[Kea-users] Failed to secure DDNS updates with TSIG between Kea and Bind

Francis Dupont fdupont at isc.org
Sun Jun 20 16:18:46 UTC 2021

BADKEY in general is related to a configuration error. I recommend to
look at messages on the wire to understand if the error is on the
bind/server side or Kea side.

In the case the error is on the Kea side the BADKEY error when verifying
a signed response is a key name mismatch i.e. the configured key name is
not the same as the TSIG RR name (another point easy to check with the
message dump).

Note that key names are DNS names so you can use a FQDN e.g. a name in
the server domain name (common practice) and of course they are case

If the problem is on the bind 9 side perhaps it was reported in its logs?


Francis Dupont <fdupont at isc.org>

PS: a secret mismatch gives BADSIG so IMHO this is around the key itself
(name, algorithm, ...).
PPS: looking the bind9 code for BADKEY you have:
 - key name mismatch
 - algorithm name mismatch (both logger as
   "key name and algorithm do not match")
 - unknown key (logged as "unknown key")
logs are at category dnssec module tsig level 2.

More information about the Kea-users mailing list