[Kea-users] Failed to secure DDNS updates with TSIG between Kea and Bind
Daniel Herrmann
daniel.herrmann1 at gmail.com
Sun Jun 20 14:40:58 UTC 2021
Hi all,
I am using Kea as the DHCP server and Bind as the DNS server. The DDNS setup itself works great, but as soon as I add a TSIG key it doesn't work anymore. Bind complains about a wrong signature, and the Kea logs don't show anything about TSIG. The config is as follows:
--- Kea ---
{
  "DhcpDdns": {
    "forward-ddns": {
      "ddns-domains": [
        {
          "dns-servers": [
            {
              "ip-address": "10.1.2.223",
              "port": 53
            }
          ],
          "key-name": "kea-ddns",
          "name": "xxx-xxx.de."
        }
      ]
    },
    "loggers": [
      {
        "debuglevel": 99,
        "name": "kea-dhcp-ddns",
        "output_options": [
          {
            "output": "/var/log/kea-ddns.log"
          }
        ],
        "severity": "DEBUG"
      }
    ],
    "reverse-ddns": {},
    "tsig-keys": [
      {
        "algorithm": "HMAC-SHA512",
        "name": "kea-ddns",
        "secret": "xxx-key-value-xxx"
      }
    ]
  }
}
--- end ---
--- bind config ---
key "kea-ddns" {
    algorithm HMAC-SHA512;
    secret "xxx-key-value-xxx";
};
zone "xxx-xxx.de" IN {
    type master;
    file "/var/named/xxx-xxx.de";
    notify yes;
    allow-update { key kea-ddns; };
};
--- end ---
The logs are not very helpful either:
Bind:
20-Jun-2021 15:28:50.628 client @0x7ffb3c0a25f0 10.1.2.221#45981: request has invalid signature: TSIG kea-ddns: tsig verify failure (BADKEY)
Kea:
--- Kea log ---
2021-06-20 15:38:30.409 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_STARTING_TRANSACTION Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6:
2021-06-20 15:38:30.409 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: Forward Add to server: 10.1.2.223 port:53
2021-06-20 15:38:30.410 DEBUG [kea-dhcp-ddns.asiodns/145650.139735403791552] ASIODNS_FETCH_COMPLETED upstream fetch to 10.1.2.223(53) has now completed
2021-06-20 15:38:30.410 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_INVALID_RESPONSE received response to DNS Update message is malformed: TSIG verification failed: BADKEY
2021-06-20 15:38:30.410 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: to server: 10.1.2.223 port:53 status: INVALID_RESPONSE
2021-06-20 15:38:30.410 ERROR [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_FORWARD_ADD_RESP_CORRUPT DHCP_DDNS Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: received a corrupt response from the DNS server, 10.1.2.223 port:53, while adding forward address mapping for FQDN, dhcp-test.xxx-xxx.de.
2021-06-20 15:38:30.410 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: Forward Add to server: 10.1.2.223 port:53
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.asiodns/145650.139735403791552] ASIODNS_FETCH_COMPLETED upstream fetch to 10.1.2.223(53) has now completed
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_INVALID_RESPONSE received response to DNS Update message is malformed: TSIG verification failed: BADKEY
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: to server: 10.1.2.223 port:53 status: INVALID_RESPONSE
2021-06-20 15:38:30.411 ERROR [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_FORWARD_ADD_RESP_CORRUPT DHCP_DDNS Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: received a corrupt response from the DNS server, 10.1.2.223 port:53, while adding forward address mapping for FQDN, dhcp-test.xxx-xxx.de.
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: Forward Add to server: 10.1.2.223 port:53
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.asiodns/145650.139735403791552] ASIODNS_FETCH_COMPLETED upstream fetch to 10.1.2.223(53) has now completed
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_INVALID_RESPONSE received response to DNS Update message is malformed: TSIG verification failed: BADKEY
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: to server: 10.1.2.223 port:53 status: INVALID_RESPONSE
2021-06-20 15:38:30.411 ERROR [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_FORWARD_ADD_RESP_CORRUPT DHCP_DDNS Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: received a corrupt response from the DNS server, 10.1.2.223 port:53, while adding forward address mapping for FQDN, dhcp-test.xxx-xxx.de.
2021-06-20 15:38:30.411 ERROR [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: Transaction outcome Status: Failed, Event: NO_MORE_SERVERS_EVT, Forward change: failed, request: Type: 0 (CHG_ADD)
Forward Change: yes
Reverse Change: no
FQDN: [dhcp-test.xxx-xxx.de.]
IP Address: [10.1.20.50]
DHCID: [000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6]
Lease Expires On: 20210620150043
Lease Length: 1333
Conflict Resolution: yes
--- end ---
Without the TSIG config, everything works just fine. Any idea what I'm doing wrong? Thanks in advance and best regards,
Daniel