Hi all,
Trying to set up a Foreman server with Ubuntu 12.04 on a VirtualBox VM.
I've installed foreman and foreman-proxy with DNS and DHCP using
foreman-installer. Went through all the settings, including adding the
localhost proxy (https://master.virtualbox.verdaat.org:8443), a domain
(virtualbox.verdaat.org), a subnet (10.20.0.0 with netmask 255.255.0.0), and
linked the three of them together.
I can add hosts when I don't set the DNS proxy for the subnet, but it won't
work when I set the foreman-proxy to be the DNS proxy for the subnet. I'm
not very knowledgeable when it comes to DNS and BIND so I'm wondering if
anybody could help me solve this mystery? Thanks!
Syslog only logs this:
> Jul 21 18:05:30 master named[1021]: client 127.0.0.1#11640: update '10.in-addr.arpa/IN' denied
But the foreman-proxy log has some more detail:
> D, [2013-07-22T00:30:52.067423 #2207] DEBUG -- : running /usr/bin/nsupdate -k /etc/bind/rndc.key
> D, [2013-07-22T00:30:52.091070 #2207] DEBUG -- : nsupdate: executed - server 127.0.0.1
> D, [2013-07-22T00:30:52.139621 #2207] DEBUG -- : nsupdate: executed - update add storage-3.virtualbox.verdaat.org. 86400 A 10.20.0.31
> D, [2013-07-22T00:30:52.567515 #2207] DEBUG -- : running /usr/bin/nsupdate -k /etc/bind/rndc.key
> D, [2013-07-22T00:30:52.602866 #2207] DEBUG -- : nsupdate: executed - server 127.0.0.1
> D, [2013-07-22T00:30:52.634044 #2207] DEBUG -- : nsupdate: executed - update add 31.0.20.10.in-addr.arpa. 86400 IN PTR storage-3.virtualbox.verdaat.org
> D, [2013-07-22T00:30:52.754173 #2207] DEBUG -- : nsupdate: errors
> Answer:
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 5795
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;10.in-addr.arpa. IN SOA
>
> ;; TSIG PSEUDOSECTION:
> rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1374445852 300 16 +olAIdCXUzJZORdSJVm20A== 5795 NOERROR 0
> E, [2013-07-22T00:30:52.756733 #2207] ERROR -- : Update errors: Answer:
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 5795
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;10.in-addr.arpa. IN SOA
>
> ;; TSIG PSEUDOSECTION:
> rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1374445852 300 16 +olAIdCXUzJZORdSJVm20A== 5795 NOERROR 0
> D, [2013-07-22T00:30:52.756832 #2207] DEBUG -- :
> /usr/share/foreman-proxy/bin/…/lib/proxy/dns/nsupdate.rb:80:in `nsupdate'
And I get the same result when I try to run the failed command manually
with nsupdate:
$ sudo nsupdate -d -k /etc/bind/rndc.key
> Creating key...
> Creating key...
> namefromtext
> keycreate
> > update add 31.0.20.10.in-addr.arpa. 86400 IN PTR storage-3.virtualbox.verdaat.org
> > send
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38896
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;31.0.20.10.in-addr.arpa. IN SOA
>
> ;; AUTHORITY SECTION:
> 10.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
>
> Found zone name: 10.in-addr.arpa
> The master is: localhost
> Sending update to 127.0.0.1#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 21086
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
> ;; UPDATE SECTION:
> 31.0.20.10.in-addr.arpa. 86400 IN PTR storage-3.virtualbox.verdaat.org.
>
> ;; TSIG PSEUDOSECTION:
> rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1374446937 300 16 rGQ1ZNtqkX2F1jSM7C9uZg== 21086 NOERROR 0
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 21086
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;10.in-addr.arpa. IN SOA
>
> ;; TSIG PSEUDOSECTION:
> rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1374446937 300 16 /6dwBcXQWEEi3dJmDWUG+w== 21086 NOERROR 0
This is on a fresh Ubuntu installation and I didn't make any manual
modifications to how Foreman configured BIND. Suspected file permission
issues but disabling AppArmor didn't help. Then investigated if this was
an issue sending DNS records upstream to the primary nameserver for the
main domain (verdaat.org) but the logs on that server also don't show
anything. Seems like it's the PTR reverse lookup record causing the issue,
with the localhost BIND server refusing it, while adding the A record does
complete.
So what's going on? What am I doing wrong? What did I forget? Or is it a
bug? How do I fix this?
Thanks!
Tom
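An added triage helper for refused dynamic updates (example code written for this page; it is not part of the post, of Foreman or of BIND). It reads the `nsupdate -d` transcript quoted above, extracts the zone the server actually routed the PTR update to, compares it with the reverse zone the subnet from the post should have, and cross-checks named's `update '<zone>/IN' denied` syslog line. Assumptions: the subnet is the one in the post (10.20.0.0 / 255.255.0.0), the transcript has each DNS record on one line as nsupdate prints it (the sample below is constructed from the post's wrapped output), and the syslog line uses the format shown in the post.

```python
"""Triage a REFUSED BIND dynamic update from `nsupdate -d` output and named's syslog."""
import ipaddress
import re

# Constructed sample: the relevant lines of the `nsupdate -d` transcript
# quoted in the post, re-joined onto single lines.
NSUPDATE_DEBUG = """\
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38896
;; QUESTION SECTION:
;31.0.20.10.in-addr.arpa. IN SOA
;; AUTHORITY SECTION:
10.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
Found zone name: 10.in-addr.arpa
The master is: localhost
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 21086
;; UPDATE SECTION:
31.0.20.10.in-addr.arpa. 86400 IN PTR storage-3.virtualbox.verdaat.org.
;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1374446937 300 16 rGQ1ZNtqkX2F1jSM7C9uZg== 21086 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 21086
;; ZONE SECTION:
;10.in-addr.arpa. IN SOA
"""

# Constructed sample syslog line in the format the post shows for named.
NAMED_SYSLOG = [
    "Jul 21 18:05:30 master named[1021]: client 127.0.0.1#11640: "
    "update '10.in-addr.arpa/IN' denied",
]

DENIED_RE = re.compile(r"client (?P<client>\S+): update '(?P<zone>[^/']+)/IN' denied")


def reverse_zone_for(network: str) -> str:
    """Reverse zone that should hold the PTRs of an octet-aligned IPv4 network."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def _status_after(text: str, heading: str):
    """rcode of the first DNS message printed after a given nsupdate heading."""
    idx = text.find(heading)
    if idx < 0:
        return None
    m = re.search(r"status:\s*(\w+)", text[idx:])
    return m.group(1) if m else None


def parse_nsupdate_debug(text: str) -> dict:
    """Pull the zone-routing decision and the server's verdict out of `nsupdate -d` output."""
    zone = re.search(r"^Found zone name:\s*(\S+)", text, re.M)
    master = re.search(r"^The master is:\s*(\S+)", text, re.M)
    soa = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)", text, re.M)
    tsig = re.search(r"^(\S+)\s+0\s+ANY\s+TSIG\s+(\S+)", text, re.M)
    record = re.search(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|PTR)\s+(\S+)", text, re.M)
    return {
        "zone": zone.group(1).rstrip(".") if zone else None,
        "master": master.group(1) if master else None,
        "soa_mname": soa.group(2) if soa else None,
        "tsig_key": tsig.group(1) if tsig else None,
        "tsig_alg": tsig.group(2) if tsig else None,
        "record": record.groups() if record else None,
        "probe_status": _status_after(text, "Reply from SOA query:"),
        "update_status": _status_after(text, "Reply from update query:"),
    }


def diagnose(parsed: dict, subnet: str, syslog_lines=()) -> list:
    """Turn the parsed transcript and named's log into findings an operator can act on."""
    findings = []
    expected = reverse_zone_for(subnet)
    if parsed["zone"] and parsed["zone"] != expected:
        # nsupdate picks the closest enclosing zone the server answers an SOA for;
        # landing in a parent zone means the expected reverse zone does not exist there.
        findings.append(
            f"no zone {expected} on the server: the PTR update fell through to the "
            f"enclosing zone {parsed['zone']} (master {parsed['master']})"
        )
    if parsed["update_status"] == "REFUSED":
        findings.append(
            f"zone {parsed['zone']} answered REFUSED to the update signed with "
            f"{parsed['tsig_key']} ({parsed['tsig_alg']}): its allow-update/update-policy "
            f"does not grant this key, or it is not a master zone on this server"
        )
    for line in syslog_lines:
        m = DENIED_RE.search(line)
        if m and m.group("zone") == parsed["zone"]:
            findings.append(
                f"named confirms: update to {m.group('zone')} from {m.group('client')} denied"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_nsupdate_debug(NSUPDATE_DEBUG),
                            "10.20.0.0/255.255.0.0", NAMED_SYSLOG):
        print("-", finding)
```

The useful signal is the mismatch between the zone the /16 needs (20.10.in-addr.arpa) and the zone nsupdate found by walking up the SOA chain (10.in-addr.arpa): the A record succeeds because its forward zone exists with update rights for rndc-key, while the PTR lands in a zone that has no such rights, which is exactly what the syslog "update ... denied" line records.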