[Kea-users] request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
Carsten Strotmann
carsten at strotmann.de
Sat Aug 9 07:04:02 UTC 2025
Hi Charles,
On 9 Aug 2025, at 0:22, Charles Curley wrote:
> Bind9 has the following in rndc-key:
>
> key "rndc-key" {
>     algorithm hmac-sha256;
>     secret "647CTfwwE280ZZNAVJtQrLqt8VfGJkX61J/Ws/TNUc4=";
> };
>
>
> kea-dhcp-ddns.conf includes the following:
>
> "tsig-keys": [
>     {
>         "name": "example",
>         "algorithm": "hmac-sha256",
>         "secret": "647CTfwwE280ZZNAVJtQrLqt8VfGJkX61J/Ws/TNUc4="
>     }
> ],
>
> I tried naming the key "rndc-key" but that also failed.
The TSIG-Keys need to have the same name on both sides (same name, same algorithm, same key-data ("secret"), same clock-time on the machines).
I recommend creating a dedicated TSIG key with the "tsig-keygen" command, and having the DDNS TSIG-key separate from the "rndc" TSIG key.
If you post the full "kea-dhcp-ddns.conf" (and BIND 9 "named.conf") content, people here on the list might be able to spot the issue.
Greetings
Carsten
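
The name, algorithm and secret comparison described in the reply above can be automated. The following is an added example, not part of the original message and not ISC tooling: it parses a BIND 9 `key` stanza and the `tsig-keys` list of a Kea D2 configuration and reports mismatches without printing the secrets. The key name `ddns-key`, the sample secret and both config strings are constructed for illustration; clock skew cannot be seen in config files and is not checked.

```python
import base64
import json
import re

# Constructed sample secret for this example, not a real key.
SECRET = base64.b64encode(b"constructed-sample-key-material!").decode()
# Constructed BIND 9 key stanza; "ddns-key" is an assumed, dedicated key name.
NAMED_CONF = 'key "ddns-key" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' % SECRET
# Constructed Kea D2 config whose key name does not match the BIND side.
KEA_D2_CONF = json.dumps({"DhcpDdns": {"tsig-keys": [
    {"name": "example", "algorithm": "HMAC-SHA256", "secret": SECRET}]}})

KEY_RE = re.compile(r'key\s+"?([^"\s{]+)"?\s*\{\s*algorithm\s+"?([\w-]+)"?\s*;'
                    r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')


def norm(name):
    # TSIG key names are DNS names: case-insensitive, optional trailing dot.
    return name.lower().rstrip(".")


def bind_keys(text):
    """Map key name -> (algorithm, secret) for each key stanza in named.conf text."""
    return {norm(n): (a.lower(), s) for n, a, s in KEY_RE.findall(text)}


def kea_keys(text):
    """Map key name -> (algorithm, secret) for each DhcpDdns tsig-keys entry."""
    keys = json.loads(text)["DhcpDdns"].get("tsig-keys", [])
    return {norm(k["name"]): (k["algorithm"].lower(), k["secret"]) for k in keys}


def compare(named_text, kea_text):
    """Return a list of mismatch descriptions; secrets are never included."""
    bind, problems = bind_keys(named_text), []
    for name, (alg, secret) in kea_keys(kea_text).items():
        if name not in bind:
            problems.append(f"{name}: no BIND key with this name (expect BADKEY)")
            continue
        b_alg, b_secret = bind[name]
        if alg != b_alg:
            problems.append(f"{name}: algorithm {alg} != {b_alg} (expect BADKEY)")
        if base64.b64decode(secret) != base64.b64decode(b_secret):
            problems.append(f"{name}: secret differs (expect BADSIG)")
    return problems


if __name__ == "__main__":
    for line in compare(NAMED_CONF, KEA_D2_CONF) or ["all Kea TSIG keys match BIND"]:
        print(line)
```
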