dynamic dns update - request has invalid signature - TSIG

Anthony Ercolano anthony.ercolano at gmail.com
Tue Nov 27 21:49:46 UTC 2007


On gentoo systems. Using latest stable builds of bind and dhcp server.
Internet Systems Consortium DHCP Server V3.1.0-Gentoo
BIND 9.4.1-P1

Kernel is 2.6.23.8

dns server is protected by a firewall. Authoritative for several zones.
Can handle name lookup requests just dandy and has for years.

dhcp server not protected by firewall, part of local non-routing  
address space: 10.0.0.x
dhcp server has been working for months leasing out addresses.

Trying to add dynamic dns updates from the dhcp server to the dns  
server. USING TSIG for security.

Both the "public" dns server and the dhcp server get their times from  
the same ntp server and do appear to be in "sync".

If the dhcp server attempts to add the newly handed out ip address  
(and name) to the dns server the dhcp (and the dns server) report  
failure.
On the dhcp server we get log messages of the form:

Unable to add forward map from dhcp-10-0-0-184.bogus-for-example.domain to 10.0.0.184: bad DNS signature.

On the dns server we see messages of the form:

client xxx.xxx.xxx.xxx#25112: request has invalid signature: TSIG a-tseg-key-name: tsig verify failure (BADSIG)

Very depressing.

Now, doing this by "hand" using nsupdate on the dhcp server machine I  
get the same errors. This makes sense.

However, if on the DNS server machine I run nsupdate with the EXACT  
same commands, the update is accepted!

Note that back on the dhcp server machine if I run DIG using the same  
keyname and secret to download zone data it works just fine.
I mention this because at the very least the key processing code is  
compatible between both the dhcp and the dns servers.

If anyone has any thoughts I would love to hear them.

Thanks in advance!
Tony
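
Added example (not part of the original post, and not BIND or dhcpd code): a simplified TSIG verifier showing which inputs the BADSIG result in the log above depends on, as distinct from BADKEY and BADTIME. The algorithm (HMAC-MD5), key name, secret, message bytes and timestamp are assumptions constructed for the illustration.

```python
import base64, hashlib, hmac, struct

ALG = "hmac-md5.sig-alg.reg.int"  # assumed algorithm; the post does not name one

def wire_name(name):
    """Domain name in canonical wire format (lowercase, uncompressed)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_mac(message, key_name, secret_b64, time_signed, fudge=300):
    """HMAC over the DNS message followed by the TSIG variables (RFC 2845)."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
        + wire_name(ALG)
        + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!HH", 0, 0)    # error, other-data length
    )
    return hmac.new(base64.b64decode(secret_b64), message + variables, hashlib.md5).digest()

def verify(message, key_name, mac, time_signed, keyring, now, fudge=300):
    """Result code a verifier reports: key check, then MAC, then time."""
    secret = keyring.get(key_name.rstrip(".").lower())
    if secret is None:
        return "BADKEY"
    if not hmac.compare_digest(tsig_mac(message, key_name, secret, time_signed, fudge), mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

# Constructed sample data (not from the post): key, secret, minimal UPDATE message.
SECRET = base64.b64encode(b"constructed-secret").decode()
KEYRING = {"sample-key": SECRET}
MSG = (struct.pack("!6H", 0x1234, 0x2800, 1, 0, 0, 0)   # ID, opcode UPDATE, 1 zone
       + wire_name("example.test") + struct.pack("!HH", 6, 1))  # zone, SOA, IN
T0 = 1196200000  # constructed timestamp

def demo():
    good = tsig_mac(MSG, "sample-key", SECRET, T0)
    other = tsig_mac(MSG, "sample-key", base64.b64encode(b"different-secret").decode(), T0)
    changed = bytes([MSG[0] ^ 1]) + MSG[1:]  # one bit differs from what was signed
    return {
        "matching": verify(MSG, "sample-key", good, T0, KEYRING, T0 + 5),
        "secret differs": verify(MSG, "sample-key", other, T0, KEYRING, T0 + 5),
        "bytes differ": verify(changed, "sample-key", good, T0, KEYRING, T0 + 5),
        "clock skew": verify(MSG, "sample-key", good, T0, KEYRING, T0 + 3600),
        "unknown key": verify(MSG, "other-key", good, T0, KEYRING, T0 + 5),
    }
```

In this model BADSIG is returned only when the key name is known and the recomputed MAC differs, so it depends on the secret, key name, algorithm and the exact message bytes the verifier received; a clock problem alone produces BADTIME instead.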
