nsupdate

Kevin Darcy kcd at daimlerchrysler.com
Fri Aug 16 20:47:19 UTC 2002


Philipp Dreimann wrote:

> hello everyone,
> i've some problems with bind9 and nsupdate..
> i'd like to update my zones via nsupdate so i did the following:
>
> dnssec-keygen -a hmac-md5 -b 256 -r /dev/urandom -n zone dreimann.net
>
> yes i know that -r /dev/urandom isn't secure, but /dev/random didn't work. i
> compiled my server 2 times but nothing happened. ;-)
>
> i copied the key from Kdreiman.net....private and put it in named.conf
> <snip>
> key "dreimann.net" {
>         algorithm hmac-md5;
>         secret "keyasdfasdfasdf";
> };
> </snip>
>
> here's my named.conf part for dreimann.net
> <snip>
> zone "dreimann.net" {
>         type master;
>         file "db/dreimann.net";
>         allow-update { key "dreimann.net"; };
> };
> </snip>
>
> now i transferred via scp the two Kdreimann.net* files to my local system.
>
> and did the following:
> <snip>
> nsupdate -k Kdreimann.net......private
> server mynameserver.com
> zone dreimann.net
> update add test 60 A 123.123.123.132
> send
> </snip>
>
> but nothing happened ;)
>
> and in my nameserver's logfile i found the following:
>
> request has invalid signature: tsig verify failure
>
> can someone give me a hint? :)

The kind of key you need to secure Dynamic Updates via TSIG is a "host" key,
not a "zone" key.


- Kevin
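
Added example, not part of the original thread and not BIND's own code: a shell check that reads the name type from the flags field of a dnssec-keygen .key file and builds the named.conf key stanza only when the key is a host key. The file contents are constructed (the base64 value is a placeholder), the function names key_name_type and tsig_stanza are hypothetical, and the hmac-md5 algorithm is taken from the question above.

```shell
#!/bin/sh
# Assumed file layout (constructed samples below follow it):
#   .key file:     "<name> IN KEY <flags> <protocol> <algorithm> <base64>"
#   .private file: contains a line "Key: <base64>"

# Print the name type encoded in the KEY flags field (RFC 2535 NAMTYP bits).
key_name_type() {
    awk '$2 == "IN" && $3 == "KEY" {
        nt = int($4 / 256) % 4          # keep only the two NAMTYP bits
        if (nt == 0) print "user"
        else if (nt == 1) print "zone"  # flags 256, from -n zone
        else if (nt == 2) print "host"  # flags 512, from -n host
        else print "reserved"
        exit
    }' "$1"
}

# Emit a named.conf key stanza, refusing anything that is not a host key.
# usage: tsig_stanza <keyname> <file.key> <file.private>
tsig_stanza() {
    nt=$(key_name_type "$2")
    if [ "$nt" != "host" ]; then
        echo "refusing: $2 is a '$nt' key, expected 'host'" >&2
        return 1
    fi
    secret=$(awk '$1 == "Key:" { print $2; exit }' "$3")
    [ -n "$secret" ] || { echo "no Key: line in $3" >&2; return 1; }
    printf 'key "%s" {\n        algorithm hmac-md5;\n        secret "%s";\n};\n' \
        "$1" "$secret"
}

# Constructed sample files; the secret is a placeholder, not real key material.
demo=$(mktemp -d)
printf 'dreimann.net. IN KEY 256 3 157 Y29uc3RydWN0ZWQ=\n' > "$demo/zone.key"
printf 'dreimann.net. IN KEY 512 3 157 Y29uc3RydWN0ZWQ=\n' > "$demo/host.key"
printf 'Private-key-format: v1.2\nAlgorithm: 157 (HMAC_MD5)\nKey: Y29uc3RydWN0ZWQ=\n' \
    > "$demo/host.private"

# The zone key is rejected; the host key yields a stanza for named.conf.
tsig_stanza dreimann.net "$demo/zone.key" "$demo/host.private" || echo "zone key rejected"
tsig_stanza dreimann.net "$demo/host.key" "$demo/host.private"
```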



