Unable to add forward map: bad DNS key

Calle Pettersson CPettsson at gmail.com
Mon Jun 9 13:22:32 UTC 2008


Sorry, forgot to say that the secrets were substituted. That rndc-key
is in dhcpd.conf probably comes from some guide I've followed...
Anyways, the key srv2.mydomain.local. was generated with 'dnssec -a
HMAC-MD5 -b 512 -n HOST srv2.mydomain.local.'
I tried generating new 2-bit keys with 'dnssec-keygen -a HMAC-MD5 -b 2
-n HOST test', adding new key statements in my .conf's like this:
key test {
algorithm hmac-md5;
secret "2A==";
}
(Authentic secret this time... ;) ) and then replacing
"srv2.mydomain.local." with "test".
Still, I get the same error.
Is this some syntax error? Forgotten/extra quotes or such?

Best regards
Calle Pettersson

On Jun 5, 9:14 pm, Chris Buxton <cbux... at menandmice.com> wrote:
> The error comes when dhcpd tries to formulate a signed dns update
> message. It can't parse the key. So named never gets a packet because
> dhcpd can't send one.
>
> The problem is in these statements:
>
> key srv2.mydomain.local. {
>         algorithm hmac-md5;
>         secret "mysecret";}
>
> key rndc-key {
>         algorithm hmac-md5;
>         secret "othersecret";
>
> }
>
> If those are truly your key statements, then you have a problem right
> there - those are not valid secrets. If you've replaced your secrets,
> then you must test these secrets in some fashion yourself - we (the
> list) can't test what you don't tell us.
>
> I've not gone over your configs exhaustively. There may be other
> problems.
>
> By the way, there doesn't appear to be any reason why dhcpd needs to
> know the definition of your rndc key. It's not used, that I can see,
> by the rest of dhcpd.conf.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On Jun 2, 2008, at 1:12 AM, Calle Pettersson wrote:
>
> > Hello!
> > I am unable to get ddns to work, despite reading just about every guide
> > and article available... My setup is like this: srv1 is gateway, and
> > "external" services such as apache etc., srv2 is dhcp and dns.
> > When I connect a client, client01 for example, and run dhcpcd, I get this
> > in /var/log/messages on srv2:
>
> > Jun  2 08:53:31 srv2 dhcpd: Unable to add forward map from client01.mydomain.local. to 192.168.0.100: bad DNS key
> > Jun  2 08:53:31 srv2 dhcpd: DHCPREQUEST for 192.168.0.100 from 00:50:8b:8b:78:70 via eth0
> > Jun  2 08:53:31 srv2 dhcpd: DHCPACK on 192.168.0.100 to 00:50:8b:8b:78:70 via eth0
>
> > The "bad DNS key" error appears even if I shut down named. Also, named
> > does not log anything, neither in /var/log/messages nor /var/log/named/*,
> > where I've set up logging, even if I set info-level trace.
>
> > Below are my named.conf and dhcpd.conf. If you need any additional
> > information, just ask.
> > Since I've read so many different guides, there is a good chance my
> > configs have a bit too many settings, or even conflicting ones. There
> > doesn't seem to be just one way to do this...
>
> > Best regards
> > Calle Pettersson
>
> > named.conf:
> > key srv2.mydomain.local. {
> >        algorithm hmac-md5;
> >        secret "mysecret";
> > };
> > key rndc-key {
> >       algorithm hmac-md5;
> >       secret "othersecret";
> > };
> > acl "mydomain" {
> >        192.168.0.0/24;
> >        127.0.0.1;
> > };
>
> > controls {
> >       inet 127.0.0.1 port 953
> >              allow { 127.0.0.1; 192.168.0.2; } keys { "rndc-key"; };
> > };
>
> > options {
> >        directory "/var/bind/";
> >        pid-file "/var/run/named/named.pid";
> >        forwarders {
> >                192.168.0.1;
> >        };
> >        listen-on {
> >                127.0.0.1;
> >                192.168.0.2;
> >        };
> >        allow-query { "mydomain"; };
> > };
>
> > zone "." {
> >        type hint;
> >        file "named.ca";
> > };
>
> > zone "mydomain.local" IN {
> >        type master;
> >        file "pri/mydomain.local";
> >        allow-update { key "srv2.mydomain.local."; };
> > };
> > zone "0.168.192.in-addr.arpa" IN {
> >        type master;
> >        file "pri/192.168.0.rev";
> >        allow-update { key "srv2.mydomain.local."; };
> > };
>
> > zone "localhost" IN {
> >        type master;
> >        file "pri/localhost";
> >        allow-update { none; };
> > };
> > zone "0.0.127.in-addr.arpa" IN {
> >        type master;
> >        file "pri/localhost.rev";
> >        allow-update { none; };
> > };
>
> > dhcpd.conf:
> > server-identifier 192.168.0.2;
> > option domain-name-servers 192.168.0.2;
>
> > ddns-hostname=pick(option fqdn.hostname, option host-name);
> > ddns-domainname "mydomain.local.";
> > ddns-rev-domainname "in-addr.arpa.";
> > ddns-ttl 3600;
> > ddns-updates on;
> > ddns-update-style interim;
> > #allow client-updates;
> > authoritative;
> > update-static-leases on;
>
> > key srv2.mydomain.local. {
> >        algorithm hmac-md5;
> >        secret "mysecret";
> > }
> > key rndc-key {
> >        algorithm hmac-md5;
> >        secret "othersecret";
> > }
>
> > zone 0.168.192.in-addr.arpa. {
> >        primary 192.168.0.1;
> >        key srv2.mydomain.local.;
> > }
> > zone mydomain.local. {
> >        primary 192.168.0.1;
> >        key srv2.mydomain.local.;
> > }
>
> > default-lease-time 86400;
> > max-lease-time 86400;
>
> > subnet 192.168.0.0 netmask 255.255.255.0 {
> >        option domain-name "mydomain.local";
> >        option routers 192.168.0.1;
> >        range 192.168.0.10 192.168.0.100;
>
> >        group { # Servers
> >                host srv1 {
> >                        hardware ethernet 00:50:8B:8B:78:70;
> >                        fixed-address 192.168.0.1;
> >                }
> >                host srv2 {
> >                        hardware ethernet 00:08:C7:09:AC:F0;
> >                        fixed-address 192.168.0.2;
> >                }
> >        }
> > }
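The point Chris makes above is that dhcpd never sends the update because it cannot turn the `key` statement into usable TSIG material, so nothing ever reaches named. Three things have to hold for a signed dynamic update to work: the `secret` must be base64 text, dhcpd's `key` block must be the same name, algorithm and secret as named's, and the zone in dhcpd.conf must sign with the key that the zone's `allow-update` in named.conf accepts. The script below is an added example, not code from the thread or from ISC: it reads both configs with a small brace-counting parser (an assumption; it is not named's or dhcpd's real parser) and reports those mismatches. The two config strings are constructed from the shape of the configs quoted above, with the same placeholder secrets, so the audit shows what a validity check does and does not catch.

```python
import base64
import binascii
import re

# Constructed sample configs in the shape of the thread's named.conf and
# dhcpd.conf (placeholder secrets, not anyone's real key material).
NAMED_CONF = """
key srv2.mydomain.local. {
        algorithm hmac-md5;
        secret "mysecret";
};
key rndc-key {
        algorithm hmac-md5;
        secret "othersecret";
};
zone "mydomain.local" IN {
        type master;
        file "pri/mydomain.local";
        allow-update { key "srv2.mydomain.local."; };
};
"""

DHCPD_CONF = """
key srv2.mydomain.local. {
        algorithm hmac-md5;
        secret "mysecret";
}
zone mydomain.local. {
        primary 192.168.0.2;
        key srv2.mydomain.local.;
}
"""

# Digest length in bytes per TSIG algorithm; a secret shorter than the
# digest gives less than the algorithm's nominal strength.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}


def blocks(text, keyword):
    """Yield (name, body) for every `keyword NAME { ... }` block in text.
    Braces are counted so nested sub-blocks stay inside body.  A bare
    `key NAME;` reference (no brace) is deliberately not matched."""
    pattern = r'\b%s\s+"?([^\s"{;]+)"?(?:\s+IN)?\s*\{' % keyword
    for m in re.finditer(pattern, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def norm(name):
    """Canonical form of a key or zone name: lower-case, one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_keys(text):
    """Map canonical key name -> (algorithm, secret) for each key block."""
    keys = {}
    for name, body in blocks(text, "key"):
        alg = re.search(r"algorithm\s+([\w-]+)\s*;", body)
        sec = re.search(r'secret\s+"([^"]*)"', body)
        if alg and sec:
            keys[norm(name)] = (alg.group(1).lower(), sec.group(1))
    return keys


def check_secret(alg, secret):
    """Findings for one TSIG secret: it must be base64 text and should be
    at least as long as the algorithm's digest.  A short word such as
    "mysecret" is well-formed base64 (8 chars, all in the alphabet), so a
    syntax check alone does not catch a forgotten placeholder; the length
    check does.  The secret should be the base64 string a key generator
    emits, never a hand-typed word."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return ["secret %r is not valid base64" % secret]
    findings = []
    want = DIGEST_BYTES.get(alg)
    if want is None:
        findings.append("unknown algorithm %r" % alg)
    elif len(raw) < want:
        findings.append("secret decodes to %d bytes, below the %d-byte %s digest"
                        % (len(raw), want, alg))
    if alg == "hmac-md5":
        findings.append("hmac-md5 is deprecated for TSIG; prefer hmac-sha256")
    return findings


def update_key_refs(named_text, dhcpd_text):
    """Map zone -> [key named's allow-update accepts, key dhcpd signs with]."""
    refs = {}
    for zone, body in blocks(named_text, "zone"):
        m = re.search(r'allow-update\s*\{\s*key\s+"?([^\s";]+)"?\s*;', body)
        if m:
            refs.setdefault(norm(zone), [None, None])[0] = norm(m.group(1))
    for zone, body in blocks(dhcpd_text, "zone"):
        m = re.search(r'\bkey\s+"?([^\s";{]+)"?\s*;', body)
        if m:
            refs.setdefault(norm(zone), [None, None])[1] = norm(m.group(1))
    return refs


def audit(named_text, dhcpd_text):
    """Return a sorted list of findings about the DDNS key setup."""
    named_keys, dhcpd_keys = parse_keys(named_text), parse_keys(dhcpd_text)
    findings = []
    for name, (alg, sec) in sorted({**named_keys, **dhcpd_keys}.items()):
        findings += ["key %s: %s" % (name, f) for f in check_secret(alg, sec)]
    for zone, (allow, signer) in sorted(update_key_refs(named_text, dhcpd_text).items()):
        if signer and signer not in dhcpd_keys:
            findings.append("zone %s: dhcpd references undefined key %s" % (zone, signer))
        if allow and signer and allow != signer:
            findings.append("zone %s: named allows %s but dhcpd signs with %s"
                            % (zone, allow, signer))
        if signer in named_keys and signer in dhcpd_keys \
                and named_keys[signer] != dhcpd_keys[signer]:
            findings.append("key %s: algorithm/secret differ between named.conf and dhcpd.conf"
                            % signer)
    return findings


if __name__ == "__main__":
    for line in audit(NAMED_CONF, DHCPD_CONF):
        print(line)
```

On the constructed configs the audit rejects `othersecret` outright (11 characters cannot be base64) but accepts `mysecret` as syntax, flagging it only because it decodes to 6 bytes, well below the 16-byte HMAC-MD5 digest; that is why the thread's advice to paste the generated key string rather than a word is the right fix. The same two checks also accept the poster's `2A==` test key as valid base64 and flag it as far too short.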