DDNS and TSIG

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 21 21:45:30 UTC 2004


I don't claim to be a crypto expert, but I thought keys of type "ZONE" 
were only for the whole DNSSEC shebang (KEY/DNSKEY records, etc.). The 
dhcp.conf man page example uses a "USER" key type, and I've always used 
a "HOST" key type. Have you tried either of those?

                                                                         
- Kevin

Kamus of Kadizhar wrote:

>I know this has probably been discussed to death, so my apologies if I
>missed it in the archives....
>
>I just set up a new server.  It's set up using Fedora Core 2.
>
>I am running bind 9.2.3 (BIND 9.2.3 -u named -t /var/named/chroot) and
>dhcpd V3.0.1rc14.
>
>I've been through my entire TSIG configuration; when a client is assigned
>a lease, I get:
>
>Oct 21 10:19:51 kahn dhcpd: Unable to add forward map from tnd-253.tnd.lan
>to 192.168.141.253: invalid TSIG key
>
>I have a similar set up with an older bind/dhcpd combination that works
>just fine.  I set this one up identical to the old one; no joy.
>
>I recreated the keys
>
>dnssec-keygen -a HMAC-MD5 -b 128 -p 3 -n ZONE kahn.tnd.lan; no joy.
>
>I've tried the default keygen command from the dhcpd.conf manpage; no joy.
>
>I've been through a couple of FAQs on the web and I've checked my setup;
>it is as similar as I can make it, no joy.  The only difference is that
>the old setup is not running chrooted bind; this one is.  Does this make
>any difference to TSIG?
>
>named.conf:
>
>key kahn.tnd.lan {
>        algorithm hmac-md5 ;
>        secret "<key>" ;
>        } ;
>
>zone "tnd.lan"{
>        type master;
>        file "tnd.hosts";
>        allow-update { key kahn.tnd.lan ; };
>};
>
>zone "141.168.192.in-addr.arpa"{
>        type master;
>        file "tnd.hosts.rev";
>        allow-update { key kahn.tnd.lan ; };
>};
>
>dhcpd.conf:
>
>ddns-update-style interim;
>
>key kahn.tnd.lan {
>        algorithm hmac-md5 ;
>        secret "<key>" ;
>        }
>
>zone tnd.lan. {
>        key kahn.tnd.lan ;
>       }
>
>zone 141.168.192.in-addr.arpa. {
>        key kahn.tnd.lan ;
>       }
>
>Can anyone give me some pointers on where to look?  I can't for the life
>of me figure out what I'm doing wrong....
>
>Thanks,
>
>--Kamus
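As an added example (not code from this thread, BIND or ISC dhcpd), a small Python checker that pulls the `key` and `zone` stanzas out of both files and reports the mismatches that commonly sit behind a TSIG rejection like the one above: a key name, algorithm or secret that differs between named.conf and dhcpd.conf, or a zone whose allow-update does not name the key. The sample configs are constructed from the stanzas quoted above with a placeholder secret; the function names are this example's own.

```python
import re
def _blocks(text, kind):
    """Return (name, body) for each `<kind> <name> { ... }` stanza, walking braces so nested blocks stay in body."""
    found = []
    for m in re.finditer(r'\b%s\s+"?([\w.-]+)"?\s*\{' % kind, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        found.append((m.group(1).rstrip('.').lower(), text[m.end():i - 1]))
    return found

def parse_keys(text):
    """Map key name -> (algorithm, secret); names are normalised like DNS names (case, trailing dot)."""
    keys = {}
    for name, body in _blocks(text, 'key'):
        alg = re.search(r'algorithm\s+([\w-]+)', body)
        sec = re.search(r'secret\s+"([^"]*)"', body)
        keys[name] = (alg.group(1).lower() if alg else None, sec.group(1) if sec else None)
    return keys

def check_tsig(named_conf, dhcpd_conf):
    """List the mismatches that would make named reject dhcpd's signed updates; empty list means the files agree."""
    problems = []
    nkeys, dkeys = parse_keys(named_conf), parse_keys(dhcpd_conf)
    nzones = dict(_blocks(named_conf, 'zone'))
    for zname, body in _blocks(dhcpd_conf, 'zone'):
        m = re.search(r'\bkey\s+"?([\w.-]+)"?', body)   # key the dhcpd zone stanza signs with
        kname = m.group(1).rstrip('.').lower() if m else None
        if kname not in dkeys or kname not in nkeys:
            problems.append(f'{zname}: key {kname} is not defined in both files'); continue
        if dkeys[kname] != nkeys[kname]:
            problems.append(f'{zname}: key {kname} algorithm/secret differ between files')
        if zname not in nzones:
            problems.append(f'{zname}: zone is not defined in named.conf'); continue
        if not re.search(r'allow-update\s*\{[^}]*\bkey\s+"?%s' % re.escape(kname), nzones[zname], re.I):
            problems.append(f'{zname}: allow-update in named.conf does not list key {kname}')
    return problems

# Constructed sample configs mirroring the thread's stanzas; the secret is a placeholder, not a real key.
NAMED_CONF = '''
key kahn.tnd.lan { algorithm hmac-md5 ; secret "PLACEHOLDER_SECRET==" ; } ;
zone "tnd.lan" { type master; file "tnd.hosts"; allow-update { key kahn.tnd.lan ; }; };
zone "141.168.192.in-addr.arpa" { type master; file "tnd.hosts.rev"; allow-update { key kahn.tnd.lan ; }; };
'''
DHCPD_CONF = '''
key kahn.tnd.lan { algorithm hmac-md5 ; secret "PLACEHOLDER_SECRET==" ; }
zone tnd.lan. { key kahn.tnd.lan ; }
zone 141.168.192.in-addr.arpa. { key kahn.tnd.lan ; }
'''
```

Run `check_tsig` on the real files (after substituting the actual secret) and an empty result means the two sides at least agree on name, algorithm, secret and allow-update; anything it prints is the first thing to fix.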