Hi all,

I am using Kea as DHCP server and Bind as DNS server. The DDNS setup itself works great, but as soon as I add a TSIG key it doesn’t work anymore. Bind complains about wrong signature, Kea logs don’t show anything about TSIG. Config is as follows:

--- Kea ---
{
  "DhcpDdns": {
    "forward-ddns": {
      "ddns-domains": [
        {
          "dns-servers": [
            {
              "ip-address": "10.1.2.223",
              "port": 53
            }
          ],
          "key-name": "kea-ddns",
          "name": "xxx-xxx.de."
        }
      ]
    },
    "loggers": [
      {
        "debuglevel": 99,
        "name": "kea-dhcp-ddns",
        "output_options": [
          {
            "output": "/var/log/kea-ddns.log"
          }
        ],
        "severity": "DEBUG"
      }
    ],
    "reverse-ddns": {},
    "tsig-keys": [
      {
        "algorithm": "HMAC-SHA512",
        "name": "kea-ddns",
        "secret": "xxx-key-value-xxx"
      }
    ]
  }
}
--- end ---

--- bind config ---
key "kea-ddns" {
    algorithm HMAC-SHA512;
    secret "xxx-key-value-xxx";
};

zone "xxx-xxx.de" IN {
    type master;
    file "/var/named/xxx-xxx.de";
    notify yes;
    allow-update { key kea-ddns; };
};
--- end ---

The logs are not very helpful either:

Bind
> 20-Jun-2021 15:28:50.628 client @0x7ffb3c0a25f0 10.1.2.221#45981: request has invalid signature: TSIG kea-ddns: tsig verify failure (BADKEY)

Kea:
--- Kea log ---
2021-06-20 15:38:30.409 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_STARTING_TRANSACTION Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6:
2021-06-20 15:38:30.409 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: Forward Add to server: 10.1.2.223 port:53
2021-06-20 15:38:30.410 DEBUG [kea-dhcp-ddns.asiodns/145650.139735403791552] ASIODNS_FETCH_COMPLETED upstream fetch to 10.1.2.223(53) has now completed
2021-06-20 15:38:30.410 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_INVALID_RESPONSE received response to DNS Update message is malformed: TSIG verification failed: BADKEY
2021-06-20 15:38:30.410 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: to server: 10.1.2.223 port:53 status: INVALID_RESPONSE
2021-06-20 15:38:30.410 ERROR [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_FORWARD_ADD_RESP_CORRUPT DHCP_DDNS Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: received a corrupt response from the DNS server, 10.1.2.223 port:53, while adding forward address mapping for FQDN, dhcp-test.xxx-xxx.de.
2021-06-20 15:38:30.410 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: Forward Add to server: 10.1.2.223 port:53
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.asiodns/145650.139735403791552] ASIODNS_FETCH_COMPLETED upstream fetch to 10.1.2.223(53) has now completed
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_INVALID_RESPONSE received response to DNS Update message is malformed: TSIG verification failed: BADKEY
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: to server: 10.1.2.223 port:53 status: INVALID_RESPONSE
2021-06-20 15:38:30.411 ERROR [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_FORWARD_ADD_RESP_CORRUPT DHCP_DDNS Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: received a corrupt response from the DNS server, 10.1.2.223 port:53, while adding forward address mapping for FQDN, dhcp-test.xxx-xxx.de.
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: Forward Add to server: 10.1.2.223 port:53
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.asiodns/145650.139735403791552] ASIODNS_FETCH_COMPLETED upstream fetch to 10.1.2.223(53) has now completed
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_INVALID_RESPONSE received response to DNS Update message is malformed: TSIG verification failed: BADKEY
2021-06-20 15:38:30.411 DEBUG [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: to server: 10.1.2.223 port:53 status: INVALID_RESPONSE
2021-06-20 15:38:30.411 ERROR [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_FORWARD_ADD_RESP_CORRUPT DHCP_DDNS Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: received a corrupt response from the DNS server, 10.1.2.223 port:53, while adding forward address mapping for FQDN, dhcp-test.xxx-xxx.de.
2021-06-20 15:38:30.411 ERROR [kea-dhcp-ddns.d2-to-dns/145650.139735403791552] DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID 000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6: Transaction outcome Status: Failed, Event: NO_MORE_SERVERS_EVT, Forward change: failed, request:
    Type: 0 (CHG_ADD)
    Forward Change: yes
    Reverse Change: no
    FQDN: [dhcp-test.xxx-xxx.de.]
    IP Address: [10.1.20.50]
    DHCID: [000101118674DADBE035007DB3F4C79EFFC9D49D79C0DB0BEADC2FECC8CEC42B7612E6]
    Lease Expires On: 20210620150043
    Lease Length: 1333
    Conflict Resolution: yes
--- end ---

Without TSIG config, everything works just fine. Any idea what I’m doing wrong?

Thanks in advance and best regards
Daniel
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
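
A consistency check for the two configurations shown in the message above, as an added example (not part of the original post and not ISC code): it compares the TSIG key name, algorithm and secret in the Kea `DhcpDdns` JSON with the `key` statements in named.conf and reports mismatches without printing any secret. The sample configs, zone name, address and secret are constructed placeholders, and the named.conf parsing is a simplified regex that assumes plain `key` statements without comments or includes.

```python
import base64, json, re
# Constructed sample inputs modelled on the post; all values are placeholders.
KEA_D2 = json.loads("""{"DhcpDdns": {
  "forward-ddns": {"ddns-domains": [
    {"name": "example.test.", "key-name": "kea-ddns",
     "dns-servers": [{"ip-address": "192.0.2.53", "port": 53}]}]},
  "tsig-keys": [{"name": "kea-ddns", "algorithm": "HMAC-SHA512",
                 "secret": "c2FtcGxlLXNlY3JldC1ub3QtcmVhbA=="}]}}""")
NAMED_CONF = """
key "kea-ddns" { algorithm HMAC-SHA512; secret "c2FtcGxlLXNlY3JldC1ub3QtcmVhbA=="; };
zone "example.test" IN { type master; allow-update { key kea-ddns; }; };
"""

KEY_RE = re.compile(r'\bkey\s+"?([^"\s{;]+)"?\s*\{([^}]*)\}', re.I)

def norm(name):
    # TSIG key names are domain names: compare case-insensitively, ignore final dot.
    return name.lower().rstrip(".")

def bind_keys(text):
    """Map key name -> (algorithm, secret) for each named.conf key statement."""
    keys = {}
    for name, body in KEY_RE.findall(text):
        alg = re.search(r'algorithm\s+"?([\w.-]+)"?\s*;', body, re.I)
        sec = re.search(r'secret\s+"([^"]*)"\s*;', body, re.I)
        keys[norm(name)] = (alg and alg.group(1).lower(), sec and sec.group(1))
    return keys

def check(d2, named_text):
    """Return mismatches between Kea D2 TSIG keys and BIND key statements."""
    problems, bind = [], bind_keys(named_text)
    cfg = d2["DhcpDdns"]
    kea = {norm(k["name"]): k for k in cfg.get("tsig-keys", [])}
    for dom in cfg.get("forward-ddns", {}).get("ddns-domains", []):
        ref = norm(dom.get("key-name", ""))
        if ref and ref not in kea:
            problems.append(f"{dom['name']}: key-name {ref} not in tsig-keys")
    for name, k in kea.items():
        try:
            base64.b64decode(k["secret"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{name}: secret is not valid base64")
        alg, secret = bind.get(name, (None, None))
        if name not in bind:
            problems.append(f"{name}: no key statement in named.conf")
        elif (alg, secret) != (k["algorithm"].lower(), k["secret"]):
            field = "algorithm" if alg != k["algorithm"].lower() else "secret"
            problems.append(f"{name}: {field} differs")
    return problems
```

To run it against real files, load the Kea JSON with `json.load` and pass the text of the named.conf that BIND actually loads; an empty list means the two key definitions agree.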