Hi Michael,

On 17/01/2024 18:18, Michael Lipp wrote:
> I have defined a key in named.conf:
>
> key "acme-dns01" { algorithm hmac-sha256; secret "+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E="; };
Your key algorithm is hmac-sha256, but see below...
[snip]
> I'm using the key in a grant (but this doesn't really matter):
>
> update-policy { grant acme-dns01 zonesub txt; };
>
> When I try to make use of the "key:secret" using nsupdate, it is sent
> as expected:
>
> ;; TSIG PSEUDOSECTION: acme-dns01. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0
>
> But I get a BADKEY in the response, which means that the key is
> unknown <https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors>.
Note the hmac-md5 there. You need to precede the key with hmac-sha256,
without which nsupdate defaults to hmac-md5 (documented in the nsupdate
man page).
Regards,
Anand Buddhdev
RIPE NCC
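The mismatch Anand points out (a named.conf key declared as hmac-sha256 but presented to nsupdate without an algorithm prefix, so the TSIG record goes out as hmac-md5 and the server answers BADKEY) is easy to check before running nsupdate. The script below is an added example, not code from this thread or from ISC: it parses the key statement out of a named.conf fragment, derives the algorithm nsupdate would actually sign with for a given key spec, and emits the interactive `key` line and the `-y` option with the algorithm prefix included. The named.conf text and its secret are constructed placeholders, not the key from the thread.

```python
import re

# Constructed named.conf fragment for the example; the secret is a placeholder, not a real key.
NAMED_CONF = '''
key "acme-dns01" {
    algorithm hmac-sha256;
    secret "ZXhhbXBsZS1wbGFjZWhvbGRlci1zZWNyZXQ=";
};
'''

# Matches: key "name" { algorithm <alg>; secret "<base64>"; };
KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;',
    re.IGNORECASE | re.DOTALL,
)

# nsupdate's documented default when the key spec carries no "hmac:" prefix.
# In a TSIG pseudosection this shows up as hmac-md5.sig-alg.reg.int.
DEFAULT_HMAC = "hmac-md5"


def _norm(name):
    """Key names are DNS names: compare case-insensitively, ignoring a trailing dot."""
    return name.lower().rstrip(".")


def parse_named_conf_keys(text):
    """Return {name: (algorithm, secret)} for every key statement in text."""
    return {
        _norm(m.group("name")): (m.group("alg").lower(), m.group("secret"))
        for m in KEY_RE.finditer(text)
    }


def effective_algorithm(key_spec):
    """Algorithm nsupdate will sign with for a 'key' argument or -y value.
    Accepts 'name' or 'hmac:name'; a missing prefix means hmac-md5."""
    if ":" in key_spec:
        hmac, _name = key_spec.split(":", 1)
        return hmac.lower()
    return DEFAULT_HMAC


def server_accepts(key_spec, keys):
    """True when the server's key block has the same name and algorithm as the
    TSIG record nsupdate will produce for key_spec; otherwise expect BADKEY."""
    name = key_spec.split(":", 1)[1] if ":" in key_spec else key_spec
    entry = keys.get(_norm(name))
    return entry is not None and entry[0] == effective_algorithm(key_spec)


def nsupdate_key_command(name, keys):
    """The interactive nsupdate 'key' line, with the algorithm prefix filled in."""
    alg, secret = keys[_norm(name)]
    return f"key {alg}:{name} {secret}"


def nsupdate_y_option(name, keys):
    """The equivalent command-line form: nsupdate -y hmac:name:secret."""
    alg, secret = keys[_norm(name)]
    return f"-y {alg}:{name}:{secret}"


if __name__ == "__main__":
    keys = parse_named_conf_keys(NAMED_CONF)
    for spec in ("acme-dns01", "hmac-sha256:acme-dns01"):
        verdict = "accepted" if server_accepts(spec, keys) else "BADKEY expected"
        print(f"{spec:28} signs with {effective_algorithm(spec):12} -> {verdict}")
    print(nsupdate_key_command("acme-dns01", keys))
    print("nsupdate", nsupdate_y_option("acme-dns01", keys))
```

Passing the named.conf key file itself with `nsupdate -k keyfile` sidesteps the problem entirely, since the file carries the algorithm; the generated `key` line and `-y` form above are the equivalent when the secret is supplied inline.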
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users