[DESPERATE] getting bind 9.1.0 to do dynamic dns update
Ian C. Sison
ian.s at qsr.com.ph
Fri Feb 23 02:36:44 UTC 2001
Hi, I've got a seemingly unsolvable problem (at least on my end).
I've got two servers, one the main dns with a public static IP, and the
second on a dynamic IP. My intention is for the second to update the DNS
A record on the main dns.
Simple right? Should be easy because there's actually an FAQ entry in
ISC's site.
Not.
First of all, the FAQ entry was for bind 8.x; the dnskeygen command
doesn't work out anymore, as it's changed to dnssec-keygen in bind 9 with
a whole new parameter set.
Anyhow, I tried this command:
==============================================================
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1-drillbit.
==============================================================
on the main dns server. This command outputted 2 files (as expected). So
I get the private key from inside one of the files (the keys are identical
in both files BTW) and stick it in the main dns server's named.conf:
==============================================================
key ns1-drillbit. {
    algorithm hmac-md5;
    secret "wncrUU8MdUxHGpg8eKKq4w==";
};
==============================================================
and use it in my domain:
==============================================================
zone "test.domain.ph." {
    type master;
    file "db.test.domain.ph";
    allow-update { key ns1-drillbit. ; };
    notify yes;
};
==============================================================
I then copy these two files onto the client system and issue the
following command on the client system:
==============================================================
# nsupdate -d -k Kns1-drillbit.+157+46334.private update
==============================================================
The file "update" contains this:
==============================================================
server 192.168.1.5
zone test.domain.ph.
update add host1.test.domain.ph 86400 A 192.168.1.5
==============================================================
I then get this error:
==============================================================
keycreate
dns_request_getresponse: tsig indicates error
==============================================================
Looking at /var/log/messages on the main DNS server:
==============================================================
Feb 22 20:24:39 ns1 named[20334]: client 192.168.1.169#1024: request has
invalid signature: tsig verify failure
==============================================================
Now the question is - why? I've followed everything the FAQ said, only
modifying it for dnssec-keygen, and it won't work. I've tried removing
the 'key' item in 'allow-update' and just placing an IP address, and the
update proceeded correctly. So I'm thinking it's definitely the keys that
are the problem.
Please, I need your help; any input would be very, very appreciated!
BTW, I'm running bind 9.1.0 on two Linux-Mandrake boxes.
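
A TSIG signature only verifies when both ends hold the same key name, algorithm and secret bytes. The following is an added example, not part of the original post: it compares a named.conf key clause with the K*.private file from dnssec-keygen. The sample data is constructed from the values quoted above, and the .private layout and all helper names are assumptions.

```python
import base64
import re

# Constructed sample data built from the values quoted in the post.
# Assumption: the .private file carries "Algorithm:" and "Key:" lines.
NAMED_CONF = '''
key ns1-drillbit. {
    algorithm hmac-md5;
    secret "wncrUU8MdUxHGpg8eKKq4w==";
};
'''
PRIVATE_NAME = "Kns1-drillbit.+157+46334.private"
PRIVATE_BODY = '''Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: wncrUU8MdUxHGpg8eKKq4w==
'''
ALG_NUMBERS = {"hmac-md5": 157}  # number embedded in the K* file name

def canon(name):
    """Compare key names as DNS names: case-insensitive, trailing dot ignored (assumption)."""
    return name.strip('"').rstrip(".").lower()

def parse_conf_key(conf):
    """Return (name, algorithm, secret bytes) from the first key clause."""
    m = re.search(r'key\s+("?[\w.\-]+"?)\s*\{(.*?)\}\s*;', conf, re.S)
    alg = re.search(r'algorithm\s+([\w\-]+)\s*;', m.group(2)).group(1).lower()
    secret = re.search(r'secret\s+"([^"]*)"\s*;', m.group(2)).group(1)
    return canon(m.group(1)), alg, base64.b64decode(secret, validate=True)

def parse_private(filename, body):
    """Return (name, file-name alg, declared alg, secret bytes) for a K*.private file."""
    m = re.fullmatch(r'K(.+)\+(\d{3})\+(\d{5})\.private', filename)
    fields = dict(line.split(": ", 1) for line in body.strip().splitlines())
    declared = int(fields["Algorithm"].split()[0])
    secret = base64.b64decode(fields["Key"], validate=True)
    return canon(m.group(1)), int(m.group(2)), declared, secret

def check(conf, filename, body):
    """List every mismatch; an empty list means both ends hold the same key."""
    c_name, c_alg, c_secret = parse_conf_key(conf)
    p_name, f_alg, p_alg, p_secret = parse_private(filename, body)
    checks = [
        ("key name", c_name == p_name),
        ("algorithm", ALG_NUMBERS.get(c_alg) == p_alg == f_alg),
        ("secret", c_secret == p_secret),
    ]
    return [label + " differs" for label, ok in checks if not ok]

if __name__ == "__main__":
    print(check(NAMED_CONF, PRIVATE_NAME, PRIVATE_BODY) or "key material matches")
```

An empty result only rules out a key mismatch; TSIG also signs a timestamp, so the clocks on both hosts are worth comparing as well.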