<!DOCTYPE html>
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p data-sourcepos="3:1-3:21" dir="auto">I'm running v9.16.42.</p>
    <p data-sourcepos="5:1-5:35" dir="auto">I have defined a key in
      named.conf:</p>
    <div class="gl-relative markdown-code-block js-markdown-code">
      <pre data-sourcepos="6:1-11:3"
class="code highlight js-syntax-highlight language-plaintext white"
      id="code-52" lang="plaintext"><code><span id="LC1" class="line"
      lang="plaintext">key "acme-dns01" {</span>
<span id="LC2" class="line" lang="plaintext">        algorithm hmac-sha256;</span>
<span id="LC3" class="line" lang="plaintext">        secret "+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E=";</span>
<span id="LC4" class="line" lang="plaintext">};</span></code></pre>
    </div>
    <p data-sourcepos="13:1-13:16" dir="auto">This has worked:</p>
    <div class="gl-relative markdown-code-block js-markdown-code">
      <pre data-sourcepos="14:1-22:3"
class="code highlight js-syntax-highlight language-plaintext white"
      id="code-53" lang="plaintext"><code><span id="LC1" class="line"
      lang="plaintext">$ rndc tsig-list</span>
<span id="LC2" class="line" lang="plaintext">view "Default"; type "static"; key "acme-dns01";</span>
<span id="LC3" class="line" lang="plaintext">view "Default"; type "static"; key "local-ddns";</span>
<span id="LC4" class="line" lang="plaintext">view "Default"; type "static"; key "rndc-key";</span>
<span id="LC5" class="line" lang="plaintext">view "_bind"; type "static"; key "acme-dns01";</span>
<span id="LC6" class="line" lang="plaintext">view "_bind"; type "static"; key "local-ddns";</span>
<span id="LC7" class="line" lang="plaintext">view "_bind"; type "static"; key "rndc-key";</span></code></pre>
    </div>
    <p data-sourcepos="24:1-24:64" dir="auto">I'm using the key in a <code>grant</code>
      (but this doesn't really matter):</p>
    <div class="gl-relative markdown-code-block js-markdown-code">
      <pre data-sourcepos="25:1-27:3"
class="code highlight js-syntax-highlight language-plaintext white"
      id="code-54" lang="plaintext"><code><span id="LC1" class="line"
      lang="plaintext">update-policy { grant acme-dns01 zonesub txt; };</span></code></pre>
    </div>
    <p data-sourcepos="29:1-29:84" dir="auto">When I try to make use of
      the "key:secret" using <code>nsupdate</code>, it is sent as
      expected:</p>
    <div class="gl-relative markdown-code-block js-markdown-code">
      <pre data-sourcepos="30:1-33:3"
class="code highlight js-syntax-highlight language-plaintext white"
      id="code-55" lang="plaintext"><code><span id="LC1" class="line"
      lang="plaintext">;; TSIG PSEUDOSECTION:</span>
<span id="LC2" class="line" lang="plaintext">acme-dns01.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0 </span></code></pre>
    </div>
    <p data-sourcepos="34:1-34:139" dir="auto">But I get a <code>BADKEY</code>
      in the response, which means that the key is <a
href="https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors"
        rel="nofollow noreferrer noopener" target="_blank">unknown</a>.</p>
    <p data-sourcepos="36:1-36:46" dir="auto">This information can also
      be found in the log:</p>
    <div class="gl-relative markdown-code-block js-markdown-code">
      <pre data-sourcepos="37:1-39:3"
class="code highlight js-syntax-highlight language-plaintext white"
      id="code-56" lang="plaintext"><code><span id="LC1" class="line"
      lang="plaintext">| Jan 17 17:46:10  | named  | 23910  | dnssec: debug 2: tsig key 'acme-dns01': unknown key</span></code></pre>
    </div>
    <p data-sourcepos="41:1-41:284" dir="auto">I couldn't find any
      additional required action to make the key known <a
href="https://bind9.readthedocs.io/en/v9.16.42/reference.html#key-statement-definition-and-usage"
        rel="nofollow noreferrer noopener" target="_blank">in the manual</a>.
      It is defined globally and should be available in all views (and
      the output from tsig-list confirms this).</p>
    <p data-sourcepos="43:1-43:141" dir="auto">As this has been rejected
      as an error within minutes
      (<a class="moz-txt-link-freetext" href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4539">https://gitlab.isc.org/isc-projects/bind9/-/issues/4539</a>) it must
      be a user error. However, I have gone through the manual and a
      dozen postings about how to set this up and couldn't find a
      single piece of information about what's wrong. Could somebody please
      provide a hint? Thank you!<br>
    </p>
    <p data-sourcepos="43:1-43:141" dir="auto"> - Michael<br>
    </p>
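    <p>Added example, not part of the original post: a small check that compares the algorithm in a TSIG pseudosection line with the algorithm of the same-named key statement in named.conf, run here on the two snippets shown above. It assumes that named looks up a TSIG key by name and algorithm together; the function names are hypothetical and the secret is replaced by a placeholder.</p>

```python
import re

# Constructed inputs: the two snippets from the post (secret replaced by a placeholder).
NAMED_CONF = '''
key "acme-dns01" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER";
};
'''
TSIG_LINE = ("acme-dns01.  0  ANY  TSIG  hmac-md5.sig-alg.reg.int. "
             "1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0")

# HMAC-MD5 has a long historical algorithm name on the wire.
WIRE_ALIASES = {"hmac-md5.sig-alg.reg.int": "hmac-md5"}


def configured_keys(conf):
    """Map key name -> algorithm for each key statement in named.conf text."""
    keys = {}
    for name, body in re.findall(r'\bkey\s+"?([^"\s{]+)"?\s*\{(.*?)\}\s*;', conf, re.S):
        algo = re.search(r'algorithm\s+"?([\w.-]+)"?\s*;', body)
        if algo:
            # Drop an optional truncation suffix such as hmac-sha256-128.
            base = re.sub(r"-\d+$", "", algo.group(1).lower())
            keys[name.lower().rstrip(".")] = base
    return keys


def parse_tsig(line):
    """Return (key name, algorithm) from one TSIG pseudosection line."""
    fields = line.split()
    if len(fields) < 5 or fields[3] != "TSIG":
        raise ValueError("not a TSIG record line")
    algo = fields[4].lower().rstrip(".")
    return fields[0].lower().rstrip("."), WIRE_ALIASES.get(algo, algo)


def check(conf, tsig_line):
    """Return (ok, message) comparing the sent TSIG with the configured key."""
    name, sent = parse_tsig(tsig_line)
    keys = configured_keys(conf)
    if name not in keys:
        return False, f"{name}: no key statement with this name"
    if keys[name] != sent:
        return False, f"{name}: sent with {sent}, configured as {keys[name]}"
    return True, f"{name}: name and algorithm match ({sent})"


if __name__ == "__main__":
    print(check(NAMED_CONF, TSIG_LINE))
```

    <p>For nsupdate, the algorithm comes from the optional hmac prefix of the -y argument ([hmac:]keyname:secret) or from a key file passed with -k.</p>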
  </body>
</html>