[Kea-users] Failed to secure DDNS updates with TSIG between Kea and Bind

Daniel Herrmann daniel.herrmann1 at gmail.com
Sun Jun 20 22:12:25 UTC 2021

Hi Francis,

Thanks so much. The hint to check on the wire was helpful. As a network engineer I could have figured this out myself… sometimes it needs an extra pointer... :)

Anyway, turns out Kea is picking the key correctly, but Bind was not finding the key and thus was unable to verify. After some digging I found the problem: I’m using Ansible (specifically: this role https://github.com/bertvv/ansible-role-bind) to deploy bind and set the key like this:

  - name: "{{ bind_kea_tsig_keyname }}"
    algorithm: "{{ bind_kea_tsig_algorithm }}"
    secret: "{{ bind_kea_tsig_secret }}”

Which wrote the key to /etc/named/auth_transfer.conf as defined by the Ansible module. I saw the key there and thought all was good. I missed though that I have to tell the Ansible Module to add an import statement to named.conf, I was somehow assuming its doing this automatically.

Adding the following host vars for the DNS server add the correct import statement.

   - "{{ bind_auth_file }}”

That said, its a typical “don’t assume, RTFM! case”, as its actually documented in the Ansible module Readme. Thanks for your support!


> On 20. Jun 2021, at 18:18, Francis Dupont <fdupont at isc.org> wrote:
> BADKEY in general is related to a configuration error. I recommend to
> look at messages on the wire to understand if the error is on the
> bind/server side or Kea side.
> In the case the error is on the Kea side the BADKEY error when verifying
> a signed response is a key name mismatch i.e. the configured key name is
> not the same as the TSIG RR name (another point easy to check with the
> message dump).
> Note that key names are DNS names so you can use a FQDN e.g. a name in
> the server domain name (common practice) and of course they are case
> insensitive.
> If the problem is on the bind 9 side perhaps it was reported in its logs?
> Thanks
> Francis Dupont <fdupont at isc.org>
> PS: a secret mismatch gives BADSIG so IMHO this is around the key itself
> (name, algorithm, ...).
> PPS: looking the bind9 code for BADKEY you have:
> - key name mismatch
> - algorithm name mismatch (both logger as
>   "key name and algorithm do not match")
> - unknown key (logged as "unknown key")
> logs are at category dnssec module tsig level 2.

More information about the Kea-users mailing list