TSIG dynamic updates (BIND9)

Gary McAfee/Raleigh/IBM gmcafee at us.ibm.com
Tue Oct 24 12:48:00 UTC 2000


>Has anyone managed to get this to work with BIND9? I still get
>"dns_request_getresponse: tsig verify failure" errors.

We've gotten it to work. TSIG verification problems can come from a number
of things. Among them: the algorithm or key name on your key statement
in named.conf doesn't match the algorithm or key name from your nsupdate;
the clocks aren't reasonably synchronized between the client and server
machines; the key doesn't exist; the secrets don't match.

The problem we were having before we got it to work was that the key name
in named.conf has to be the same as the key name on nsupdate.  It's not
enough to have a key with a matching secret.  In one of your other posts
you had:

key leetah.dyn.bogus.net. {
    algorithm hmac-md5;
    secret "ta2Pz4v3UjRNWdII+xpnrw==";
};

So your -k value on nsupdate must be -k leetah.dyn.bogus.net.+157+33024.private,
for example, assuming dnssec-keygen allows dots in the key name.

>How can I best debug this on the server side? What logging should I
>use?

I used debug trace (I used level 99, but that's probably overkill) and
security log, if I remember correctly.


Gary McAfee
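Added here as an illustration, not code from the original post or from BIND itself: a stripped-down TSIG HMAC-MD5 sign/verify in Python that computes the MAC over the message plus the TSIG variables of RFC 2845 and reports the same three error codes a server would, so the key-name, secret and clock-skew failures listed in the reply can each be seen on their own. The message bytes, the fixed "now" timestamp and the other.dyn.bogus.net. name are constructed for the demo; the key name and secret are the ones quoted in the thread.

```python
import base64, hashlib, hmac, struct

ALGORITHM = "hmac-md5.sig-alg.reg.int."   # wire name of HMAC-MD5 for TSIG (RFC 2845)
BADSIG, BADKEY, BADTIME = 16, 17, 18      # TSIG error codes (RFC 2845 section 1.7)

def canon(name):
    """Canonical key name: lowercase, single trailing dot (TSIG compares names case-insensitively)."""
    return name.rstrip(".").lower() + "."

def encode_name(name):
    """DNS wire format of a domain name in canonical (lowercase) form."""
    out = b""
    for label in canon(name).rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0):
    """TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2): name, CLASS ANY, TTL 0,
    algorithm name, 48-bit time signed, fudge, error, other-data length (0)."""
    return (encode_name(key_name) + struct.pack("!HI", 255, 0) + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, 0))

def sign(message, key_name, secret, time_signed, fudge=300):
    """Client side: MAC over the message followed by the TSIG variables."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge), hashlib.md5).digest()
    return {"key_name": key_name, "time_signed": time_signed, "fudge": fudge, "mac": mac}

def verify(message, tsig, keyring, now):
    """Server side, in the order RFC 2845 section 4.5 checks: key lookup, MAC, time window.
    Returns 0 on success or the TSIG error code the server would answer with."""
    secret = keyring.get(canon(tsig["key_name"]))
    if secret is None:                      # name in the request not in named.conf's key statements
        return BADKEY
    expected = hmac.new(secret, message + tsig_variables(tsig["key_name"], tsig["time_signed"],
                                                         tsig["fudge"]), hashlib.md5).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):   # secrets differ (or message tampered)
        return BADSIG
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:   # clocks too far apart
        return BADTIME
    return 0

def demo(now=1_000_000_000):
    """Constructed scenarios: correct key, right secret under the wrong name, wrong secret, clock skew."""
    secret = base64.b64decode("ta2Pz4v3UjRNWdII+xpnrw==")      # secret quoted in the thread
    keyring = {"leetah.dyn.bogus.net.": secret}                  # what named.conf's key statement defines
    msg = b"constructed dynamic update message"
    cases = [sign(msg, "leetah.dyn.bogus.net.", secret, now),
             sign(msg, "other.dyn.bogus.net.", secret, now),    # matching secret is not enough
             sign(msg, "leetah.dyn.bogus.net.", b"\x00" * 16, now),
             sign(msg, "leetah.dyn.bogus.net.", secret, now - 3600)]
    return [verify(msg, t, keyring, now) for t in cases]       # [0, 17, 16, 18]
```

The second case is the one the reply describes: the secret matches, but a key name that differs from the named.conf key statement is rejected before the MAC is even checked.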



