nsupdate fails with tsig error.

Dan Farrell dan at spore.ath.cx
Sat Dec 1 02:15:24 UTC 2007


I am no expert -- far from -- but I thought maybe this excerpt from my
own -- working -- DDNS configuration might bring you one step closer to
achieving your goals.

Last things first.  


> I really wouldn't have thought it mattered at all where the
> nsupdate came from.

Do you have 'allow-update' declarations in named.conf?  Read on.  

Are you using a secret key for DNS, and the _same_ key for DHCP?
AFAIK DDNS only works with a key.
=======================================
key "rndc-key" {
        algorithm hmac-md5;
        secret "xxxxxxxxxxxxxxxxxxxxxxxx";
	# clearly those 'x's are replacing real secret, but the length
	# is right.
};
ddns-update-style interim;
use-host-decl-names on;
allow client-updates;

and don't forget zone declarations for your subnets in dhcpd.conf:

zone spore.ath.cx. {
        primary 192.168.1.87;
        key rndc-key;
}
zone 1.168.192.in-addr.arpa. {
        primary 192.168.1.87;
        key rndc-key;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.101 192.168.1.199;
        option domain-name-servers 192.168.1.87, 192.168.1.1;
        option domain-name "spore.ath.cx";
        ddns-domainname "spore.ath.cx";
        option routers 192.168.1.1;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        one-lease-per-client on;
        update-static-leases on;
}
===========================================

_and_ sections to /etc/bind/named.conf that look like this:


--------------------------------------------
include "/etc/bind/rndc.key";

controls {
        inet 127.0.0.1 port 953
                allow { 192.168.1.87; 127.0.0.1; 192.168.1.1; 192.168.40.1; }
                keys { rndc-key; };
};


zone "spore.ath.cx" {
        type master;
        file "personal/spore.fw";
        forwarders { };
        allow-update { key "rndc-key"; };
};
-------------------------------------------

and I suppose you want to know what /var/bind/rndc.key looks like:
-------------------------------------------
key "rndc-key" {
        algorithm hmac-md5;
        secret "xxxxxxxxXXXXXXXXxxxxxxxx";
};
-------------------------------------------

Clearly, both secrets must be the same.  
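
The check the message ends on can be automated. The following is an added example, not part of the original post: it compares the `key` declaration in dhcpd.conf with the one in the BIND key file and reports a mismatch without printing the secret. The function names `parse_keys` and `check_ddns_key` and the sample strings are constructed for illustration.

```python
import re

# `key "name" { ... }` blocks; bare references such as `key rndc-key;` do not match.
KEY_BLOCK = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\}', re.S)
FIELD = re.compile(r'\b(algorithm|secret)\s+"?([^";\s]+)"?\s*;')

def parse_keys(text):
    """Return {key_name: {"algorithm": ..., "secret": ...}} from config text."""
    text = re.sub(r'#[^\n]*', '', text)  # only '#' comments are stripped
    keys = {}
    for name, body in KEY_BLOCK.findall(text):
        fields = dict(FIELD.findall(body))
        if fields:
            keys[name] = fields
    return keys

def check_ddns_key(dhcpd_conf, bind_key_file, key_name):
    """List the ways the two declarations disagree; never echoes the secret."""
    problems = []
    dhcp = parse_keys(dhcpd_conf).get(key_name)
    bind = parse_keys(bind_key_file).get(key_name)
    if dhcp is None:
        problems.append(f"key {key_name} not declared in dhcpd.conf")
    if bind is None:
        problems.append(f"key {key_name} not declared on the BIND side")
    if dhcp and bind:
        for field in ("algorithm", "secret"):
            if dhcp.get(field) != bind.get(field):
                problems.append(f"{field} differs for key {key_name}")
    return problems

# Constructed samples in the layout of the post; the secrets are placeholders.
DHCPD_SAMPLE = '''
key "rndc-key" {
        algorithm hmac-md5;
        secret "Q09OU1RSVUNURUQtU0FNUExF";
        # placeholder, not a real secret
};
zone spore.ath.cx. {
        primary 192.168.1.87;
        key rndc-key;
}
'''
BIND_SAMPLE_OK = 'key "rndc-key" {\n algorithm hmac-md5;\n secret "Q09OU1RSVUNURUQtU0FNUExF";\n};\n'
BIND_SAMPLE_BAD = BIND_SAMPLE_OK.replace("Q09OU1RS", "q09ou1rs")

if __name__ == "__main__":
    print(check_ddns_key(DHCPD_SAMPLE, BIND_SAMPLE_OK, "rndc-key"))
    print(check_ddns_key(DHCPD_SAMPLE, BIND_SAMPLE_BAD, "rndc-key"))
```
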


