Unable to add forward map: bad DNS key

Chris Buxton cbuxton at menandmice.com
Thu Jun 5 19:14:25 UTC 2008


The error comes when dhcpd tries to formulate a signed DNS update
message. It can't parse the key. So named never gets a packet because
dhcpd can't send one.

The problem is in these statements:

key srv2.mydomain.local. {
        algorithm hmac-md5;
        secret "mysecret";
}
key rndc-key {
        algorithm hmac-md5;
        secret "othersecret";
}

If those are truly your key statements, then you have a problem right  
there - those are not valid secrets. If you've replaced your secrets,  
then you must test these secrets in some fashion yourself - we (the  
list) can't test what you don't tell us.

I've not gone over your configs exhaustively. There may be other  
problems.

By the way, there doesn't appear to be any reason why dhcpd needs to  
know the definition of your rndc key. It's not used, that I can see,  
by the rest of dhcpd.conf.

Chris Buxton
Professional Services
Men & Mice

On Jun 2, 2008, at 1:12 AM, Calle Pettersson wrote:

> Hello!
> I am unable to get ddns to work, despite reading just about every guide
> and article available... My setup is like this: srv1 is gateway, and
> "external" services such as apache etc., srv2 is dhcp and dns.
> When I connect a client, client01 for example, and run dhcpcd, I get this
> in /var/log/messages on srv2:
>
> Jun  2 08:53:31 srv2 dhcpd: Unable to add forward map from client01.mydomain.local. to 192.168.0.100: bad DNS key
> Jun  2 08:53:31 srv2 dhcpd: DHCPREQUEST for 192.168.0.100 from 00:50:8b:8b:78:70 via eth0
> Jun  2 08:53:31 srv2 dhcpd: DHCPACK on 192.168.0.100 to 00:50:8b:8b:78:70 via eth0
>
> The "bad DNS key" error appears even if I shut down named. Also, named
> does not log anything, neither in /var/log/messages nor in /var/log/named/*,
> where I've set up logging, even if I set info-level trace.
>
> Below are my named.conf and dhcpd.conf. If you need any additional
> information, just ask.
> Since I've read so many different guides, there is a good chance my
> configs have a bit too many settings, or even conflicting ones. There
> doesn't seem to be just one way to do this...
>
> Best regards
> Calle Pettersson
>
> named.conf:
> key srv2.mydomain.local. {
>        algorithm hmac-md5;
>        secret "mysecret";
> };
> key rndc-key {
>       algorithm hmac-md5;
>       secret "othersecret";
> };
> acl "mydomain" {
>        192.168.0.0/24;
>        127.0.0.1;
> };
>
> controls {
>       inet 127.0.0.1 port 953
>              allow { 127.0.0.1; 192.168.0.2; } keys { "rndc-key"; };
> };
>
>
> options {
>        directory "/var/bind/";
>        pid-file "/var/run/named/named.pid";
>        forwarders {
>                192.168.0.1;
>        };
>        listen-on {
>                127.0.0.1;
>                192.168.0.2;
>        };
>        allow-query { "mydomain"; };
> };
>
> zone "." {
>        type hint;
>        file "named.ca";
> };
>
> zone "mydomain.local" IN {
>        type master;
>        file "pri/mydomain.local";
>        allow-update { key "srv2.mydomain.local."; };
> };
> zone "0.168.192.in-addr.arpa" IN {
>        type master;
>        file "pri/192.168.0.rev";
>        allow-update { key "srv2.mydomain.local."; };
> };
>
> zone "localhost" IN {
>        type master;
>        file "pri/localhost";
>        allow-update { none; };
> };
> zone "0.0.127.in-addr.arpa" IN {
>        type master;
>        file "pri/localhost.rev";
>        allow-update { none; };
> };
>
> dhcpd.conf:
> server-identifier 192.168.0.2;
> option domain-name-servers 192.168.0.2;
>
> ddns-hostname=pick(option fqdn.hostname, option host-name);
> ddns-domainname "mydomain.local.";
> ddns-rev-domainname "in-addr.arpa.";
> ddns-ttl 3600;
> ddns-updates on;
> ddns-update-style interim;
> #allow client-updates;
> authoritative;
> update-static-leases on;
>
> key srv2.mydomain.local. {
>        algorithm hmac-md5;
>        secret "mysecret";
> }
> key rndc-key {
>        algorithm hmac-md5;
>        secret "othersecret";
> }
>
> zone 0.168.192.in-addr.arpa. {
>        primary 192.168.0.1;
>        key srv2.mydomain.local.;
> }
> zone mydomain.local. {
>        primary 192.168.0.1;
>        key srv2.mydomain.local.;
> }
>
> default-lease-time 86400;
> max-lease-time 86400;
>
> subnet 192.168.0.0 netmask 255.255.255.0 {
>        option domain-name "mydomain.local";
>        option routers 192.168.0.1;
>        range 192.168.0.10 192.168.0.100;
>
>        group { # Servers
>                host srv1 {
>                        hardware ethernet 00:50:8B:8B:78:70;
>                        fixed-address 192.168.0.1;
>                }
>                host srv2 {
>                        hardware ethernet 00:08:C7:09:AC:F0;
>                        fixed-address 192.168.0.2;
>                }
>        }
> }
>
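
Added example, not part of Chris's reply or of Calle's configs: a POSIX shell snippet that applies the check both named and dhcpd make on a TSIG `secret` (it must be base64 text, because both daemons decode it into the raw HMAC key bytes), generates a fresh secret, and prints the matching key statements for each file. Of the two secrets posted, `othersecret` is 11 characters long and cannot be base64 at all; `mysecret` happens to be well-formed base64 but decodes to only 6 bytes of placeholder ASCII. The key name reused here and the 16-byte (128-bit) length are assumptions. Separately, the posted dhcpd.conf zone statements send updates to `primary 192.168.0.1`, while the posted named.conf has named listening on 127.0.0.1 and 192.168.0.2; that is worth checking once the key parses.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check TSIG secrets
# the way named and dhcpd interpret them, and generate a usable one.
#
# A TSIG "secret" is base64 text that both daemons decode into the raw
# HMAC key bytes. Placeholder strings such as "othersecret" (11 chars)
# are not decodable at all; "mysecret" decodes, but only to 6 ASCII bytes.

# Return 0 if $1 is syntactically valid base64 (alphabet, padding, length).
tsig_secret_ok() {
    s=$1
    case "$s" in
        '')                 return 1 ;;   # empty
        *[!A-Za-z0-9+/=]*)  return 1 ;;   # character outside the base64 alphabet
        *=*=*=*)            return 1 ;;   # more than two '=' padding chars
        *=*[!=]*)           return 1 ;;   # '=' may only appear as trailing padding
    esac
    [ $(( ${#s} % 4 )) -eq 0 ]            # base64 length is a multiple of 4
}

# Print how many raw key bytes a (syntactically valid) secret decodes to.
# Uses GNU/BusyBox "base64 -d".
tsig_secret_bytes() {
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Generate a random 16-byte (128-bit) HMAC-MD5 secret. The length is an
# assumption; it matches what "dnssec-keygen -a HMAC-MD5 -b 128" produces.
gen_tsig_secret() {
    head -c 16 /dev/urandom | base64
}

# Emit the key statement in each file's own syntax: named.conf closes the
# block with "};", dhcpd.conf with a bare "}". The secret must be
# byte-for-byte identical in both files.
emit_key_statements() {
    name=$1 secret=$2
    printf 'named.conf:\nkey "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n\n' "$name" "$secret"
    printf 'dhcpd.conf:\nkey %s {\n\talgorithm hmac-md5;\n\tsecret "%s";\n}\n' "$name" "$secret"
}

# Demo run over the two secrets from the posted configs (constructed input).
for s in mysecret othersecret; do
    if tsig_secret_ok "$s"; then
        echo "$s: well-formed base64, $(tsig_secret_bytes "$s") key bytes"
    else
        echo "$s: not valid base64 -> dhcpd/named will reject this key"
    fi
done

NEW_SECRET=$(gen_tsig_secret)
emit_key_statements srv2.mydomain.local. "$NEW_SECRET"
```

Once both files carry the same generated secret, test the key without dhcpd in the loop: `nsupdate -y hmac-md5:srv2.mydomain.local.:$NEW_SECRET`, then `server 192.168.0.2`, `update add test.mydomain.local. 3600 A 192.168.0.250`, `send`. If named accepts that, a remaining dhcpd failure is on the dhcpd side (for instance the `primary` address in its zone statements), not the key.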



More information about the bind-users mailing list