[Kea-users] request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
Charles Curley
charlescurley at charlescurley.com
Fri Aug 8 22:22:28 UTC 2025
I run a SOHO network composed mostly of Debian Linux boxen plus a few
others. I have been running ISC dhcpd and bind9. I have some experience
with bind, but am a complete kea newbie.
As Debian is about to release a new version, code-named trixie, I
thought this would be a good time to move to kea. So I set up a two
computer test network and installed kea 2.6.3 on both of them. I have
HA working between them.
I am now trying to get DDNS working. The bind9 server (9.20.11) is
running. I think I have DDNS working correctly, but the zone files are
never updated. I get three of the following message in named's log each
time there is a DHCP event:
client @0x7fcb3983fc00 192.168.10.1#59736: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
(These log extracts are pasted in unwrapped, so they should be readable
in a large enough window.)
The systemd journal shows, e.g.:
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: ERROR DHCP_DDNS_FORWARD_ADD_RESP_CORRUPT DHCP_DDNS Request ID 00020193B49AA98512E0BB5B282FB1FCE7720E91177993E9EA8AE11F536574A8C9B5EB: received a corrupt response from the DNS server, 192.168.10.1 port:53, while adding forward address mapping for FQDN, jhegaalaw.example.
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: ERROR DHCP_DDNS_FORWARD_ADD_RESP_CORRUPT DHCP_DDNS Request ID 00020193B49AA98512E0BB5B282FB1FCE7720E91177993E9EA8AE11F536574A8C9B5EB: received a corrupt response from the DNS server, 192.168.10.1 port:53, while adding forward address mapping for FQDN, jhegaalaw.example.
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: ERROR DHCP_DDNS_FORWARD_ADD_RESP_CORRUPT DHCP_DDNS Request ID 00020193B49AA98512E0BB5B282FB1FCE7720E91177993E9EA8AE11F536574A8C9B5EB: received a corrupt response from the DNS server, 192.168.10.1 port:53, while adding forward address mapping for FQDN, jhegaalaw.example.
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: ERROR DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID 00020193B49AA98512E0BB5B282FB1FCE7720E91177993E9EA8AE11F536574A8C9B5EB: Transaction outcome Status: Failed, Event: NO_MORE_SERVERS_EVT, Forward change: failed, Reverse change: failed, request: Type: 0 (CHG_ADD)
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: Forward Change: yes
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: Reverse Change: yes
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: FQDN: [jhegaalaw.example.]
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: IP Address: [192.168.10.15]
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: DHCID: [00020193B49AA98512E0BB5B282FB1FCE7720E91177993E9EA8AE11F536574A8C9B5EB]
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: Lease Expires On: 20250808200028
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: Lease Length: 1200
Aug 08 13:40:28 tiassa kea-dhcp-ddns[103650]: Conflict Resolution Mode: check-with-dhcid
Bind9 has the following in rndc-key:
key "rndc-key" {
    algorithm hmac-sha256;
    secret "647CTfwwE280ZZNAVJtQrLqt8VfGJkX61J/Ws/TNUc4=";
};
kea-dhcp-ddns.conf includes the following:
"tsig-keys": [
    {
        "name": "example",
        "algorithm": "hmac-sha256",
        "secret": "647CTfwwE280ZZNAVJtQrLqt8VfGJkX61J/Ws/TNUc4="
    }
],
I tried naming the key "rndc-key" but that also failed.
--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
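
TSIG signs each update with a shared key that both ends look up by name, so the key name, algorithm and secret must be identical in named's configuration and in Kea's `tsig-keys`. The check below is an added example, not part of the original message: it compares two such fragments, using constructed sample text and a constructed secret. It assumes the named key clause lists algorithm before secret and that the Kea JSON carries no comments; the function names are hypothetical.

```python
import base64
import json
import re

# Constructed sample secret (not the key from the message): 32 bytes, base64.
SAMPLE_SECRET = base64.b64encode(b"CONSTRUCTED-SAMPLE-KEY-012345678").decode()

# Constructed fragments shaped like the two configurations quoted above.
NAMED_KEY = f'''key "rndc-key" {{
    algorithm hmac-sha256;
    secret "{SAMPLE_SECRET}";
}};
'''
KEA_D2 = f'''{{ "tsig-keys": [
    {{ "name": "example", "algorithm": "hmac-sha256", "secret": "{SAMPLE_SECRET}" }}
] }}
'''

# Assumption: each key clause lists algorithm before secret.
KEY_RE = re.compile(
    r'key\s+"?([^"\s{]+)"?\s*\{\s*algorithm\s+"?([^";\s]+)"?\s*;'
    r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;', re.I)

def normalize(name, algorithm, secret):
    # Key names are DNS names (case-insensitive, trailing dot optional); the
    # secret is compared as decoded bytes so base64 spelling cannot hide a match.
    return (name.rstrip(".").lower(), algorithm.lower(),
            base64.b64decode(secret, validate=True))

def named_keys(text):
    found = (normalize(*m.groups()) for m in KEY_RE.finditer(text))
    return {key[0]: key for key in found}

def kea_keys(text):
    cfg = json.loads(text)
    cfg = cfg.get("DhcpDdns", cfg)  # accept the full file or just the fragment
    found = (normalize(k["name"], k["algorithm"], k["secret"])
             for k in cfg.get("tsig-keys", []))
    return {key[0]: key for key in found}

def compare(named_text, kea_text):
    """Return a list of mismatches; empty means every Kea key has a twin."""
    server, problems = named_keys(named_text), []
    for name, (_, alg, secret) in kea_keys(kea_text).items():
        if name not in server:
            problems.append(f"{name}: key name not defined on the named side")
        elif server[name][1:] != (alg, secret):
            problems.append(f"{name}: algorithm or secret differs")
    return problems
```

Calling `compare(NAMED_KEY, KEA_D2)` on the constructed fragments reports the name mismatch between `rndc-key` and `example`.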