[Solved, but a Bug?] MIAB DNS Added new Custom DNS did not work

Note: this is no longer a problem, but a debugging resource.

I have a simple single domain serviced by MIAB, blockfish.info, but had run into a real problem. I tried to add a new Custom DNS record, in this case a CNAME for pong.blockfish.info, but the records were not being served by the MIAB DNS. Leaving a record of my travails so others will learn from my mistake.

TL;DR: You cannot add TXT records (or even A records, as another MIAB admin found out) for hosts that have CNAME records.

To start, the new hosts show up in the Custom DNS interface:

Domain Name Record Type Value
mail.blockfish.info CNAME blockfish.info. [delete]
mail.blockfish.info TXT v=spf1 -all [delete]
cloud.blockfish.info CNAME blockfish.info. [delete]
cloud.blockfish.info TXT v=spf1 -all [delete]
office.blockfish.info CNAME blockfish.info. [delete]
office.blockfish.info TXT v=spf1 -all [delete]
pong.blockfish.info CNAME blockfish.info. [delete]

The Custom DNS API also works but alters only information on the Custom DNS page; the new records were not being served.

I did a dig from the MIAB server directly and can confirm the records were NOT served:

bgertz@blockfish:~$ dig @127.0.0.1 +short pong.blockfish.info
bgertz@blockfish:~$ dig @127.0.0.1 pong.blockfish.info

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> @127.0.0.1 pong.blockfish.info
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NXDOMAIN**, id: 30320
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f390ad0fa3e23b5339b96d0d5da246c0edc481db5611d625 (good)
;; QUESTION SECTION:
;pong.blockfish.info.		IN	A

;; AUTHORITY SECTION:
blockfish.info.		1489	IN	SOA	ns1.blockfish.info. hostmaster.blockfish.info. 2019100903 7200 1800 1209600 1800

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 12 23:33:52 CEST 2019
;; MSG SIZE  rcvd: 127

Note that this wasn’t confined to CNAME records; I had the same problem with TXT records as well (Let’s Encrypt challenge records added via the Custom DNS API). I’d updated the system packages and rebooted the system several times to no avail. I’ve tried deleting the new entry, rebooting, then re-adding the entry. That yielded no soap. Strangely, all of the old Custom DNS records did work:

bgertz@blockfish:~$ dig @127.0.0.1 +short office.blockfish.info TXT
blockfish.info.
"v=spf1 mx -all"

The bit of the zone file from /etc/nsd/zones/blockfish.info.txt looks right (this is the last bit of the file, not the whole thing):

cloud IN CNAME blockfish.info.
cloud IN TXT "v=spf1 -all"
mail IN CNAME blockfish.info.
mail IN TXT "v=spf1 -all"
ns1 IN A 86.81.67.183
ns1 IN TXT "v=spf1 -all"
_dmarc.ns1 IN TXT "v=DMARC1; p=reject"
ns2 IN A 86.81.67.183
ns2 IN TXT "v=spf1 -all"
_dmarc.ns2 IN TXT "v=DMARC1; p=reject"
office IN CNAME blockfish.info.
office IN TXT "v=spf1 -all"
pong IN CNAME blockfish.info.
www IN A 86.81.67.183
www IN TXT "v=spf1 -all"
_dmarc.www IN TXT "v=DMARC1; p=reject"

Looking through the corresponding signed zone file I saw no duplicate records; for example, there is no CNAME or even A record and (another) CNAME record for the same name. Digging through the nsd.log file showed:

[2019-10-12 23:27:56.520] nsd[2300]: notice: nsd starting (NSD 4.1.17)
[2019-10-12 23:27:56.562] nsd[2313]: error: blockfish.info.txt.signed:97: CNAME and other data at the same name
[2019-10-12 23:27:56.562] nsd[2313]: error: blockfish.info.txt.signed:98: CNAME and other data at the same name
[2019-10-12 23:27:56.562] nsd[2313]: error: blockfish.info.txt.signed:103: CNAME and other data at the same name
[2019-10-12 23:27:56.562] nsd[2313]: error: blockfish.info.txt.signed:104: CNAME and other data at the same name
[2019-10-12 23:27:56.562] nsd[2313]: error: blockfish.info.txt.signed:129: CNAME and other data at the same name
[2019-10-12 23:27:56.562] nsd[2313]: error: blockfish.info.txt.signed:130: CNAME and other data at the same name
[2019-10-12 23:27:56.562] nsd[2313]: error: zone blockfish.info file blockfish.info.txt.signed read with 6 errors
[2019-10-12 23:27:56.563] nsd[2313]: notice: nsd started (NSD 4.1.17), pid 2300
[2019-10-12 23:28:04.059] nsd[2313]: warning: signal received, shutting down...
[2019-10-12 23:28:04.073] nsd[2387]: notice: nsd starting (NSD 4.1.17)
[2019-10-12 23:28:04.115] nsd[2397]: error: blockfish.info.txt.signed:97: CNAME and other data at the same name
[2019-10-12 23:28:04.115] nsd[2397]: error: blockfish.info.txt.signed:98: CNAME and other data at the same name
[2019-10-12 23:28:04.115] nsd[2397]: error: blockfish.info.txt.signed:103: CNAME and other data at the same name
[2019-10-12 23:28:04.115] nsd[2397]: error: blockfish.info.txt.signed:104: CNAME and other data at the same name
[2019-10-12 23:28:04.115] nsd[2397]: error: blockfish.info.txt.signed:129: CNAME and other data at the same name
[2019-10-12 23:28:04.115] nsd[2397]: error: blockfish.info.txt.signed:130: CNAME and other data at the same name
[2019-10-12 23:28:04.115] nsd[2397]: error: zone blockfish.info file blockfish.info.txt.signed read with 6 errors
[2019-10-12 23:28:04.116] nsd[2397]: notice: nsd started (NSD 4.1.17), pid 2387
[2019-10-12 23:28:24.766] nsd[2397]: warning: signal received, shutting down...
[2019-10-12 23:28:24.780] nsd[2431]: notice: nsd starting (NSD 4.1.17)
[2019-10-12 23:28:24.818] nsd[2443]: error: blockfish.info.txt.signed:97: CNAME and other data at the same name
[2019-10-12 23:28:24.818] nsd[2443]: error: blockfish.info.txt.signed:98: CNAME and other data at the same name
[2019-10-12 23:28:24.818] nsd[2443]: error: blockfish.info.txt.signed:103: CNAME and other data at the same name
[2019-10-12 23:28:24.818] nsd[2443]: error: blockfish.info.txt.signed:104: CNAME and other data at the same name
[2019-10-12 23:28:24.818] nsd[2443]: error: blockfish.info.txt.signed:129: CNAME and other data at the same name
[2019-10-12 23:28:24.818] nsd[2443]: error: blockfish.info.txt.signed:130: CNAME and other data at the same name
[2019-10-12 23:28:24.818] nsd[2443]: error: zone blockfish.info file blockfish.info.txt.signed read with 6 errors
[2019-10-12 23:28:24.818] nsd[2443]: notice: nsd started (NSD 4.1.17), pid 2431

I thought I needed to regenerate what appeared to be screwed-up signed zone files. They looked fine, but they weren’t. Could it be that you cannot have TXT records for CNAME records? That worked earlier, before the last round of updates. Alas, no more.

Deleting the TXT records for the systems with CNAME records fixed the problem.

Leaving this table of woe behind so you, beleaguered reader, will fix this more quickly than I did.

But is this a bug? How do you add Let’s Encrypt DNS-01 challenge TXT records for CNAME hosts if NSD falls over when you do?

1 Like
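The NSD errors above are NSD enforcing the RFC 1034 rule that a name holding a CNAME may hold no other data (a signed zone may still carry RRSIG and NSEC/NSEC3 beside it). The following checker, an added example that is not part of the original post or of Mail-in-a-Box, parses zone lines in the simple `owner IN TYPE rdata` form shown above (no TTL column is assumed), reports the owners NSD would reject, and applies the fix from the thread (dropping the non-CNAME records at those names); the sample zone is constructed to mirror the excerpt.

```python
from collections import defaultdict

# Signed zones legitimately carry these beside a CNAME (RFC 4035), so they
# are not "other data" in the sense of NSD's error message.
DNSSEC_EXEMPT = {"RRSIG", "NSEC", "NSEC3"}


def parse_zone(text):
    """Parse 'owner IN TYPE rdata' lines (no TTL column, as in the excerpt
    above) into (owner, type, rdata) tuples; comment and $-directive lines
    are skipped. Assumption: one record per line, as MIAB writes them."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";$":
            continue
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[1].upper() != "IN":
            raise ValueError("unsupported zone line: %r" % raw)
        owner, _cls, rtype, rdata = parts
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def cname_conflicts(records):
    """Map each owner holding a CNAME plus non-DNSSEC data to the offending
    types: the RFC 1034 rule behind 'CNAME and other data at the same name'."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _rdata in records:
        types_by_owner[owner].add(rtype)
    conflicts = {}
    for owner, types in types_by_owner.items():
        others = types - {"CNAME"} - DNSSEC_EXEMPT
        if "CNAME" in types and others:
            conflicts[owner] = sorted(others)
    return conflicts


def drop_conflicting_non_cname(records):
    """The thread's fix: keep the CNAME and drop the other records (here the
    TXT) at the same owner name, so NSD loads the zone without errors."""
    bad = cname_conflicts(records)
    return [r for r in records if r[0] not in bad or r[1] == "CNAME"]


# Constructed sample modelled on the tail of /etc/nsd/zones/blockfish.info.txt
SAMPLE_ZONE = """\
cloud IN CNAME blockfish.info.
cloud IN TXT "v=spf1 -all"
ns1 IN A 86.81.67.183
ns1 IN TXT "v=spf1 -all"
pong IN CNAME blockfish.info.
www IN A 86.81.67.183
"""
```

Running `cname_conflicts(parse_zone(SAMPLE_ZONE))` on the sample flags only `cloud` (CNAME plus TXT), while `ns1` (A plus TXT, no CNAME) and `pong` (CNAME alone) pass, which is exactly the split between the records NSD served and the ones it refused.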

This completely solved my problem! So there seems to be a bug when you have CNAME records. In my case I had my maindomain.com without problems. I used to get Let’s Encrypt certificates with wildcards *.maindomain.com by adding the TXT records without problems.
Now, when I added CNAME records, they worked fine.
foo.maindomain.com CNAME bar.maindomain.com
The problem appeared when I did a migration of my maindomain.com, the A DNS records were not updating.
Thanks to this post, I deleted the CNAME records and the DNS record was updated.

I was wondering if this is the same issue that is troubling me.
I have some custom DNS records which should be validated with a DNS-01 challenge, but somehow the entry has not worked since the last MiaB update.

I am out of ideas. It seems to me that it's a similar or the same problem, but even if it is, I wouldn’t know how to solve it.