FreeIPA is imperfect but pretty cool once you get to grips with it. The use of DNS Dynamic Updates (secured by GSS-TSIG) is particularly convenient for clients whose address changes as they move between networks, at least as long as your network provider doesn't interfere with the DNS protocol...
The story starts when I noticed that the A and AAAA records for one of my hosts had not been updated when I connected it to the Internet. The component of FreeIPA that handles DNS updates is sssd, which is not terribly verbose in its default configuration. Only once debug_level is set to 2 do we see the following logged (in /var/log/sssd/sssd_ipa.example.com):
[child_sig_handler] (0x0020): child [21647] failed with status [1].
[nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [256]
[be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158239]: Dynamic DNS update failed
Further increasing debug_level to 6 reveals:
[sdap_dyndns_dns_addrs_done] (0x0400): Detected IP addresses change, will perform an update
[nsupdate_msg_create_common] (0x0200): Creating update message for auto-discovered realm.
[be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
update delete foo.ipa.example.com. in A
update add foo.ipa.example.com. 1200 in A 192.0.2.29
send
update delete foo.ipa.example.com. in AAAA
update add foo.ipa.example.com. 1200 in AAAA 2001:db8:1:1a01
send
-- End nsupdate message --
[write_pipe_handler] (0x0400): All data has been sent!
[be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
[child_sig_handler] (0x0020): child [19754] failed with status [1].
[nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [256]
[be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158239]: Dynamic DNS update failed
[sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying.
[nsupdate_msg_create_common] (0x0200): Creating update message for realm [IPA.EXAMPLE.COM].
[be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
realm IPA.EXAMPLE.COM
update delete foo.ipa.example.com. in A
update add foo.ipa.example.com. 1200 in A 192.0.2.29
send
update delete foo.ipa.example.com. in AAAA
update add foo.ipa.example.com. 1200 in AAAA 2001:db8::1a01
send
[write_pipe_handler] (0x0400): All data has been sent!
[be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
[child_sig_handler] (0x0020): child [19758] failed with status [1].
[nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [256]
[be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158239]: Dynamic DNS update failed
Now we have enough data to reproduce what sssd is doing when it attempts a DNS update so that we can debug the process.
Having written the quoted nsupdate message out to a file, we authenticate using the host's Kerberos key and then send the message:
# cat > message << EOF
realm IPA.EXAMPLE.COM
update delete foo.ipa.example.com. in A
update add foo.ipa.example.com. 1200 in A 192.0.2.29
send
update delete foo.ipa.example.com. in AAAA
update add foo.ipa.example.com. 1200 in AAAA 2001:db8::1a01
send
EOF
# kinit -k -t /etc/krb5.keytab
# nsupdate -g < message
; Communication with 2001:db8:2::1 failed: unexpected error
dns_request_getresponse: FORMERR
+++ exited with 1 +++
Not the most informative of errors. At this point I tried to investigate the problem on the DNS server side.
# rndc trace 9
# tail -f /var/named/data/named.run
I expected to see something that would give me a clue as to why BIND didn't like the message, but nothing. Eventually I broke out tcpdump and discovered that nsupdate's queries were not even reaching my server!
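The steps above (write out the message sssd generates, kinit with the host keytab, feed it to nsupdate with GSS-TSIG, then capture on the server to see whether anything arrives) can be wrapped up in one script so the reproduction is repeatable. This is an added example and not code from the original post or from FreeIPA/sssd; it assumes the host keytab lives at /etc/krb5.keytab, that BIND's nsupdate and tcpdump are installed, and it uses the sample realm, hostname, TTL and addresses quoted from the logs above as constructed values. The message builder is generalised slightly beyond the post: it skips a record type when no address of that family is supplied.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce sssd's GSS-TSIG
# dynamic DNS update by hand and check whether the packets reach the server.
# Assumptions: keytab at /etc/krb5.keytab, BIND nsupdate and tcpdump present.
# The values below are the constructed sample values quoted in the post.

REALM="IPA.EXAMPLE.COM"
HOST_FQDN="foo.ipa.example.com."
TTL=1200
DNS_SERVER="2001:db8:2::1"   # address nsupdate reported it could not talk to

# Build the same update script sssd's nsupdate child writes: for each record
# type, delete the existing record set, add the new record, and 'send' that as
# its own transaction. An empty address skips that record type.
# Usage: build_update_message REALM FQDN TTL A_ADDR AAAA_ADDR
build_update_message() {
    realm=$1; fqdn=$2; ttl=$3; a_addr=$4; aaaa_addr=$5
    printf 'realm %s\n' "$realm"
    if [ -n "$a_addr" ]; then
        printf 'update delete %s in A\n' "$fqdn"
        printf 'update add %s %s in A %s\n' "$fqdn" "$ttl" "$a_addr"
        printf 'send\n'
    fi
    if [ -n "$aaaa_addr" ]; then
        printf 'update delete %s in AAAA\n' "$fqdn"
        printf 'update add %s %s in AAAA %s\n' "$fqdn" "$ttl" "$aaaa_addr"
        printf 'send\n'
    fi
}

# Number of transactions in a message on stdin, i.e. the count of 'send' lines.
count_transactions() {
    grep -c '^send$'
}

# Run the update the way sssd does: obtain a ticket for the host principal from
# the keytab, then pipe the message into nsupdate with GSS-TSIG (-g). -d makes
# nsupdate print the request and response, so a FORMERR is easier to read.
run_update() {
    kinit -k -t /etc/krb5.keytab || return 1
    build_update_message "$REALM" "$HOST_FQDN" "$TTL" "$1" "$2" | nsupdate -d -g
}

# If the update fails, run this on the DNS server (as root) while the client
# retries. A capture that stays empty means the update packets never arrive,
# so the fault lies between client and server rather than in BIND.
capture_on_server() {
    tcpdump -ni any "port 53 and host $1"
}

# Side-effecting invocation, only when explicitly requested:
#   RUN_UPDATE=1 sh this_script.sh 192.0.2.29 2001:db8::1a01
if [ "${RUN_UPDATE:-0}" = 1 ]; then
    run_update "$1" "$2"
fi
```

With debug output enabled, a healthy run shows nsupdate's TKEY negotiation followed by the signed UPDATE and a NOERROR response; if instead the client reports FORMERR or a timeout and the server-side capture shows nothing on port 53 from the client, the message itself is not the problem.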
Now why would that be... surely the ISP can be trusted to faithfully relay packets to their destination, with neither fear nor favour? In the case of Sky Broadband, it seems, it cannot.