
I am trying to make a simple DNS update using Python's dns.update. However, every time I run the script I get "rcode REFUSED". I tried a series of different permutations but can't seem to figure out where I am going wrong. I am able to directly use this key with nsupdate and make changes.

I am running this on Python 2.7.

My key looks like this:

key test.testdomain.com. {
        algorithm HMAC-MD5;
        secret "5MbEv7VrELN7ztkNMGSUvfimpoLAEzdmDzAHE9X4ax0ZDxiYnz1rkIx29SQru2AHQ3XbRBHmY7EQ/xD/2FocCA==";
};

Here is my code, I have hard-coded it all for the purpose of troubleshooting.

from __future__ import print_function

import dns.update
import dns.query
import dns.tsigkeyring


def main():
    UpdateDNS()

####################################################################################################################
def UpdateDNS():
    # set zone and dnsserver
    zone = 'testdomain.com'
    dnshostname = 'dns-test.testdomain.com'
    # TSIG key name must match the "key" statement on the server, including the trailing dot
    keyring = dns.tsigkeyring.from_text({'test.testdomain.com.': '5MbEv7VrELN7ztkNMGSUvfimpoLAEzdmDzAHE9X4ax0ZDxiYnz1rkIx29SQru2AHQ3XbRBHmY7EQ/xD/2FocCA=='})
    # build a signed UPDATE message for the zone
    update = dns.update.Update(zone, keyring=keyring, keyalgorithm='hmac-md5.sig-alg.reg.int')
    # add an A record with an 8600 second TTL
    update.add('foo.testdomain.com', 8600, 'A', '179.33.72.36')
    # send the update over TCP to the authoritative server and print the response
    response = dns.query.tcp(update, dnshostname)
    print(response)

#########################################################
# Main
#########################################################
if __name__ == '__main__':
    main()

Here is my response:

x1c\x08'}
id 45721
opcode UPDATE
rcode REFUSED
flags QR RA
;ZONE
testdomain.com. IN SOA 
;PREREQ
;UPDATE
;ADDITIONAL
sdhir

1 Answer

Generally your code looks OK to me. I just tested essentially the same code on my name server and it works like a charm.

Did you allow updates for the TSIG key to the zone you're trying to update? There should be something like this in your bind config (probably there as you wrote you can use the key manually, but just to make sure):

zone "testdomain.com" IN {
    type master;
    [...]
    allow-update {
        key "test.testdomain.com.";
    };
};

What do the name server logs say when you run your update script? Normally there should be a reason for rejecting the update:

view internal: signer "test-key" denied
view internal: request has invalid signature: TSIG test-key: tsig verify failure (BADKEY)

The former would indicate that the key is not allowed to update the zone, the latter that the key itself wasn't accepted (though that would also have resulted in an exception when running the code).
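To make the log check above repeatable, here is a small added example (not part of the original question or answer, and not dnspython code) that scans BIND log lines for the two rejection messages the answer quotes and maps each to its likely cause. The log lines embedded below are constructed samples modelled on the messages in the answer; the key name "test-key" and the client addresses are made up. It uses only the Python standard library, so it runs offline against any saved named log.

```python
import re

# Constructed sample log excerpt (not from the original post): one line per
# rejection reason described in the answer, plus one unrelated line.
SAMPLE_LOG = """\
client 10.0.0.5#53211: view internal: signer "test-key" denied
client 10.0.0.5#53212: view internal: request has invalid signature: TSIG test-key: tsig verify failure (BADKEY)
zone testdomain.com/IN: sending notifies (serial 2024010101)
"""

# Each pattern captures the key name (and failure code where present) and is
# paired with the cause and the client-side symptom the answer describes.
PATTERNS = [
    (re.compile(r'signer "(?P<key>[^"]+)" denied'),
     'key {key} is not permitted to update this zone: the update is signed '
     'correctly but the zone has no allow-update entry for the key '
     '(client sees rcode REFUSED)'),
    (re.compile(r'TSIG (?P<key>\S+): tsig verify failure \((?P<code>\w+)\)'),
     'TSIG key {key} was rejected with {code}: key name, algorithm or secret '
     'does not match the server key statement (client raises a TSIG exception)'),
]


def diagnose_line(line):
    """Return a human-readable cause for a known rejection line, else None."""
    for pattern, template in PATTERNS:
        match = pattern.search(line)
        if match:
            return template.format(**match.groupdict())
    return None


def diagnose_log(text):
    """Return [(line_number, cause), ...] for every rejection found in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        cause = diagnose_line(line)
        if cause:
            findings.append((number, cause))
    return findings


if __name__ == '__main__':
    for number, cause in diagnose_log(SAMPLE_LOG):
        print('line %d: %s' % (number, cause))
```

Point it at a real log (for example by reading the file and passing its contents to diagnose_log) after running the update script; a "signer ... denied" hit means the fix belongs in the zone's allow-update block, while a "tsig verify failure" hit means the key material itself has to be compared with the server's key statement.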