tsig key not found

Michael Lipp mnl at mnl.de
Wed Jan 17 17:40:35 UTC 2024


Thanks a lot! I spent almost a day on testing different configurations 
and key names (examples often use fqdns for the key names and I thought 
this might be the cause of the problem).

I suppose I would eventually have found out about this if the response 
had been BADSIG (as described here 
https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors). As it 
is, I was too focused on finding a problem with defining a key at all. 
Maybe pointing out this would be an acceptable issue...

Thanks again!

  - Michael

On 17.01.24 at 18:26, Anand Buddhdev wrote:
> On 17/01/2024 18:18, Michael Lipp wrote:
>
> Hi Michael,
>
>> I have defined a key in named.conf:
>>
>> key "acme-dns01" { algorithm hmac-sha256; secret 
>> "+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E="; };
>
> Your key algorithm is hmac-sha256, but see below...
>
> [snip]
>
>> I'm using the key in a grant (but this doesn't really matter):
>>
>> update-policy { grant acme-dns01 zonesub txt; };
>>
>> When I try to make use of the "key:secret" using nsupdate, it is 
>> sent as expected:
>>
>> ;; TSIG PSEUDOSECTION: acme-dns01. 0 ANY TSIG 
>> hmac-md5.sig-alg.reg.int. 1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 
>> 13850 NOERROR 0
>>
>> But I get a BADKEY in the response, which means that the key is 
>> unknown <https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors>.
>
> Note the hmac-md5 there. You need to precede the key with hmac-sha256, 
> without which, nsupdate defaults to hmac-md5 (documented in the 
> nsupdate man page).
>
> Regards,
> Anand Buddhdev
> RIPE NCC
