Unable to add forward map: bad DNS key

Glenn Satchell Glenn.Satchell at uniq.com.au
Mon Jun 2 15:57:01 UTC 2008


Read the dhcpd.conf man page, and search down for the section
"DYNAMIC DNS UPDATE SECURITY". There are examples of named.conf and
dhcpd.conf.

You have it mostly right, and the error message is on the money: your
secret statements are malformed - they do not require quotes around the
secret or the key name!

e.g., named.conf:

     key DHCP_UPDATER {
       algorithm HMAC-MD5.SIG-ALG.REG.INT;
       secret pRP5FapFoJ95JEL06sv4PQ==;
     };
     zone "example.org" {
          type master;
          file "example.org.db";
          allow-update { key DHCP_UPDATER; };
     };

e.g., dhcpd.conf:

     key DHCP_UPDATER {
       algorithm HMAC-MD5.SIG-ALG.REG.INT;
       secret pRP5FapFoJ95JEL06sv4PQ==;
     };
     zone EXAMPLE.ORG. {
       primary 127.0.0.1;
       key DHCP_UPDATER;
     }

hth.

regards,
-glenn

>Date: Mon, 2 Jun 2008 09:27:47 +0200 (CEST)
>Subject: Unable to add forward map: bad DNS key
>From: "Calle Pettersson" <carlpett at kth.se>
>
>Hello!
>I am unable to get ddns to work, despite reading just about every guide
>and article available... My setup is like this: srv1 is gateway, and
>"external" services such as apache etc., srv2 is dhcp and dns.
>When I connect a client, client01 for example, and run dhcpcd, I get this
>in /var/log/messages on srv2:
>
>Jun  2 08:53:31 srv2 dhcpd: Unable to add forward map from
>client01.mydomain.local. to 192.168.0.100: bad DNS key
>Jun  2 08:53:31 srv2 dhcpd: DHCPREQUEST for 192.168.0.100 from
>00:50:8b:8b:78:70 via eth0
>Jun  2 08:53:31 srv2 dhcpd: DHCPACK on 192.168.0.100 to 00:50:8b:8b:78:70
>via eth0
>
>The "bad DNS key" error appears even if I shut down named. Also, named
>does not log anything, neither in /var/log/messages nor /var/log/named/*,
>where I've set up logging, even if I set info-level trace.
>
>Below are my named.conf and dhcpd.conf. If you need any additional
>information, just ask.
>Since I've read so many different guides, there is a good chance my
>configs have a bit too many settings, or even conflicting ones. There
>doesn't seem to be just one way to do this...
>
>Best regards
>Calle Pettersson
>
>named.conf:
>key srv2.mydomain.local. {
>        algorithm hmac-md5;
>        secret "mysecret";
>};
>key rndc-key {
>       algorithm hmac-md5;
>       secret "othersecret";
>};
>acl "mydomain" {
>        192.168.0.0/24;
>        127.0.0.1;
>};
>
>controls {
>       inet 127.0.0.1 port 953
>              allow { 127.0.0.1; 192.168.0.2; } keys { "rndc-key"; };
>};
>
>
>options {
>        directory "/var/bind/";
>        pid-file "/var/run/named/named.pid";
>        forwarders {
>                192.168.0.1;
>        };
>        listen-on {
>                127.0.0.1;
>                192.168.0.2;
>        };
>        allow-query { "mydomain"; };
>};
>
>zone "." {
>        type hint;
>        file "named.ca";
>};
>
>zone "mydomain.local" IN {
>        type master;
>        file "pri/mydomain.local";
>        allow-update { key "srv2.mydomain.local."; };
>};
>zone "0.168.192.in-addr.arpa" IN {
>        type master;
>        file "pri/192.168.0.rev";
>        allow-update { key "srv2.mydomain.local."; };
>};
>
>zone "localhost" IN {
>        type master;
>        file "pri/localhost";
>        allow-update { none; };
>};
>zone "0.0.127.in-addr.arpa" IN {
>        type master;
>        file "pri/localhost.rev";
>        allow-update { none; };
>};
>
>dhcpd.conf:
>server-identifier 192.168.0.2;
>option domain-name-servers 192.168.0.2;
>
>ddns-hostname=pick(option fqdn.hostname, option host-name);
>ddns-domainname "mydomain.local.";
>ddns-rev-domainname "in-addr.arpa.";
>ddns-ttl 3600;
>ddns-updates on;
>ddns-update-style interim;
>#allow client-updates;
>authoritative;
>update-static-leases on;
>
>key srv2.mydomain.local. {
>        algorithm hmac-md5;
>        secret "mysecret";
>}
>key rndc-key {
>        algorithm hmac-md5;
>        secret "othersecret";
>}
>
>zone 0.168.192.in-addr.arpa. {
>        primary 192.168.0.1;
>        key srv2.mydomain.local.;
>}
>zone mydomain.local. {
>        primary 192.168.0.1;
>        key srv2.mydomain.local.;
>}
>
>default-lease-time 86400;
>max-lease-time 86400;
>
>subnet 192.168.0.0 netmask 255.255.255.0 {
>        option domain-name "mydomain.local";
>        option routers 192.168.0.1;
>        range 192.168.0.10 192.168.0.100;
>
>        group { # Servers
>                host srv1 {
>                        hardware ethernet 00:50:8B:8B:78:70;
>                        fixed-address 192.168.0.1;
>                }
>                host srv2 {
>                        hardware ethernet 00:08:C7:09:AC:F0;
>                        fixed-address 192.168.0.2;
>                }
>        }
>}
>
>



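An added example, not part of the thread and not ISC code: a POSIX shell script that produces a TSIG secret in the base64 form named and dhcpd expect and then cross-checks that a named.conf and a dhcpd.conf agree on the key's name, algorithm and secret (quoted or not), that the secret is real base64 of at least 128 bits, and that every `key` referenced from a dhcpd `zone` stanza is actually defined. The two sample config files, the temporary directory and the key name DHCP_UPDATER are constructed for the demonstration; the function names are this script's own.

```shell
#!/bin/sh
# Added example (not from the thread). Cross-checks the TSIG key stanzas
# that dhcpd and named must share for dynamic DNS updates.

# Random 128-bit secret, base64 encoded, the form both daemons take.
gen_tsig_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 16
    else
        head -c 16 /dev/urandom | base64
    fi
}

# Print "algorithm secret" for the key stanza named $2 in config file $1.
# Quotes, braces and semicolons are stripped, so the quoted named.conf form
# compares equal to the bare dhcpd.conf form. BIND's canonical name for
# hmac-md5 is HMAC-MD5.SIG-ALG.REG.INT, so both spellings are folded.
extract_key() {
    awk -v want="$2" '
        /^[[:space:]]*key[[:space:]]/ { n=$2; gsub(/["{;]/, "", n); in_key = (n == want) }
        in_key && /^[[:space:]]*algorithm[[:space:]]/ { alg=$2; gsub(/[";]/, "", alg) }
        in_key && /^[[:space:]]*secret[[:space:]]/ {
            s=$2; gsub(/[";]/, "", s)
            alg=tolower(alg); if (alg == "hmac-md5.sig-alg.reg.int") alg="hmac-md5"
            print alg, s; exit
        }
    ' "$1"
}

# True when $1 is syntactically valid base64 (length a multiple of four).
is_base64() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$'
}

# Decoded length in bytes of a base64 string, without decoding it.
secret_bytes() {
    s=$1; pad=0
    case $s in *==) pad=2 ;; *=) pad=1 ;; esac
    echo $(( ${#s} * 3 / 4 - pad ))
}

# Key names referenced from zone stanzas in a dhcpd.conf ($1) that no
# key stanza in that file defines.
undefined_zone_keys() {
    awk '
        /^[[:space:]]*key[[:space:]]+[^;]*[{]/ { n=$2; gsub(/["{]/, "", n); def[n]=1 }
        /^[[:space:]]*zone[[:space:]]/ { inz=1 }
        inz && /^[[:space:]]*key[[:space:]]+[^{]*;/ { r=$2; gsub(/[";]/, "", r); refs[r]=1 }
        /[}]/ { inz=0 }
        END { for (r in refs) if (!(r in def)) print r }
    ' "$1"
}

# Compare key $3 between named.conf ($1) and dhcpd.conf ($2); 0 when consistent.
check_key_pair() {
    nk=$(extract_key "$1" "$3"); dk=$(extract_key "$2" "$3")
    [ -n "$nk" ] || { echo "key $3 not defined in $1"; return 1; }
    [ -n "$dk" ] || { echo "key $3 not defined in $2"; return 1; }
    [ "$nk" = "$dk" ] || { echo "key $3 differs: named=[$nk] dhcpd=[$dk]"; return 1; }
    secret=${nk#* }
    is_base64 "$secret" || { echo "secret for $3 is not base64"; return 1; }
    [ "$(secret_bytes "$secret")" -ge 16 ] || { echo "secret for $3 is shorter than 128 bits"; return 1; }
    echo "key $3 consistent ($nk)"
}

# Constructed sample configs: named.conf quoted, dhcpd.conf bare, same key.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/named.conf" <<'EOF'
key "DHCP_UPDATER" {
        algorithm hmac-md5;
        secret "pRP5FapFoJ95JEL06sv4PQ==";
};
zone "example.org" {
        type master;
        file "example.org.db";
        allow-update { key "DHCP_UPDATER"; };
};
EOF
cat > "$tmp/dhcpd.conf" <<'EOF'
key DHCP_UPDATER {
  algorithm HMAC-MD5.SIG-ALG.REG.INT;
  secret pRP5FapFoJ95JEL06sv4PQ==;
};
zone EXAMPLE.ORG. {
  primary 127.0.0.1;
  key DHCP_UPDATER;
}
EOF

check_key_pair "$tmp/named.conf" "$tmp/dhcpd.conf" DHCP_UPDATER
undefined_zone_keys "$tmp/dhcpd.conf"
fresh=$(gen_tsig_secret)
echo "fresh secret for a new key: $fresh ($(secret_bytes "$fresh") bytes)"
```

Run it against the real files (`check_key_pair /etc/named.conf /etc/dhcpd.conf srv2.mydomain.local.`) before restarting either daemon; note that the key name is compared byte for byte, so a trailing dot present on one side and not the other is reported as a mismatch. To test the key independently of dhcpd, `nsupdate -y hmac-md5:KEYNAME:SECRET` against the server listed as `primary` in the dhcpd zone stanza shows whether named accepts the signature at all.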