update rejected: post update name server sanity check failed
Summary
When creating TXT records for certbot challenges at a nested sub-subdomain, the nsupdate utility fails to update the record.
BIND version used
BIND 9.11.20-RedHat-9.11.20-5.el8 (Extended Support Version) <id:f3d1d66>
running on Linux x86_64 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/libexec/platform-python' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=no' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 8.3.1 20191121 (Red Hat 8.3.1-5)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.2.0
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
nsupdate -y hmac-sha512:**letsencrypt.***:**privatekey**
> server 212.x.x.63
> update add _acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk 3600 txt "8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyoXM"
> send
update failed: REFUSED
What is the current bug behavior?
named throws an error in the logs and the update returns REFUSED:
Dec 24 21:55:35 ns2 named[2865777]: client @0x7f44980e2d90 154.x.x.122#52119/key letsencrypt: view external: signer "letsencrypt" approved
Dec 24 21:55:35 ns2 named[2865777]: client @0x7f44980e2d90 154.x.x.122#52119/key letsencrypt: view external: updating zone 'ip6tunnel.tk/IN': adding an RR at '_acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk' TXT "8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyoXM"
Dec 24 21:55:35 ns2 named[2865777]: client @0x7f44980e2d90 154.x.x.122#52119/key letsencrypt: view external: updating zone 'ip6tunnel.tk/IN': update rejected: post update name server sanity check failed
What is the expected correct behavior?
Dec 24 21:01:21 ns2 named[2865777]: client @0x7f449aefe0d0 154.x.x.122#40284/key letsencrypt: view external: updating zone 'ip6tunnel.tk/IN': adding an RR at '_acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk' TXT "8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyo>
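To make the log lines above machine-checkable, here is an added example (not part of the bug report or of BIND): a small parser that turns named's per-client dynamic-update lines (signer approval, each RR change, and any "update rejected" verdict) into events and pairs every rejection with the changes attempted on the same client socket. The sample lines are constructed after the ones in the report (addresses redacted as there); the two lines for the shorter name and the "deleting ..." action phrases are assumptions, not taken from the report.

```python
"""Structured parsing of named's dynamic-update log lines (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the rejected exchange from the report, followed by an
# assumed accepted update for a shorter name on a different client socket.
SAMPLE_LOG = """\
Dec 24 21:55:35 ns2 named[2865777]: client @0x7f44980e2d90 154.x.x.122#52119/key letsencrypt: view external: signer "letsencrypt" approved
Dec 24 21:55:35 ns2 named[2865777]: client @0x7f44980e2d90 154.x.x.122#52119/key letsencrypt: view external: updating zone 'ip6tunnel.tk/IN': adding an RR at '_acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk' TXT "8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyoXM"
Dec 24 21:55:35 ns2 named[2865777]: client @0x7f44980e2d90 154.x.x.122#52119/key letsencrypt: view external: updating zone 'ip6tunnel.tk/IN': update rejected: post update name server sanity check failed
Dec 24 21:56:02 ns2 named[2865777]: client @0x7f449aefe0d0 154.x.x.122#40284/key letsencrypt: view external: signer "letsencrypt" approved
Dec 24 21:56:02 ns2 named[2865777]: client @0x7f449aefe0d0 154.x.x.122#40284/key letsencrypt: view external: updating zone 'ip6tunnel.tk/IN': adding an RR at '_acme-challenge.short.ip6tunnel.tk' TXT "constructed-token"
"""

# Syslog prefix + named's client prefix: "client [@ptr] addr#port[/key name]: [view name: ] message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))?: (?:view (?P<view>\S+): )?(?P<msg>.*)$"
)
UPDATE_RE = re.compile(r"^updating zone '(?P<zone>[^']+)': (?P<detail>.*)$")
# "adding an RR at" is in the report; the deleting variants are assumed.
CHANGE_RE = re.compile(
    r"^(?P<action>adding an RR|deleting an RR|deleting rrset|deleting all rrsets) at "
    r"'(?P<name>[^']+)'(?: (?P<rtype>\S+)(?: (?P<rdata>.*))?)?$"
)
REJECT_PREFIX = "update rejected: "


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one log line into an event dict, or None if it is not a client line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, Optional[str]] = dict(m.groupdict())
    ev["kind"] = "other"
    um = UPDATE_RE.match(ev["msg"] or "")
    if um:
        ev["zone"] = um["zone"]
        detail = um["detail"]
        if detail.startswith(REJECT_PREFIX):
            ev["kind"] = "rejected"
            ev["reason"] = detail[len(REJECT_PREFIX):]
        else:
            cm = CHANGE_RE.match(detail)
            ev["kind"] = "change"
            if cm:
                ev.update(cm.groupdict())
    elif (ev["msg"] or "").startswith("signer "):
        ev["kind"] = "signer"
    return ev


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def rejections_with_changes(events: List[Dict[str, Optional[str]]]) -> List[dict]:
    """Pair each rejection with the RR changes logged earlier for the same client socket.

    Changes on sockets that never see a rejection are the accepted updates and
    are not reported, which is what an operator alerting on rejections wants.
    """
    pending: Dict[tuple, list] = {}
    out: List[dict] = []
    for ev in events:
        sock = (ev["client"], ev["port"])
        if ev["kind"] == "change":
            pending.setdefault(sock, []).append(ev)
        elif ev["kind"] == "rejected":
            out.append({"key": ev["key"], "zone": ev["zone"],
                        "reason": ev["reason"], "changes": pending.pop(sock, [])})
    return out


if __name__ == "__main__":
    for r in rejections_with_changes(parse_log(SAMPLE_LOG)):
        names = [c.get("name") for c in r["changes"]]
        print(f"key={r['key']} zone={r['zone']} rejected ({r['reason']}); attempted: {names}")
```

Feeding the real named log through `parse_log` and `rejections_with_changes` gives, per TSIG key and zone, the exact owner names whose updates were refused and the reason named gave, which is the data needed to tell a misbehaving ACME client from a zone-content problem like the one reported here.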
Relevant configuration files
The configuration works with nsupdate for shorter (sub)domain names; no update policies are being enforced.
Relevant logs and/or screenshots
[root@ddns ~]# dig -t txt _acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> -t txt _acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34443
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk. IN TXT
;; AUTHORITY SECTION:
ip6tunnel.tk. 1799 IN SOA ns1.ddns.flex-sys.us. admin.flex-sys.us.ip6tunnel.tk. 2020122435 3600 600 1209600 3600
;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 24 21:02:58 EST 2020
;; MSG SIZE rcvd: 141
A wildcard record exists:
[root@ddns ~]# dig -t txt _acme-challenge.*.ip6tunnel.tk
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> -t txt _acme-challenge.*.ip6tunnel.tk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46582
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.*.ip6tunnel.tk. IN TXT
;; ANSWER SECTION:
_acme-challenge.*.ip6tunnel.tk. 119 IN TXT "8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyoXM"
Possible fixes
No fixes tried. Using wildcards for long subdomains was attempted, but the specified name does not resolve.
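The dig output above shows the wildcard attempt behaving exactly as the DNS wildcard rules predict, so here is an added example (not the reporter's zone data, not BIND code) that implements the two RFC 4592 rules on a toy in-memory zone: only a leftmost "*" label makes an owner name a wildcard, and a wildcard matches a query name only when the closest encloser of that name is the wildcard's parent. The zone contents, including the apex wildcard and the name `flex-sys.us.ip6tunnel.tk`, are constructed for illustration.

```python
"""Toy RFC 4592 wildcard lookup for one zone (added example)."""
from typing import Dict, List, Tuple

# Constructed zone: {owner: {rrtype: [rdata, ...]}}; owners canonical, lowercase, with trailing dot.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "ip6tunnel.tk.": {
        "SOA": ["ns1.ddns.flex-sys.us. admin.flex-sys.us.ip6tunnel.tk. 2020122435 3600 600 1209600 3600"],
        "NS": ["ns1.ddns.flex-sys.us."],
    },
    # The record from the report: '*' is the second label, so this is a literal name, not a wildcard.
    "_acme-challenge.*.ip6tunnel.tk.": {"TXT": ['"8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyoXM"']},
    # Assumed: a real wildcard at the apex.
    "*.ip6tunnel.tk.": {"TXT": ['"wildcard-token"']},
    # Assumed: an existing name below the apex, which shadows the wildcard for everything under it.
    "flex-sys.us.ip6tunnel.tk.": {"A": ["192.0.2.1"]},
}


def _labels(name: str) -> List[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def _canon(name: str) -> str:
    return ".".join(_labels(name)) + "."


def is_wildcard(owner: str) -> bool:
    """RFC 4592 section 2.1.1: an owner name is a wildcard only if its leftmost label is '*'."""
    return _labels(owner)[0] == "*"


def name_exists(zone: Dict[str, dict], name: str) -> bool:
    """True if name is an owner name or an empty non-terminal (an ancestor of some owner)."""
    target = _labels(name)
    for owner in zone:
        ol = _labels(owner)
        if len(ol) >= len(target) and ol[len(ol) - len(target):] == target:
            return True
    return False


def closest_encloser(zone: Dict[str, dict], qname: str) -> str:
    """Longest existing ancestor of qname (RFC 4592 section 3.3.1)."""
    ls = _labels(qname)
    for i in range(1, len(ls) + 1):
        cand = ".".join(ls[i:]) + "."
        if name_exists(zone, cand):
            return cand
    return "."


def lookup(zone: Dict[str, dict], qname: str, rrtype: str) -> Tuple[str, List[str]]:
    """Return (status, rdatas) with status EXACT, WILDCARD, NODATA or NXDOMAIN."""
    q = _canon(qname)
    if name_exists(zone, q):
        # An existing name is never wildcard-synthesised, even when it has no data of this type.
        rrs = zone.get(q, {}).get(rrtype, [])
        return ("EXACT" if rrs else "NODATA", rrs)
    wild = "*." + closest_encloser(zone, q)
    if wild in zone:
        rrs = zone[wild].get(rrtype, [])
        return ("WILDCARD" if rrs else "NODATA", rrs)
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    for q in ("_acme-challenge.*.ip6tunnel.tk", "_acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk",
              "_acme-challenge.other.ip6tunnel.tk"):
        print(q, "->", lookup(ZONE, q, "TXT"))
```

Querying the literal name `_acme-challenge.*.ip6tunnel.tk` returns the TXT as an exact match, which is what the second dig above shows, while the long challenge name gets nothing from it. Even the assumed apex wildcard `*.ip6tunnel.tk` would not cover `_acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk` once `flex-sys.us.ip6tunnel.tk` exists, because that name becomes the closest encloser and has no wildcard of its own; the only wildcard that could serve the challenge would have to sit at `*.test.ddns.flex-sys.us.ip6tunnel.tk`, one label above the challenge name, and it would still need the per-certificate token.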