Bug#831594: nsupdate: key invalid after update to 1:9.9.5.dfsg-9+deb8u6: TSIG error with server

[frank]

Package: dnsutils
Version: 1:9.9.5.dfsg-9+deb8u6
Severity: normal

Dear Maintainer,


I have a dynamic dns setup as described here:

http://linux.yyz.us/dns/ddns-server.html

One client stopped working. As the DNS update only occurs if the IP
addresses are changing, it is not fully clear to what exactly caused
this. I tried to analyze the problem:

Client A running dnsutils 1:9.9.5.dfsg-9+deb8u6 cannot update bind9.
Client B running dnsutils 1:9.9.5.dfsg-9+deb8u5 can update bind9.

The bind9 server has the following versions installed:

bind9 1:9.9.5.dfsg-4~bpo70+1 
dnsutils 1:9.8.4.dfsg.P1-6+nmu2+deb7u10

The update script looks as follows:

#!/bin/sh

# ...

/usr/bin/nsupdate -k $KEY -v << EOF
server $NS
zone $ZONE
update delete $DOMAIN A
update add $DOMAIN 30 A $IPV4
send
EOF

The key was created with:

$ dnssec-keygen -a HMAC-SHA512 -b 512 -n USER host

and look like:


Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: k...==
Created: 20160708155217
Publish: 20160708155217
Activate: 20160708155217


If I transfer copy script and key to client B it works ok.
On client A the script fails with:


; TSIG error with server: expected a TSIG or SIG(0)
update failed: NOTAUTH

I tried to look into the bind9 git

git://git.debian.org/~lamont/bind9.git,

but was not able to find the corresponding git hashes

Is this expected behaviour? Howto resolve the situation? 

kind regards
  Frank



*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dnsutils depends on:
ii  bind9-host [host]  1:9.9.5.dfsg-9+deb8u6
ii  libbind9-90        1:9.9.5.dfsg-9+deb8u6
ii  libc6              2.19-18+deb8u4
ii  libcap2            1:2.24-8
ii  libcomerr2         1.42.12-1.1
ii  libdns100          1:9.9.5.dfsg-9+deb8u6
ii  libgssapi-krb5-2   1.12.1+dfsg-19+deb8u2
ii  libisc95           1:9.9.5.dfsg-9+deb8u6
ii  libisccfg90        1:9.9.5.dfsg-9+deb8u6
ii  libk5crypto3       1.12.1+dfsg-19+deb8u2
ii  libkrb5-3          1.12.1+dfsg-19+deb8u2
ii  liblwres90         1:9.9.5.dfsg-9+deb8u6
ii  libssl1.0.0        1.0.1k-3+deb8u4
ii  libxml2            2.9.1+dfsg1-5+deb8u1

dnsutils recommends no packages.

Versions of packages dnsutils suggests:
pn  rblcheck  <none>

-- no debconf information