<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 2/4/16 5:25 PM, Randy McEoin wrote:<br>
</div>
<blockquote
cite="mid:BY1PR0701MB176702A2FD1BA4F27AEA468BB6D10@BY1PR0701MB1767.namprd07.prod.outlook.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>I've run into an annoyance using Kea and PowerDNS. When Kea
is configured to perform DDNS to a PowerDNS Authoritative
server, it believes it fails the updates. In the
kea-ddns.log is the following:</p>
<p><br>
</p>
<p>DHCP_DDNS_INVALID_RESPONSE received response to DNS Update
message is malformed: TSIG verification failed: BADSIG<br>
</p>
<p><br>
</p>
<p>In PowerDNS's logs is a happy, successful update. But
despite the successful update from PDNS's perspective, Kea
will retry two more times, which results in a total of 3
updates for the same set of records. Technically it all
works, but Kea thinks it did not and there are the wasted 2
additional updates.</p>
<p><br>
</p>
<p>Doing an update with nsupdate -D to PowerDNS shows that the
TSIG is valid.</p>
<p><br>
</p>
<p>I compiled the Kea source from github and tinkered enough
with tsig.cc's TSIGContext::verify to confirm that it's
the final return statement that does the return of
TSIGError::BAD_SIG(). I can't tell why any earlier check
doesn't return TSIGError::NOERROR().</p>
<p><br>
</p>
<p>I've tested out Kea with a BIND server and it works okay, no
TSIG errors. Also tried the original ISC DHCP with
PowerDNS and can see it works just fine with no griping from
it.</p>
<p><br>
</p>
<p>I've done packet captures using Kea, nsupdate, and ISC DHCP
as the DDNS requester, as well as trying out BIND or PowerDNS
as the destination. So far the only thing I've noticed is
that Kea sets the Original ID in the requesting packet to 0.
Both nsupdate and ISC DHCP set the Original ID equal to the
Transaction ID.</p>
<p><br>
</p>
<p>At this point I can't really tell if it's an issue with how
Kea handles the TSIG or PowerDNS. Anyone have some thoughts?</p>
<p><br>
</p>
<p>Thanks,</p>
<p>Randy</p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Kea-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Kea-users@lists.isc.org">Kea-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/kea-users">https://lists.isc.org/mailman/listinfo/kea-users</a>
</pre>
</blockquote>
<tt>Hello Randy:<br>
<br>
Thanks for reporting this and for providing the packet captures.
We'll look into it.<br>
<br>
Thomas Markwalder<br>
ISC Software Engineering<br>
</tt>
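<p>Added example, not part of this thread and not code from Kea or PowerDNS: the Python below builds the RFC 2845 TSIG digest input for a small DNS UPDATE and runs an RFC-style verifier over it, to show what the Original ID field that Randy observed contributes to the MAC. The verifier, like BIND's, substitutes the TSIG Original ID for the header ID before recomputing the HMAC, so a request whose TSIG RDATA carries Original ID 0 while its MAC was computed over a non-zero header ID comes back BADSIG. The key name, secret, zone, transaction ID and timestamps are all constructed for the example; it shows only the mechanical dependency of the MAC on that field and does not establish which side in the thread is misbehaving.</p>

```python
"""Added example (not from the thread): how an RFC 2845 TSIG MAC depends on the
Original ID field. Key name, secret, zone and timestamps are constructed."""
import hashlib
import hmac
import struct

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."  # algorithm name nsupdate uses by default

# Constructed key material for the demo; not a real deployment's key.
KEY_NAME = "kea-pdns."
SECRET = b"secret-for-tsig-demo-only"


def encode_name(name):
    """Wire-encode a DNS name uncompressed and lower-cased (canonical form for TSIG)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def update_message(txid, zone="example.com."):
    """Minimal DNS UPDATE (opcode 5): header plus Zone section, before any TSIG RR is added."""
    header = struct.pack("!HHHHHH", txid, 5 << 11, 1, 0, 0, 0)  # ZOCOUNT=1, ARCOUNT=0
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)  # ZTYPE=SOA, ZCLASS=IN
    return header + zone_section


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables appended to the digested message (RFC 2845 section 3.4.2)."""
    return (encode_name(key_name)
            + struct.pack("!HI", 255, 0)                                      # CLASS ANY, TTL 0
            + encode_name(HMAC_MD5)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret, msg_without_tsig, digest_id, key_name, time_signed, fudge):
    """HMAC-MD5 over the message with its header ID forced to digest_id, then the TSIG variables."""
    digested = struct.pack("!H", digest_id) + msg_without_tsig[2:]
    data = digested + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()


def sign_request(secret, msg, key_name, time_signed, fudge, original_id):
    """Signer side: MAC over the message as it is sent (its own header ID), recording
    original_id in the TSIG RDATA. The caller chooses original_id so both the
    RFC-conformant value (the header ID) and a zero can be shown."""
    header_id = struct.unpack("!H", msg[:2])[0]
    return {
        "key_name": key_name, "time_signed": time_signed, "fudge": fudge,
        "original_id": original_id,
        "mac": tsig_mac(secret, msg, header_id, key_name, time_signed, fudge),
    }


def verify_request(secret, msg_without_tsig, tsig):
    """Verifier side: the TSIG RR is assumed already removed and ARCOUNT decremented
    (msg_without_tsig); the header ID is replaced by the TSIG Original ID, as BIND's
    verifier does, and the MAC is recomputed and compared in constant time."""
    expected = tsig_mac(secret, msg_without_tsig, tsig["original_id"],
                        tsig["key_name"], tsig["time_signed"], tsig["fudge"])
    return "NOERROR" if hmac.compare_digest(expected, tsig["mac"]) else "BADSIG"


def demo(txid=0x1234, time_signed=1454628300, fudge=300):
    """Verdicts for a TSIG whose Original ID equals the header ID, and for one set to 0."""
    msg = update_message(txid)
    conformant = sign_request(SECRET, msg, KEY_NAME, time_signed, fudge, original_id=txid)
    zeroed = sign_request(SECRET, msg, KEY_NAME, time_signed, fudge, original_id=0)
    return verify_request(SECRET, msg, conformant), verify_request(SECRET, msg, zeroed)


if __name__ == "__main__":
    print(demo())  # ('NOERROR', 'BADSIG')
```

<p>Running the module prints ('NOERROR', 'BADSIG'): the same message and the same key verify or fail purely on whether the Original ID recorded in the TSIG RDATA matches the ID that was actually digested. To try this against a real capture, pass the UPDATE bytes with the TSIG RR stripped and ARCOUNT decremented, plus the fields read out of the TSIG RDATA, into verify_request(); a verifier that instead digests the header ID as received would accept the zeroed case, which is why checking what each side digests is the first thing to look at.</p>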
</body>
</html>