Password (Token)? is bad (but I've never change)

acculeer.dedyn.io · August 30, 2022, 4:48pm

Dear all,
sorry for my bad English. A lot of years my dedyn.io account is running without errors, many thanks for this. Today, it’s not work. The updatelog I read: “badauth”. Why? I’ve never change every things for my account. To update, i use a cronjob: “echo url=‘https://update.dedyn.io/update?username=myaccount.dedyn.io&password=long..token....fafaf’ |curl -k -o /var/log/myaccount.log -K -” This run very fine, a lot of years. I have reset and confirm my password, but i don’t understand the things to create a new token? How can i get a new token? I don’t understand this page: Manage Tokens — deSEC DNS API documentation ? A token for one domain is needed. Exist a other (easy) way to create this?
Thank you for help

fiwswe · August 30, 2022, 5:51pm

You seem to be using the Query string method to authenticate:
https://desec.readthedocs.io/en/latest/dyndns/update-api.html#query-string-method-discouraged

This is not really recommended but the documentation does not forbid it either. But maybe something is broken there? I have never used it so I wouldn’t notice.

It would be better to switch to the HTTP Token authentication method:
https://desec.readthedocs.io/en/latest/dyndns/update-api.html#http-token-authentication

See also:
https://desec.readthedocs.io/en/latest/dyndns/update-api.html#examples

Why do you specify the curl -k option? https://update.dedyn.io uses a secure and generally trusted certificate.

Also the complicated pipe, -K - construction is really not required. Just use:
curl --url 'https://update.dedyn.io?hostname=<domain>' --header 'Authorization: Token <your authorization token>'

Replace <domain> with your deDyn domain name, i.e. example.dedyn.io, and <your authorization token> with, you guessed it, your token. (Make sure it’s the token and not the token ID! The token is only shown exactly once when it is created. If you missed it, you need to create a new one.)

To manage tokens you can also just sign in using the web interface at:
https://desec.io/login

Then switch to Token Management and do your thing…

HTH
fiwswe

nils · August 30, 2022, 9:41pm

Hi acculeer,

welcome to deSEC and thanks for your post.

In the early days of deSEC, email addresses provided by user registrations were not confirmed, meaning that we did not send an email with an account activation link. We thus had many email addresses in our database that we could not send emails to without violation of the double opt-in protocol. If only one of them leads to a spam honeypot, the reputation of our email server would suffer, which would affect the quality of service all of our users.

We also realized in the past couple of years that running a DNS hosting service reliably and securely sometimes requires direct and timely communication to our users. To fix above situation so that we can email everyone on deSEC if needed, we decided to validate all of addresses associated with the ‘old’ user accounts. We send everyone an email with an confirmation link.

Due to the lack of double-opt-in, we could not send follow-up emails with reminders, and when the confirmation links we sent expired, the user accounts ended up in an deadlocked state that, on the one hand, made it impossible for us to contact the accounts owner and, on the other hand, is hard for us to maintain.

After an additional grace period, we deleted the remaining accounts that had not been confirmed or otherwise contacted support.

Given the timing of your message, it seems likely that you were affected by this, perhaps because the email sent with regard to your account ended up in a spam filter. Our apologies for interrupting your Internet services. Please go ahead and re-register your account and domain name!

Best,
Nils

acculeer.dedyn.io · September 1, 2022, 12:14pm

thank for answer,
nils has the solution (no valid mail such no confirm account). It’s a verry old account. The “k” option helps to create logfile in /var/log and i can see status (good or bad) .
I know, better solutions exist, but “never change …”

acculeer.dedyn.io · September 1, 2022, 12:22pm

Thank you for support,
yes, it’s old account and the (invalid) mail address nobody can use to confirm.
I’ve re-register my account with a new mail. And now, I’ve new token, system is running very fine

fiwswe · September 1, 2022, 12:43pm

@acculeer.dedyn.io:
I know what you mean about “never change …”

Maybe I have a different version of curl but my man page says -k is a synonym to --insecure, thus allowing certificates that don’t validate. -K (capital letter K) means: “Specify a text file to read curl arguments from” and the following - makes that file be stdin. So I see nothing relating to log files there. This is curl 7.84.0 on OpenBSD 7.1 amd64 btw.

Glad you found a solution and thanks for the feedback!

Take care
fiwswe