nsupdate fails with tsig error.

Dan Farrell dan at spore.ath.cx
Sat Dec 1 02:15:24 UTC 2007

I am no expert -- far from -- but I thought maybe this excerpt from my
own -- working -- DDNS configuration might bring you one step closer to
achieving your goals.  

Last things first.  

> I really wouldn't have thought it mattered at all where the
> nsupdate came from.

Do you have 'allow-update' declarations in named.conf?  Read on.  

Are you using a secret key for DNS, and the _same_ key for DHCP?
AFAIK DDNS only works with a key.

key "rndc-key" {
        algorithm hmac-md5;
        secret "xxxxxxxxxxxxxxxxxxxxxxxx";
        # clearly those 'x's are replacing real secret, but the length
        # is right.
};

ddns-update-style interim;
use-host-decl-names on;
allow client-updates;

and don't forget zone declarations for your subnets in dhcpd.conf:

zone spore.ath.cx. {
        key rndc-key;
}

zone 1.168.192.in-addr.arpa. {
        key rndc-key;
}

subnet netmask {
        option domain-name-servers,;
        option domain-name "spore.ath.cx";
        ddns-domainname "spore.ath.cx";
        option routers;
        option subnet-mask;
        option broadcast-address;
        one-lease-per-client on;
        update-static-leases on;
}

_and_ sections to /etc/bind/named.conf that look like this:

include "/etc/bind/rndc.key";

controls {
        inet port 953
        allow {;;;;}
        keys { rndc-key; };
};

zone "spore.ath.cx" {
        type master;
        file "personal/spore.fw";
        forwarders { };
        allow-update { key "rndc-key"; };
};

and I suppose you want to know what /var/bind/rndc.key looks like:

key "rndc-key" {
        algorithm hmac-md5;
        secret "xxxxxxxxXXXXXXXXxxxxxxxx";
};

Clearly, both secrets must be the same.  
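
Added example, not part of the original message: a small Python check that the key dhcpd signs with has the same name, algorithm and secret on the named side and is referenced by an allow-update clause. The regular expressions, function names and the sample configs (including the secret) are constructed for illustration, and secrets are compared without ever being printed.

```python
import base64, binascii, hmac, re

# Quoted strings are matched first so a "//" inside a base64 secret is not a comment.
TOKEN_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"?([^";\s]+)"?\s*;\s*\}', re.I)
ALLOW_RE = re.compile(r'allow-update\s*\{[^}]*?\bkey\s+"?([\w.-]+)"?', re.I)

def strip_comments(text):
    return TOKEN_RE.sub(lambda m: m[0] if m[0].startswith('"') else ' ', text)

def parse_keys(text):
    """Return {key name: (algorithm, decoded secret or None if not base64)}."""
    keys = {}
    for name, alg, secret in KEY_RE.findall(strip_comments(text)):
        try:
            raw = base64.b64decode(secret, validate=True)
        except binascii.Error:
            raw = None
        keys[name] = (alg.lower(), raw)
    return keys

def check_tsig(dhcpd_conf, named_conf):
    """List the mismatches that would make named reject dhcpd's signed updates."""
    problems = []
    nkeys = parse_keys(named_conf)
    allowed = set(ALLOW_RE.findall(strip_comments(named_conf)))
    for name, (alg, raw) in parse_keys(dhcpd_conf).items():
        if name not in nkeys:
            problems.append(f"{name}: no such key on the named side")
            continue
        nalg, nraw = nkeys[name]
        if raw is None or nraw is None:
            problems.append(f"{name}: secret is not valid base64")
        elif not hmac.compare_digest(raw, nraw):  # compare, never print, secrets
            problems.append(f"{name}: secrets differ")
        if alg != nalg:
            problems.append(f"{name}: algorithm {alg} vs {nalg}")
        if name not in allowed:
            problems.append(f"{name}: not referenced by any allow-update")
    return problems

# Constructed sample configs; the secret is a made-up value, not a real key.
SECRET = base64.b64encode(b"\xff\xff\xffconstructed-key").decode()  # starts "////"
DHCPD = ('key rndc-key {\n  algorithm hmac-md5;  # shared with named\n  secret "%s";\n}\n'
         'zone spore.ath.cx. {\n  key rndc-key;\n}\n') % SECRET
NAMED = ('key "rndc-key" {\n  algorithm hmac-md5;\n  secret "%s";\n};\nzone "spore.ath.cx" '
         '{\n  type master;\n  allow-update { key "rndc-key"; };\n};\n') % SECRET

problems = check_tsig(DHCPD, NAMED)  # [] when both sides agree
```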
