[Kea-users] request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
Charles Curley
charlescurley at charlescurley.com
Sat Aug 9 21:29:37 UTC 2025
On Sat, 09 Aug 2025 09:04:02 +0200
Carsten Strotmann via Kea-users <kea-users at lists.isc.org> wrote:
> the TSIG-Keys need to have the same name on both sides (same name,
> same algorithm, same key-data ("secret"), same clock-time on the
> machines).
See below. As they are on the same machine, the clock time should be
identical.
>
> I recommend to create a dedicated TSIG key with the "tsig-keygen"
> command, and having the DDNS TSIG-key separate from the "rndc" TSIG
> key.
Done. The two now look like
"tsig-keys": [
    { "name": "tsig-key",
      "algorithm": "hmac-sha256",
      "secret": "Lh4eU13Kay9ZR4Wjf5r7+L5Bx11PWWlpkjyHqEUCLQE=" }
],
"forward-ddns" : {
    "ddns-domains" : [
        {
            "name": "example.",
            "key-name": "tsig-key",
            "dns-servers": [
                { "ip-address": "192.168.10.1" }
            ]
        }
    ]
},
(reverse-ddns similarly.)
and
key "tsig-key" {
    algorithm hmac-sha256;
    secret "Lh4eU13Kay9ZR4Wjf5r7+L5Bx11PWWlpkjyHqEUCLQE=";
};
The latter in named.conf.local in its own stanza.
I now get:
Aug 09 15:01:49 tiassa named[99162]: client @0x7fcb3d5a0c00 192.168.10.1#51928/key tsig-key: signer "tsig-key" denied
Aug 09 15:01:49 tiassa named[99162]: client @0x7fcb3d5a0c00 192.168.10.1#51928/key tsig-key: update 'example/IN' denied
Aug 09 15:04:46 tiassa named[99162]: client @0x7fcb38a24c00 192.168.10.1#54512/key tsig-key: signer "tsig-key" denied
Aug 09 15:04:46 tiassa named[99162]: client @0x7fcb38a24c00 192.168.10.1#54512/key tsig-key: update 'example/IN' denied
and
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: ERROR DHCP_DDNS_FORWARD_REMOVE_ADDRS_REJECTED DNS Request ID 00020193B49AA98512E0BB5B282FB1FCE7720E91177993E9EA8AE11F536574A8C9B5EB: Server, 192.168.10.1 port:53, rejected a DNS update request to remove the forward address mapping for FQDN, jhegaalaw.example., with an RCODE: 5
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: ERROR DHCP_DDNS_REMOVE_FAILED DHCP_DDNS Request ID 00020193B49AA98512E0BB5B282FB1FCE7720E91177993E9EA8AE11F536574A8C9B5EB: Transaction outcome: Status: Failed, Event: UPDATE_FAILED_EVT, Forward change: failed, Reverse change: failed, request: Type: 1 (CHG_REMOVE)
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: Forward Change: yes
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: Reverse Change: yes
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: FQDN: [jhegaalaw.example.]
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: IP Address: [192.168.10.15]
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: DHCID: [00020193B49AA98512E0BB5B282FB1FCE7720E91177993E9EA8AE11F536574A8C9B5EB]
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: Lease Expires On: 20250809210535
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: Lease Length: 600
Aug 09 15:01:49 tiassa kea-dhcp-ddns[108953]: Conflict Resolution Mode: check-with-dhcid
>
> If you post the full "kea-dhcp-ddns.conf" (and BIND 9 "named.conf")
> content, people here on the list might be able to spot the issue.
Both of these are originally from the Debian packages.
// This is a basic configuration for the Kea DHCP DDNS daemon.
//
// This is just a very basic configuration. Kea comes with large suite (over 30)
// of configuration examples and extensive Kea User's Guide. Please refer to
// those materials to get better understanding of what this software is able to
// do. Comments in this configuration file sometimes refer to sections for more
// details. These are section numbers in Kea User's Guide. The version matching
// your software should come with your Kea package, but it is also available
// in ISC's Knowledgebase (https://kea.readthedocs.io; the direct link for
// the stable version is https://kea.readthedocs.io/).
//
// This configuration file contains only DHCP DDNS daemon's configuration.
// If configurations for other Kea services are also included in this file they
// are ignored by the DHCP DDNS daemon.
{
// DHCP DDNS configuration starts here. This is a very simple configuration
// that simply starts the DDNS daemon, but will not do anything useful.
// See Section 11 for examples and details description.
"DhcpDdns":
{
    "ip-address": "127.0.0.1",
    "port": 53001,
    "control-socket": {
        "socket-type": "unix",
        "socket-name": "kea-ddns-ctrl-socket"
    },
    "tsig-keys": [
        { "name": "tsig-key",
          "algorithm": "hmac-sha256",
          "secret": "Lh4eU13Kay9ZR4Wjf5r7+L5Bx11PWWlpkjyHqEUCLQE=" }
    ],
    "forward-ddns" : {
        "ddns-domains" : [
            {
                "name": "example.",
                "key-name": "tsig-key",
                "dns-servers": [
                    { "ip-address": "192.168.10.1" }
                ]
            }
        ]
    },
    "reverse-ddns" : {
        "ddns-domains" : [
            {
                "name": "10.168.192.in-addr.arpa.",
                "key-name": "tsig-key",
                "dns-servers": [
                    { "ip-address": "192.168.10.1" }
                ]
            }
        ]
    },
// Logging configuration starts here. Kea uses different loggers to log various
// activities. For details (e.g. names of loggers), see Chapter 18.
    "loggers": [
    {
        // This specifies the logging for D2 (DHCP-DDNS) daemon.
        "name": "kea-dhcp-ddns",
        "output-options": [
            {
                // Specifies the output file. There are several special values
                // supported:
                // - stdout (prints on standard output)
                // - stderr (prints on standard error)
                // - syslog (logs to syslog)
                // - syslog:name (logs to syslog using specified name)
                // Any other value is considered a name of the file
                "output": "stdout",
                // Shorter log pattern suitable for use with systemd,
                // avoids redundant information
                "pattern": "%-5p %m\n"
                // This governs whether the log output is flushed to disk after
                // every write.
                // "flush": false,
                // This specifies the maximum size of the file before it is
                // rotated.
                // "maxsize": 1048576,
                // This specifies the maximum number of rotated files to keep.
                // "maxver": 8
            }
        ],
        // This specifies the severity of log messages to keep. Supported values
        // are: FATAL, ERROR, WARN, INFO, DEBUG
        "severity": "INFO",
        // If DEBUG level is specified, this value is used. 0 is least verbose,
        // 99 is most verbose. Be cautious, Kea can generate lots and lots
        // of logs if told to do so.
        "debuglevel": 0
    }
    ]
}
}
named.conf.local:
//
// Do any local configuration here
//
key "tsig-key" {
    algorithm hmac-sha256;
    secret "Lh4eU13Kay9ZR4Wjf5r7+L5Bx11PWWlpkjyHqEUCLQE=";
};
zone "example" IN {
    type master;
    file "/var/cache/bind/sites/example/forward.zone";
    allow-update { key "rndc_key"; };
    zone-statistics yes;
    notify no;
    # also-notify { };
};
zone "10.168.192.in-addr.arpa" {
    type master;
    file "/var/cache/bind/sites/example/reverse.zone";
    allow-update { key "rndc_key"; };
    zone-statistics yes;
    notify no;
    # also-notify { };
};
named.conf.options:
options {
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    // forwarders {
    //     0.0.0.0;
    // };
    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;
    # listen-on-v6 { any; };
    listen-on-v6 { none; };
    listen-on port 53 {
        127.0.0.1;
        192.168.10.1;
    };
};
--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
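As an added example (the editor's, not code from this thread, from Kea or from BIND), the following Python script cross-checks the two kinds of file posted above. It reads Kea's "tsig-keys" and "ddns-domains" and BIND's key and zone statements, then reports a key that named.conf does not define at all (what named logs as BADKEY), an algorithm or secret that differs between the two sides, and a zone whose allow-update list does not contain the key Kea signs with (what named logs as "signer ... denied" and Kea sees as RCODE 5, REFUSED). The embedded sample input is constructed to mirror the shape of the posted configuration with the secret replaced by a placeholder; the function names and the small comment stripper and brace matcher are the example's own, not Kea or BIND APIs.

```python
import json
import re

# Constructed sample input mirroring the shape of the two posted files; the
# secret is a placeholder, not a real key.
KEA_DDNS_CONF = r'''
// Kea allows //, # and /* */ comments around the JSON.
{
  "DhcpDdns": {
    "tsig-keys": [
      { "name": "tsig-key", "algorithm": "hmac-sha256",
        "secret": "PLACEHOLDER-BASE64-SECRET=" }
    ],
    "forward-ddns": { "ddns-domains": [
      { "name": "example.", "key-name": "tsig-key",
        "dns-servers": [ { "ip-address": "192.168.10.1" } ] } ] },
    "reverse-ddns": { "ddns-domains": [
      { "name": "10.168.192.in-addr.arpa.", "key-name": "tsig-key",
        "dns-servers": [ { "ip-address": "192.168.10.1" } ] } ] }
  }
}
'''
NAMED_CONF = r'''
key "tsig-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET=";
};
zone "example" IN {
    type master;
    allow-update { key "rndc_key"; };
    # also-notify { };
};
zone "10.168.192.in-addr.arpa" {
    type master;
    allow-update { key "rndc_key"; };
};
'''

def strip_comments(text):
    """Drop //, # and /* */ comments outside double-quoted strings (both formats allow them)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == '\\' and i + 1 < n:      # keep the escaped character verbatim
                out.append(text[i + 1]); i += 1
            elif c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith('//', i) or c == '#':
            while i < n and text[i] != '\n': i += 1
        elif text.startswith('/*', i):
            end = text.find('*/', i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(c); i += 1
    return ''.join(out)

def named_blocks(text, kind):
    """Yield (name, body) for each `kind "name" ... { body };` statement, matching nested braces."""
    for m in re.finditer(r'\b%s\s+"([^"]+)"[^{};]*\{' % kind, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def check_tsig_wiring(kea_text, named_text):
    """Return findings as strings; an empty list means Kea's DDNS keys line up with named.conf."""
    kea = json.loads(strip_comments(kea_text))["DhcpDdns"]
    kea_keys = {k["name"]: k for k in kea.get("tsig-keys", [])}
    named = strip_comments(named_text)
    named_keys = {}                      # name -> (algorithm, secret) from `key` statements
    for name, body in named_blocks(named, "key"):
        alg = re.search(r'\balgorithm\s+([\w.-]+)\s*;', body)
        sec = re.search(r'\bsecret\s+"([^"]+)"\s*;', body)
        named_keys[name] = (alg.group(1).lower() if alg else None, sec.group(1) if sec else None)
    zone_update_keys = {}                # zone -> key names in its allow-update clause
    for name, body in named_blocks(named, "zone"):
        au = re.search(r'allow-update\s*\{([^}]*)\}', body)
        zone_update_keys[name.lower().rstrip('.')] = re.findall(r'\bkey\s+"([^"]+)"', au.group(1)) if au else []
    findings = []
    for section in ("forward-ddns", "reverse-ddns"):
        for dom in kea.get(section, {}).get("ddns-domains", []):
            zone, kname = dom["name"].lower().rstrip('.'), dom.get("key-name")
            if not kname:
                findings.append(f"{zone}: Kea would send unsigned updates (no key-name)"); continue
            kkey = kea_keys.get(kname)
            if kkey is None:
                findings.append(f"{zone}: key-name '{kname}' is not in Kea tsig-keys"); continue
            nkey = named_keys.get(kname)
            if nkey is None:
                findings.append(f"{zone}: key '{kname}' is not defined in named.conf (BADKEY)")
            else:
                if nkey[0] != kkey["algorithm"].lower():
                    findings.append(f"{zone}: algorithm differs for '{kname}' ({kkey['algorithm']} vs {nkey[0]})")
                if nkey[1] != kkey["secret"]:
                    findings.append(f"{zone}: secret differs for '{kname}'")
            allowed = zone_update_keys.get(zone)
            if allowed is None:
                findings.append(f"{zone}: zone is not defined in named.conf")
            elif kname not in allowed:
                findings.append(f"{zone}: allow-update lists {allowed} but Kea signs with '{kname}' (update denied)")
    return findings

if __name__ == "__main__":
    for line in check_tsig_wiring(KEA_DDNS_CONF, NAMED_CONF) or ["no mismatches found"]:
        print(line)
```

Run against the real files by reading them into the two strings; the check is deliberately conservative (key names are compared exactly, algorithms case-insensitively) and does not attempt to load BIND's include files or Kea's hooks, so a clean result means the two files agree with each other, not that named has loaded them.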