nsupdate fails with tsig error.

Anthony Ercolano anthony.ercolano at gmail.com
Thu Nov 29 01:58:15 UTC 2007


Here is a copy of my dhcpd.conf (secrets obscured).

 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# Global dhcpd settings for ercolano.com: options handed to every client, the
# default lease lifetime, and the DDNS configuration that drives the signed
# updates sent to 209.181.88.209.
option domain-name "ercolano.com";
option domain-name-servers 209.181.88.209,209.181.88.210;

# 30 days, in seconds.
default-lease-time 2592000;

# DDNS: "interim" update style with updates enabled; forward names are
# placed under ercolano.com, reverse names under the domain given below.
ddns-update-style interim;
ddns-updates on;
ddns-domainname "ercolano.com";
# NOTE(review): dhcpd builds the reverse name by appending ddns-rev-domainname
# to the reversed lease address, so with "10.in-addr.arpa" a 10.0.0.x lease
# would presumably be named x.0.0.10.10.in-addr.arpa, which is outside the
# 10.in-addr.arpa zone declared below -- confirm against dhcpd.conf(5); the
# usual value is "in-addr.arpa.".
ddns-rev-domainname "10.in-addr.arpa";
# Presumably: the server performs the A/PTR updates itself rather than
# honouring a client's request to update its own record.
ignore client-updates;
authoritative;

# TSIG key the DHCP server signs its updates with. The name and the secret
# must match the key statement of the same name in named.conf byte for byte.
# The BADSIG seen in the nsupdate reply and the named log further down means
# the server located a key by this name but the HMAC did not verify -- which
# typically points at the secret differing between the two sides, or at the
# signed message being altered somewhere between client and server.
key ns1-dhcpsrc.ercolano.net. {
         algorithm hmac-md5;
         secret "supersecretsecret==";
};

# Reverse zone dhcpd updates, sent to the primary with the DHCP key. DNS names
# are case-insensitive, so this is the "10.IN-ADDR.ARPA" zone in named.conf,
# whose allow-update lists the same key name.
zone 10.in-addr.arpa {
         primary 209.181.88.209;
         key ns1-dhcpsrc.ercolano.net.;
}

# Forward zone dhcpd updates (matches ddns-domainname above); named.conf's
# allow-update for ercolano.com names the same key.
zone ercolano.com {
         primary 209.181.88.209;
         key ns1-dhcpsrc.ercolano.net.;
}


# Internal subnet served by this DHCP server: a dynamic pool 10.0.0.150-200
# plus two PXE-booting hosts with fixed addresses.
subnet 10.0.0.0 netmask 255.255.255.0 {
     range 10.0.0.150 10.0.0.200;
     option routers 10.0.0.1;
     # DDNS forward label: the client-supplied host-name when the client sent
     # one, otherwise "dhcp-a-b-c-d" built from the leased address. Because
     # the client-chosen name wins, any client on this subnet can register a
     # label of its choosing under ercolano.com; dropping the host-name
     # alternative and always using the address-derived form avoids that.
     ddns-hostname =
         pick ( option host-name,
	       concat("dhcp-",binary-to-ascii (10,8,"-",leased-address)));

     # Fixed-address hosts: each gets a root-path option and a PXE boot file.
     host soekris1 {
         option host-name "soekris1";
         hardware ethernet 00:00:24:C4:7B:74 ;
         fixed-address 10.0.0.61;
         option root-path "/tftpboot";
         filename "/pxeboot";
     }
     host soekris2 {
         option host-name "soekris2";
         hardware ethernet 00:00:24:C1:36:00 ;
         fixed-address 10.0.0.62;
         option root-path "/tftpboot";
         filename "/pxeboot";
     }
}

 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

This dhcp server lives on an internal network address of 10.0.0.xx

Here is the named.conf file on 209.181.88.209


 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Access-control lists.
// NOTE(review): this acl is spelled "frendsnameserver", but every zone
// allow-transfer list below references "friendsnameserver". named refuses to
// load a configuration that references an undefined acl, so as pasted this
// file cannot be what the running named loaded -- either a transcription typo
// or the live server is still running an older configuration. named-checkconf
// and the named startup log will tell which.
acl "frendsnameserver" { 192.0.0.0/24; };
// Hosts permitted recursion and cache reads (see allow-recursion /
// allow-query-cache in options).
acl trusted  
{209.181.88.209;209.181.88.210;209.181.88.211;209.181.88.212;209.181.88.213;209.181.88.214 
;localhost;localnets;};

// TSIG key shared between ns1 and ns2; used when talking to 209.181.88.210
// (server statement below) and accepted for zone transfers of every zone.
key ns1-ns2.ercolano.net. {
         algorithm hmac-md5;
	secret "another super secret==";
};

// TSIG key the DHCP server signs updates with. Name and secret must be
// identical to the key statement in dhcpd.conf; it is the only key allowed to
// update 10.IN-ADDR.ARPA and ercolano.com (allow-update below).
key ns1-dhcpsrc.ercolano.net. {
         algorithm hmac-md5;
	secret "supersecretsecret==";
};

// Requests named itself sends to ns2 (notifies, transfers) are signed with
// the ns1-ns2 key.
server 209.181.88.210 {
         keys { ns1-ns2.ercolano.net.; };
};

// NOTE(review): "ns1-dhcpsc.ercolano.net." (missing the 'r') is not defined
// by any key statement above; named rejects a server statement that names an
// unknown key, so -- as with the acl spelling -- this file as pasted would not
// load. 209.181.88.214 is also the address the NAT'd DHCP server's updates
// arrive from (see the named log line below). Per the BIND ARM a server{}
// keys clause governs requests named sends to that address; a request
// originating from it is not required to be signed with this key, so this
// block is unlikely to be what produces the BADSIG -- confirm in the ARM for
// the BIND version in use.
server 209.181.88.214 {
         keys { ns1-dhcpsc.ercolano.net.; };
};

// Global server options. allow-update { none; } here is the default for every
// zone; only the two zones that set their own allow-update (10.IN-ADDR.ARPA
// and ercolano.com) accept dynamic updates, and only with the DHCP TSIG key.
options {
	directory "/var/bind";

	// uncomment the following lines to turn on DNS forwarding,
	// and change the forwarding ip address(es) :
	//forward first;
	//forwarders {
	//	123.123.123.123;
	//	123.123.123.123;
	//};

	// listen-on-v6 { none; };
         // listen-on { 127.0.0.1; };

	// to allow only specific hosts to use the DNS server:
	//allow-query {
	//	127.0.0.1;
	//};

	// Transfers are off by default and re-enabled per zone for the listed
	// keys/acl; recursion and cache reads are limited to the "trusted" acl,
	// while plain authoritative queries are open to anyone.
	allow-transfer { none; };
         allow-query { any; };
	allow-recursion { trusted; };
	allow-query-cache { trusted; };
	allow-update { none; };

	notify-source * port 53;

	// if you have problems and are behind a firewall:
	// NOTE(review): pinning the outgoing query port to 53 disables source
	// port randomisation for the recursive lookups this server performs,
	// which weakens its resistance to cache poisoning; prefer leaving the
	// port unspecified unless the firewall genuinely requires it.
	query-source address * port 53;
	pid-file "/var/run/named/named.pid";

	// Hide the BIND version string (version.bind CH TXT).
	version "No";

};


// Root hints, used for the recursion offered to "trusted" hosts.
zone "." IN {
	type hint;
	file "named.ca";
};

// Local-only forward zone; no notifies are sent for it.
zone "localhost" IN {
	type master;
	file "pri/localhost.zone";
	notify no;
};

// Loopback reverse zone; no notifies are sent for it.
zone "127.in-addr.arpa" IN {
	type master;
	file "pri/127.zone";
	notify no;
};

// Reverse zone for 10/8 that the DHCP server updates dynamically. Only
// requests signed with the DHCP key may update it (zone names are
// case-insensitive, so this is dhcpd.conf's "10.in-addr.arpa"). The
// "key ns1-" / "dhcpsrc..." split in allow-transfer below looks like mail
// line-wrapping of a single "key ns1-dhcpsrc.ercolano.net.;" entry.
zone "10.IN-ADDR.ARPA" {
	type master;
	file "pri/10.zone";
	allow-update { key ns1-dhcpsrc.ercolano.net.; };
	allow-transfer { key ns1-ns2.ercolano.net.; key ns1- 
dhcpsrc.ercolano.net.; };
};

// Static zone: no allow-update, so the global allow-update { none; } applies.
// Transfers go to the "friendsnameserver" acl (declared above as
// "frendsnameserver" -- see the note there) and to both TSIG keys.
zone "ercolano.net" IN {
	type master;
	file "pri/ercolano.net.zone";
	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key  
ns1-dhcpsrc.ercolano.net.; };
};
// Static zone, same transfer policy as ercolano.net; updates fall back to
// the global allow-update { none; }.
zone "ercolano.org" IN {
	type master;
	file "pri/ercolano.org.zone";
	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key  
ns1-dhcpsrc.ercolano.net.; };
};

// Forward zone the DHCP server updates (dhcpd.conf's ddns-domainname).
// Updates are authorised by key only, never by source address, which is the
// right choice given the DHCP server reaches this host through NAT.
zone "ercolano.com" IN {
	type master;
	file "pri/ercolano.com.zone";
	allow-update { key ns1-dhcpsrc.ercolano.net.; };
	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key  
ns1-dhcpsrc.ercolano.net.; };
};

// Reverse zone for the public 209.181.88.208-214 addresses (presumably an
// RFC 2317-style classless delegation); static, transfer-only.
zone "208-214.88.181.209.in-addr.arpa" IN {
	type master;
	file "pri/208-214.88.181.209.zone";
	allow-transfer { friendsnameserver; key ns1-ns2.ercolano.net.; key  
ns1-dhcpsrc.ercolano.net.; };
};

 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

If I execute the following nsupdate -d on the dhcp server machine I get:

dhcpsrc dhcp # nsupdate -d
 > server 209.181.88.209
 > zone ercolano.com
 > key ns1-dhcpsrc.ercolano.net. supersecretsecret==
 > update add bogu.ercolano.com 300 A 10.0.0.57
 > send
Sending update to 209.181.88.209#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  40437
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;ercolano.com.			IN	SOA

;; UPDATE SECTION:
bogu.ercolano.com.	300	IN	A	10.0.0.57

;; TSIG PSEUDOSECTION:
ns1-dhcpsrc.ercolano.net. 0	ANY	TSIG	hmac-md5.sig-alg.reg.int.  
1196299697 300 16 hmmmmmmm== 40437 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  40437
;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
ns1-dhcpsrc.ercolano.net. 0	ANY	TSIG	hmac-md5.sig-alg.reg.int.  
1196299697 300 0  40437 BADSIG 0

The error message on the bind server contains:

Nov 28 17:43:56 mail named[24825]: client 209.181.88.214#22283:  
request has invalid signature: TSIG ns1-dhcpsrc.ercolano.net: tsig  
verify failure (BADSIG)

Any thoughts on why this doesn't work?

Any thoughts on what sort of logging would be especially helpful on  
the bind server for finding the problem?

Could the problem be that the update request originates from the DHCP server at the NAT'ed address 10.0.0.37, passes through a Cisco DSL router, and arrives at the BIND server at 209.181.88.209 appearing to come from 209.181.88.214?

Thanks!

