A while back, the https://www.freebsddiary.org/topics.php#opteron – the colo facility was purchased and the new owners are not interested in donating services to open source projects.
That host also acted as a DNS host for all my domains. I pressed a small VPS into service. It handled the query services fine, but updates were sluggish. It took a few hours for it to catch up to Let’s Encrypt renewals.
To be fair, this $5 box does a decent job as an external monitoring host.
Over the weekend, I configured another host as a name server.
Monitoring proved it never lagged with updates.
Today, I pressed the buttons to make this host the new DNS host.
I’ve obscured the actual IP addresses and hostnames, just because.
The first attempt
Here I go, deleting the old, adding the new ones…
[dns-hidden-master dan ~] % nsupdate -k ~/Kdan.dns.hidden.master.+162+19240.key
> zone example.net.
> update delete ns3.example.net. IN AAAA 2001:DB8:800:10::3156:8001
> update delete ns3.example.net. IN A 198.51.100.82
> update add ns3.example.net. 600 IN AAAA 2001:DB8:2000:11:8a8b:cf57:2c48:370d
> update add ns3.example.net. 600 IN A 198.51.100.172
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;example.net. IN SOA
;; UPDATE SECTION:
ns3.example.net. 0 NONE AAAA 2001:DB8:800:10::3156:8001
ns3.example.net. 0 NONE A 198.51.100.82
ns3.example.net. 600 IN AAAA 2001:DB8:2000:11:8a8b:cf57:2c48:370d
ns3.example.net. 600 IN A 198.51.100.172
> send
; TSIG error with server: tsig indicates error
update failed: REFUSED(BADKEY)
> ^D%
Oh, what? Perhaps I should not have supplied the .key bit. Let’s try again.
[dns-hidden-master dan ~] % nsupdate -k ~/Kdan.dns.hidden.master.+162+19240
> server dns-hidden-master.int.example.net
> zone example.net.
> update delete ns3.example.net. IN AAAA 2001:DB8:800:10::3156:8001
> update delete ns3.example.net. IN A 198.51.100.82
> update failed: REFUSED
> update add ns3.example.net. 600 IN AAAA 2001:DB8:2000:11:8a8b:cf57:2c48:370d
> update add ns3.example.net. 600 IN A 198.51.100.172
> ^D%
Eh?
Hmm, OK, I will paste one row at a time:
[dns-hidden-master dan ~] % nsupdate -k ~/Kdan.dns.hidden.master.+162+19240
> server dns-hidden-master.int.example.net
> zone example.net.
> update delete ns3.example.net. IN AAAA 2001:DB8:800:10::3156:8001
> update delete ns3.example.net. IN A 198.51.100.82
> update failed: REFUSED
> update add ns3.example.net. 600 IN AAAA 2001:DB8:2000:11:8a8b:cf57:2c48:370d
> update add ns3.example.net. 600 IN A 198.51.100.172
> ^D%
Nope.
Oh wait, perhaps I have to do one at a time because it’s my name server.
[dns-hidden-master dan ~] % nsupdate -k ~/Kdan.dns.hidden.master.+162+19240
> server dns-hidden-master.int.example.net
> zone example.net.
> update delete ns3.example.net. IN AAAA 2001:DB8:800:10::3156:8001
> update add ns3.example.net. 600 IN AAAA 2001:DB8:2000:11:8a8b:cf57:2c48:370d
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;example.net. IN SOA
;; UPDATE SECTION:
ns3.example.net. 0 NONE AAAA 2001:DB8:800:10::3156:8001
ns3.example.net. 600 IN AAAA 2001:DB8:2000:11:8a8b:cf57:2c48:370d
> send
> update delete ns3.example.net. IN A 198.51.100.82
> update add ns3.example.net. 600 IN A 198.51.100.172
> send
>
Yep, that might be it. I may have gotten away with just one send. Perhaps I will try that next time.
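The sequence that worked above, written as a non-interactive batch for nsupdate's standard input. This is an added example, not the author's script; the function names, the `prereq` guard and the `--apply` switch are assumptions introduced here, and the addresses are the obscured values shown on the page.

```shell
#!/bin/sh
# Added example (not from the original post). Names and addresses are the
# obscured documentation-range values shown on the page.
SERVER=dns-hidden-master.int.example.net
ZONE=example.net.
NAME=ns3.example.net.
TTL=600

# replace_rr TYPE OLD NEW   (hypothetical helper)
# Emits one guarded delete+add pair followed by its own "send", so each
# record type goes out as a separate UPDATE message, as in the session
# that worked.
# Assumption: NAME holds exactly one record of TYPE. The value-dependent
# prerequisite then makes the server reject the update when OLD is not
# what is currently published (for example, when the batch is run twice).
replace_rr() {
    printf 'prereq yxrrset %s IN %s %s\n' "$NAME" "$1" "$2"
    printf 'update delete %s IN %s %s\n' "$NAME" "$1" "$2"
    printf 'update add %s %s IN %s %s\n' "$NAME" "$TTL" "$1" "$3"
    printf 'send\n'
}

# build_batch prints the complete command stream for nsupdate's stdin.
build_batch() {
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$ZONE"
    replace_rr AAAA 2001:DB8:800:10::3156:8001 2001:DB8:2000:11:8a8b:cf57:2c48:370d
    replace_rr A 198.51.100.82 198.51.100.172
}

# Usage: sh swap-ns3.sh --apply /path/to/tsig-keyfile
# Without --apply nothing is sent; call build_batch to review the commands.
if [ "${1:-}" = "--apply" ]; then
    build_batch | nsupdate -k "${2:?TSIG key file required}"
fi
```

Reviewing the output of `build_batch` before applying it plays the same role as `show` in the interactive sessions.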
Not shown
Not shown here, I also updated the glue records at my domain name registrar.