[Kea-users] DDNS TSIG verification failed: BADSIG

Thomas Markwalder tmark at isc.org
Fri Feb 5 11:46:31 UTC 2016


On 2/4/16 5:25 PM, Randy McEoin wrote:
>
> I've run into an annoyance using Kea and PowerDNS.  When Kea is
> configured to perform DDNS to a PowerDNS Authoritative server, it
> believes it fails the updates. In the kea-ddns.log is the following:
>
>
> DHCP_DDNS_INVALID_RESPONSE received response to DNS Update message is
> malformed: TSIG verification failed: BADSIG
>
>
> In PowerDNS's logs is a happy successful update.  But despite the
> successful update from PDNS's perspective, Kea will retry two more
> times, which results in a total of 3 updates for the same set of
> records.  Technically it all works, but Kea thinks it did not and
> there are the wasted 2 additional updates.
>
>
> Doing an update with nsupdate -D to PowerDNS shows that the TSIG is valid.
>
>
> I compiled the Kea source from github and tinkered with
> tsig.cc's TSIGContext::verify enough to confirm that it's the final
> return statement that does the return of TSIGError::BAD_SIG().  I
> can't tell why any earlier check doesn't return TSIGError::NOERROR().
>
>
> I've tested out Kea with a BIND server and it works okay, no
> TSIG errors.  Also tried the original ISC DHCP with PowerDNS and can
> see it works just fine with no griping from it.
>
>
> I've done packet captures using Kea, nsupdate, and ISC DHCP as the
> requester DDNS, as well as trying out BIND or PowerDNS as the
> destination.  So far the only thing I've noticed is that Kea sets the
> Original ID in the requesting packet to 0.  Both nsupdate and ISC DHCP
> set the Original ID equal to the Transaction ID.
>
>
> At this point I can't really tell if it's an issue with how Kea
> handles the TSIG or PowerDNS.  Anyone have some thoughts?
>
>
> Thanks,
>
> Randy
>
>
>
Hello Randy:

Thanks for reporting this and for providing the packet captures. We'll
look into it.

Thomas Markwalder
ISC Software Engineering
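
Added example, not part of the original thread and not Kea, PowerDNS or ISC code: a small parser that extracts the DNS header ID and the TSIG Original ID from a raw DNS message, the two fields compared in the packet captures described above. The function names, key name and sample message are constructed for illustration, and the thread does not establish whether this field is the cause of the BADSIG.

```python
import struct

TSIG_TYPE = 250  # RR type code for TSIG (RFC 2845)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def tsig_ids(msg):
    """Return (header_id, tsig_original_id, tsig_error), or None if no TSIG RR."""
    hid, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):             # question/zone entries: name, type, class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TSIG_TYPE:
            p = skip_name(msg, off)  # algorithm name
            p += 6 + 2               # time signed (48 bits) + fudge
            (mac_len,) = struct.unpack_from("!H", msg, p)
            p += 2 + mac_len         # MAC size field + MAC
            orig_id, error = struct.unpack_from("!HH", msg, p)
            return hid, orig_id, error
        off += rdlen
    return None

def name(*labels):
    """Encode labels as an uncompressed wire-format domain name."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_update(msg_id, orig_id):
    """Constructed sample: UPDATE header, zone section, one TSIG RR, all-zero MAC."""
    header = struct.pack("!6H", msg_id, 0x2800, 1, 0, 0, 1)     # opcode 5 = UPDATE
    zone = name(b"example", b"org") + struct.pack("!HH", 6, 1)  # SOA, IN
    rdata = (name(b"hmac-md5", b"sig-alg", b"reg", b"int")
             + b"\x00\x00\x56\xb4\x8a\x17" + struct.pack("!HH", 300, 16)
             + b"\x00" * 16 + struct.pack("!HHH", orig_id, 0, 0))
    tsig = name(b"ddns-key") + struct.pack("!HHIH", TSIG_TYPE, 255, 0, len(rdata)) + rdata
    return header + zone + tsig

if __name__ == "__main__":
    print(tsig_ids(build_update(0x1234, 0)))       # header ID and Original ID differ
    print(tsig_ids(build_update(0x1234, 0x1234)))  # header ID and Original ID match
```

Feeding it the UDP payload bytes of a captured request makes it easy to compare requesters side by side.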