[Kea-users] DDNS TSIG verification failed: BADSIG

Randy McEoin rmceoin at freedom.com
Thu Feb 4 22:25:06 UTC 2016


I've run into an annoyance using Kea and PowerDNS. When Kea is configured to perform DDNS to a PowerDNS Authoritative server, it believes it fails the updates. In the kea-ddns.log is the following:


DHCP_DDNS_INVALID_RESPONSE received response to DNS Update message is malformed: TSIG verification failed: BADSIG


In PowerDNS's logs is a happy, successful update. But despite the successful update from PDNS's perspective, Kea will retry two more times, which results in a total of 3 updates for the same set of records. Technically it all works, but Kea thinks it did not, and there are the 2 wasted additional updates.


Doing an update with nsupdate -D to PowerDNS shows that the TSIG is valid.


I compiled the Kea source from github and tinkered enough with tsig.cc's TSIGContext::verify to confirm that it's the final return statement that does the return of TSIGError::BAD_SIG(). I can't tell why any earlier check doesn't return TSIGError::NOERROR().


I've tested out Kea with a BIND server and it works okay, no TSIG errors.  Also tried the original ISC DHCP with PowerDNS and can see it works just fine with no griping from it.


I've done packet captures using Kea, nsupdate, and ISC DHCP as the requester DDNS, as well as trying out BIND or PowerDNS as the destination.  So far the only thing I've noticed is that Kea sets the Original ID in the requesting packet to 0.  Both nsupdate and ISC DHCP set the Original ID equal to the Transaction ID.


At this point I can't really tell if it's an issue with how Kea handles the TSIG or PowerDNS.  Anyone have some thoughts?


Thanks,

Randy
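To make the Original ID observation concrete, here is an added Python example (not the poster's code, and not Kea's or PowerDNS's) that computes the RFC 2845 HMAC-MD5 TSIG MAC over a constructed DNS UPDATE and shows how a verifier that writes the TSIG Original ID back into the header before recomputing the MAC behaves when Original ID equals the header ID versus when it is 0. The key bytes, key name, zone and timestamp are constructed; the block demonstrates the mechanism only and does not establish that this is the cause of the BADSIG above.

```python
import hashlib
import hmac
import struct


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name, lowercased (canonical form as TSIG requires)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def update_message(msg_id: int, zone: str) -> bytes:
    """Constructed minimal DNS UPDATE (opcode 5): header, one zone entry, nothing else."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN


def tsig_mac(key: bytes, message: bytes, keyname: str, time_signed: int,
             fudge: int = 300, error: int = 0, other: bytes = b"") -> bytes:
    """HMAC-MD5 over the message (without the TSIG RR) plus the TSIG variables.

    Note that Original ID is NOT among the MACed variables; it only influences the
    result through whatever the verifier does to the header ID before recomputing.
    """
    variables = (wire_name(keyname) + struct.pack("!HI", 255, 0)            # class ANY, TTL 0
                 + wire_name("hmac-md5.sig-alg.reg.int")                   # algorithm name
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(key, message + variables, hashlib.md5).digest()


def verify_restoring_original_id(key, message, original_id, mac, keyname, time_signed) -> bool:
    """Verifier that restores the header ID from the TSIG Original ID before recomputing."""
    restored = struct.pack("!H", original_id) + message[2:]
    return hmac.compare_digest(tsig_mac(key, restored, keyname, time_signed), mac)


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared secret
    keyname, ts, msg_id = "kea-ddns-key", 1454624706, 0x1234   # constructed values
    msg = update_message(msg_id, "example.com")
    mac = tsig_mac(key, msg, keyname, ts)  # the requester signs the wire exactly as sent
    return {
        # nsupdate/ISC DHCP style: Original ID == header ID, restoring it is a no-op
        "original_id_equals_header_id": verify_restoring_original_id(key, msg, msg_id, mac, keyname, ts),
        # Original ID 0 with a non-zero header ID: the restored header differs from what was MACed
        "original_id_zero": verify_restoring_original_id(key, msg, 0, mac, keyname, ts),
        # a verifier that MACs the packet as received never looks at Original ID
        "verifier_ignores_original_id": hmac.compare_digest(tsig_mac(key, msg, keyname, ts), mac),
    }
```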