tsig key not found

Anand Buddhdev anandb at ripe.net
Wed Jan 17 17:26:19 UTC 2024


On 17/01/2024 18:18, Michael Lipp wrote:

Hi Michael,

> I have defined a key in named.conf:
> 
> key "acme-dns01" { algorithm hmac-sha256; secret
> "+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E="; };

Your key algorithm is hmac-sha256, but see below...

[snip]

> I'm using the key in a grant (but this doesn't really matter):
> 
> update-policy { grant acme-dns01 zonesub txt; };
> 
> When I try to make use of the "key:secret" using nsupdate, it is sent
> as expected:
> 
> ;; TSIG PSEUDOSECTION: acme-dns01. 0 ANY TSIG hmac-md5.sig-alg.reg.int.
> 1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0
>
> But I get a BADKEY in the response, which means that the key is
> unknown <https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors>.

Note the hmac-md5 there. You need to precede the key with hmac-sha256, 
without which nsupdate defaults to hmac-md5 (documented in the nsupdate 
man page).

Regards,
Anand Buddhdev
RIPE NCC
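Added example, not part of the thread or of BIND's own tooling: a small POSIX shell helper that keeps the TSIG algorithm explicit, either by building the -y argument as hmac-sha256:keyname:secret or by handing the same named.conf key statement to nsupdate -k, so nsupdate never silently signs with hmac-md5. The server, zone, file path and secret used are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): drive nsupdate for an ACME dns-01
# TXT record with the TSIG algorithm stated explicitly. Names, paths and
# secrets used here are constructed placeholders.

# nsupdate's -y argument is [hmac:]keyname:secret. Leaving out the hmac
# part makes nsupdate sign with hmac-md5, so a server whose key is
# hmac-sha256 answers BADKEY. This builder refuses to emit a bare
# keyname:secret and only accepts algorithms nsupdate understands.
tsig_arg() {
    # $1 = algorithm, $2 = key name, $3 = base64 secret
    case "$1" in
        hmac-md5|hmac-sha1|hmac-sha224|hmac-sha256|hmac-sha384|hmac-sha512) ;;
        *) echo "tsig_arg: unsupported or missing algorithm: '$1'" >&2; return 1 ;;
    esac
    printf '%s:%s:%s' "$1" "$2" "$3"
}

# Read the algorithm out of a named.conf-style key statement, e.g.
#   key "acme-dns01" { algorithm hmac-sha256; secret "..."; };
# so the client uses exactly what the server was configured with.
key_algorithm() {
    # $1 = path to the key file
    awk '{ for (i = 1; i < NF; i++) if ($i == "algorithm") {
               gsub(/[";]/, "", $(i + 1)); print $(i + 1); exit } }' "$1"
}

# Add the challenge TXT record. -k takes the same key statement file, so
# the algorithm travels with the key instead of being retyped on the
# command line. Server and zone are placeholders.
add_acme_txt() {
    # $1 = key file, $2 = server, $3 = zone, $4 = record FQDN, $5 = token
    alg=$(key_algorithm "$1")
    [ -n "$alg" ] || { echo "no algorithm statement in $1" >&2; return 1; }
    nsupdate -k "$1" <<EOF
server $2
zone $3
update add $4 300 IN TXT "$5"
send
EOF
}

# Usage (needs a reachable BIND with an update-policy grant for the key):
#   add_acme_txt /etc/bind/acme-dns01.key ns1.example.net example.net \
#       _acme-challenge.example.net TOKEN-PLACEHOLDER
```

If the TSIG pseudosection in the sent packet still shows hmac-md5.sig-alg.reg.int., the algorithm prefix or the key file is not being applied.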