FAQ question regarding TSIG (bind9)

Kevin Darcy kcd at daimlerchrysler.com
Fri Oct 13 00:37:23 UTC 2000


1. How did you generate the key? Did you use

dnskeygen -H 128 -h -n leetah.dyn.bogus.net.

or something else? (At least, that works for BIND 8; I assume it hasn't changed for
BIND 9).

2. Have you tried the "-k" option with nsupdate instead of "-y" (specifying the key
file)? Does that work? Note that the "-y" option is discouraged because it exposes the
key on the command line.


- Kevin

Tor Houghton wrote:

> Tor Houghton <torh at bearclaw.bogus.net> wrote:
> > [snip]
>
> Ok, I know it is wrong to reply to your own postings, but since I
> wrote the last message, I've come a little further (trial and error
> and the 1000 monkey technique).
>
> Now, however, I am having serious trouble doing the dynamic updates
> from the client.
>
> I have generated a HMAC-MD5 key which looks like this:
>
> named.conf:
>
> // dynamic update keys
> key leetah.dyn.bogus.net. { algorithm hmac-md5; secret "ta2Pz4v3UjRNWdII+xpnrw==";};
>
> zone "leetah.dyn.bogus.net" {
>         type master;
>         file "dyn/leetah";
>         notify no;
>         allow-update { key leetah.dyn.bogus.net. ; };
> };
>
> However, when I try to do an update from the client;
>
> [root at moonshade /root]# nsupdate -y leetah.dyn.bogus.net.:ta2Pz4v3UjRNWdII+xpnrw==
> > server redlance.bogus.net.
> > update delete leetah.dyn.bogus.net.
> >
> dns_request_getresponse: tsig verify failure
> [root at moonshade /root]#
>
> .... the update fails miserably.
>
> What am I doing wrong here?
>
> Best regards,
>
> Tor
>
> (BTW; the keys have been changed to protect the innocent)
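To show what the server is actually checking when it answers "tsig verify failure", here is an added example (not from this thread and not BIND's code) that computes and verifies the RFC 2845 HMAC-MD5 TSIG MAC over a constructed copy of the "update delete leetah.dyn.bogus.net." request above. It assumes the caller has already stripped the TSIG RR from the wire message; the function names, the sample message bytes and the reuse of the thread's already-changed secret are mine.

```python
import base64
import hashlib
import hmac
import struct
import time

# Algorithm name TSIG uses for HMAC-MD5 (RFC 2845); it is part of the signed data.
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."

def wire_name(name):
    """Canonical wire form: lowercased, length-prefixed labels ending in a root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)                                       # CLASS ANY, TTL 0
            + wire_name(HMAC_MD5)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(message, key_name, secret_b64, time_signed, fudge=300):
    """HMAC-MD5 over the unsigned message (TSIG RR removed, ARCOUNT decremented) plus the variables."""
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message + tsig_variables(key_name, time_signed, fudge), hashlib.md5).digest()

def tsig_verify(message, key_name, mac, known_keys, time_signed, fudge, now=None):
    """Server-side check: key must be known, time within fudge, MAC must match (constant-time compare)."""
    now = int(time.time()) if now is None else now
    secret = known_keys.get(key_name.lower().rstrip(".") + ".")
    if secret is None:
        return "BADKEY"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    expected = tsig_mac(message, key_name, secret, time_signed, fudge)
    return "NOERROR" if hmac.compare_digest(expected, mac) else "BADSIG"

# Constructed sample: the thread's "update delete leetah.dyn.bogus.net." request, unsigned.
ZONE = "leetah.dyn.bogus.net."
KEY_NAME = "leetah.dyn.bogus.net."
SECRET = "ta2Pz4v3UjRNWdII+xpnrw=="            # the already-changed secret quoted in the thread
SERVER_KEYS = {KEY_NAME: SECRET}             # what the named.conf key statement amounts to
SAMPLE_UPDATE = (struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 1, 0)           # header, opcode UPDATE
                 + wire_name(ZONE) + struct.pack("!HH", 6, 1)                   # zone section: SOA IN
                 + wire_name(ZONE) + struct.pack("!HHIH", 255, 255, 0, 0))      # delete all RRs at name

if __name__ == "__main__":
    t = int(time.time())
    mac = tsig_mac(SAMPLE_UPDATE, KEY_NAME, SECRET, t)
    print(tsig_verify(SAMPLE_UPDATE, KEY_NAME, mac, SERVER_KEYS, t, 300))            # NOERROR
    print(tsig_verify(SAMPLE_UPDATE, "other.bogus.net.", mac, SERVER_KEYS, t, 300))  # BADKEY
```

Because the key name and the algorithm name are inside the MAC input, a client and server that disagree on either (or whose clocks differ by more than the fudge) fail verification even when the secret is identical.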
