[DESPERATE] getting bind 9.1.0 to do dynamic dns update

Ian C. Sison ian.s at qsr.com.ph
Fri Feb 23 02:36:44 UTC 2001



Hi, I've got a seemingly unsolvable problem (at least on my end).


I've got two servers, one the main dns with a public static IP, and the
second on a dynamic IP.  My intention is for the second to update the DNS
A record on the main dns.

Simple right?  Should be easy because there's actually an FAQ entry in
ISC's site.

Not.

First of all, the FAQ entry was for bind 8.x; the dnskeygen command
doesn't work out anymore, as it's changed to dnssec-keygen in bind 9 with
a whole new parameter set.

Anyhow, I tried this command:

==============================================================
# dnssec-keygen -a HMAC-MD5  -b 128 -n HOST ns1-drillbit.
==============================================================


on the main dns server.  This command outputted 2 files (as expected).  So
I get the private key from inside one of the files (the keys are identical
in both files BTW) and stick it in the main dns server's named.conf:

==============================================================
key ns1-drillbit. {
    algorithm hmac-md5;
    secret "wncrUU8MdUxHGpg8eKKq4w==";
};
==============================================================

and use it in my domain:

==============================================================
zone "test.domain.ph." {
    type master;
    file "db.test.domain.ph";
        allow-update   { key ns1-drillbit. ; };
        notify yes;
};
==============================================================


I then copy these two files onto the client system and issue the
following command on the client system:

==============================================================
# nsupdate -d -k Kns1-drillbit.+157+46334.private update
==============================================================


the file "update" contains this:
==============================================================
server 192.168.1.5
zone test.domain.ph.
update add host1.test.domain.ph 86400  A 192.168.1.5
==============================================================


I then get this error:

==============================================================
keycreate
dns_request_getresponse: tsig indicates error
==============================================================

Looking at /var/log/messages on the main DNS server:

==============================================================
Feb 22 20:24:39 ns1 named[20334]: client 192.168.1.169#1024: request has
invalid signature: tsig verify failure
==============================================================


Now the question is - why?  I've followed everything the FAQ said, only
modifying it for dnssec-keygen, and it won't work.  I've tried removing
the 'key' item in 'allow-update' and just placing an IP address, and the
update proceeded correctly.  So I'm thinking it's definitely the keys that
are the problem.

Please, I need your help; any input would be very, very appreciated!

BTW, I'm running bind 9.1.0 on two Linux-Mandrake boxes.
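
Added example, not part of the original post and not BIND's code: how the TSIG MAC over the update request in the post is computed and verified (HMAC-MD5 over the message plus the key name, algorithm name, signing time and fudge), showing which inputs must be identical on client and server. The message ID, the timestamp, the all-zero secret and the `other-key.` name used when calling it are constructed, and the order of the three checks is an assumption of this example.

```python
import base64, hmac, struct

ALG = "hmac-md5.sig-alg.reg.int."  # TSIG algorithm name for HMAC-MD5

def wire_name(name):
    """Canonical wire format: lowercase, uncompressed, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def update_message(msg_id=0x1234):  # msg_id is constructed
    """UPDATE request for the post's 'update' file, without the TSIG record."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone = wire_name("test.domain.ph.") + struct.pack("!HH", 6, 1)  # SOA, IN
    rr = wire_name("host1.test.domain.ph.") + struct.pack("!HHIH", 1, 1, 86400, 4)
    return header + zone + rr + bytes([192, 168, 1, 5])

def tsig_mac(message, key_name, secret_b64, time_signed, fudge=300):
    """HMAC-MD5 over the request followed by the TSIG variables."""
    variables = (
        wire_name(key_name) + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
        + wire_name(ALG)
        + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!HH", 0, 0)  # error = 0, other data length = 0
    )
    return hmac.new(base64.b64decode(secret_b64), message + variables, "md5").digest()

def verify(message, key_name, mac, time_signed, server_keys, now, fudge=300):
    """Server-side outcome; the check order here is this example's assumption."""
    secret = server_keys.get(key_name.lower())
    if secret is None:
        return "BADKEY"   # key name not configured on the server
    expected = tsig_mac(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"   # secret or signed bytes differ
    if abs(now - time_signed) > fudge:
        return "BADTIME"  # clocks further apart than the fudge window
    return "NOERROR"

SERVER_KEYS = {"ns1-drillbit.": "wncrUU8MdUxHGpg8eKKq4w=="}  # from the post's named.conf
T = 982873479  # constructed signing time (seconds since the epoch)

def sign_and_verify(key_name, client_secret, server_now=T):
    """Sign on the 'client' with the given key, then verify on the 'server'."""
    msg = update_message()
    mac = tsig_mac(msg, key_name, client_secret, T)
    return verify(msg, key_name, mac, T, SERVER_KEYS, server_now)

if __name__ == "__main__":
    print(sign_and_verify("ns1-drillbit.", "wncrUU8MdUxHGpg8eKKq4w=="))
```
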