 23:59:29.308 security: error: client @0x55fa8d04d560 127.0.0.1#37299: request has invalid signature: TSIG ns01.ops.example.com: tsig verify failure (BADKEY)

Using nsupdate -k /etc/bind/rndc.key -v commandfile works, where commandfile contains:

 server $SERVER_ADDRESS
 debug yes
 zone ops.example.com
 update delete blah.example.com
 update add blah.example.com 300 A 10.9.8.7
 send

For what it's worth, I'm running terraform in the same docker container that bind is running in.

For completeness, here is a sanitized copy of /etc/bind/named.conf:

include "/etc/bind/rndc.key";

# Allow rndc management
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ns01.ops.clh-int.com"; };
};

acl "clients" {
  127.0.0.0/8;
};

########################
## options
########################

options {

    directory "/var/bind";

    dump-file "/var/bind/cache_dump.db";
    statistics-file "/var/bind/bind_statistics.txt";
    memstatistics-file "/var/bind/bind_mem_statistics.txt";

    version "private";

    lame-ttl 180;
    max-ncache-ttl 1800; # max time to cache negative NXDOMAIN answers

    listen-on port 53 { any; };
    listen-on-v6 { none; };

    allow-transfer { none; };

    pid-file "/var/run/named/named.pid";

    recursion yes;

    forwarders {
      8.8.8.8;
      8.8.4.4;
    };

};

########################
## zones
########################

zone "ops.example.com" IN {
    type master;
    file "/etc/bind/ops.example.com.zone";
    allow-transfer { 127.0.0.1; };

    allow-update {
      key "ns01.ops.clh-int.com";
      127.0.0.0/8;
    };

    notify yes;
};


########################
## logging
########################

logging {
    channel general {
        file "/var/log/named/general.log" versions 5 size 25m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel queries {
        file "/var/log/named/queries.log" versions 5 size 10m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel security {
        file "/var/log/named/security.log" versions 5;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    category default { general; };
    category general { general; };
    category config { general; };
    category network { general; };
    category queries { queries; };
    category security { security; };
};

I'm obviously missing something simple here, but I can't see what it is.

bind
  • 1 answer
  • 1323 Views
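A consistency check, added here as an example and not code from the post or from the Terraform dns provider: it parses a BIND key statement (the shape tsig-keygen writes to rndc.key) and the provider "dns" update block from a .tf file, then reports where the two disagree. BIND answers BADKEY when the key name or algorithm in the request does not match a key it knows (a wrong secret is reported as BADSIG instead), so name, algorithm and secret are compared before anything else. In the question above the two files disagree on the algorithm (hmac-md5 in dnskey.tf, hmac-sha256 in rndc.key), and the check below flags exactly that kind of drift. The sample inputs are constructed and the secret is a placeholder (32 zero bytes in base64); the regexes assume the single-key layout shown in the post, not full named.conf or HCL grammar.

```python
import base64
import binascii
import re

# Constructed sample inputs (not the poster's real files): a BIND key statement as
# tsig-keygen writes it, and the Terraform dns-provider "update" block that should
# use the same key. The secret is a placeholder: 32 zero bytes, base64-encoded.
SAMPLE_SECRET = "A" * 43 + "="

BIND_KEY_TEXT = f'''
key "ns01.ops.example.com" {{
    algorithm hmac-sha256;
    secret "{SAMPLE_SECRET}";
}};
'''

TERRAFORM_TEXT = f'''
provider "dns" {{
  update {{
    server        = "127.0.0.1"
    key_algorithm = "hmac-md5"
    key_name      = "ns01.ops.example.com."
    key_secret    = "{SAMPLE_SECRET}"
  }}
}}
'''

# Matches: key "name" { algorithm X; secret "Y"; }
BIND_KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}',
    re.S,
)
UPDATE_BLOCK_RE = re.compile(r"update\s*\{(.*?)\}", re.S)
ASSIGN_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_bind_key(text):
    """Return {name, algorithm, secret} from a BIND key statement."""
    m = BIND_KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    name, algorithm, secret = m.groups()
    return {"name": name, "algorithm": algorithm, "secret": secret}


def parse_terraform_update(text):
    """Return {name, algorithm, secret} from the dns provider's update {} block."""
    m = UPDATE_BLOCK_RE.search(text)
    if not m:
        raise ValueError("no update block found")
    fields = dict(ASSIGN_RE.findall(m.group(1)))
    try:
        return {
            "name": fields["key_name"],
            "algorithm": fields["key_algorithm"],
            "secret": fields["key_secret"],
        }
    except KeyError as missing:
        raise ValueError(f"update block lacks {missing}") from None


def canonical_name(name):
    # DNS names are case-insensitive; Terraform writes the trailing dot, BIND omits it.
    return name.lower().rstrip(".")


def canonical_algorithm(alg):
    # Algorithm names are domain names on the wire and are compared case-insensitively.
    return alg.lower().rstrip(".")


def check_tsig_consistency(bind_text, tf_text):
    """Return a list of (code, message) findings; an empty list means both sides agree."""
    bind_key = parse_bind_key(bind_text)
    tf_key = parse_terraform_update(tf_text)
    findings = []
    if canonical_name(bind_key["name"]) != canonical_name(tf_key["name"]):
        findings.append(("name", f"key name differs: bind={bind_key['name']!r} terraform={tf_key['name']!r}"))
    if canonical_algorithm(bind_key["algorithm"]) != canonical_algorithm(tf_key["algorithm"]):
        findings.append(("algorithm", f"algorithm differs: bind={bind_key['algorithm']} terraform={tf_key['algorithm']}"))
    if bind_key["secret"] != tf_key["secret"]:
        findings.append(("secret", "secret differs between the two files"))
    for side, key in (("bind", bind_key), ("terraform", tf_key)):
        try:
            base64.b64decode(key["secret"], validate=True)
        except (binascii.Error, ValueError):
            findings.append(("base64", f"{side} secret is not valid base64"))
        if canonical_algorithm(key["algorithm"]) == "hmac-md5":
            findings.append(("weak-algorithm", f"{side} uses hmac-md5; prefer hmac-sha256, the tsig-keygen default"))
    return findings


if __name__ == "__main__":
    for code, msg in check_tsig_consistency(BIND_KEY_TEXT, TERRAFORM_TEXT):
        print(f"[{code}] {msg}")
```

Run it against the real rndc.key and dnskey.tf by reading both files into the two text arguments; anything other than an empty list is a reason to expect a TSIG failure before terraform apply is even attempted.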
