I'm trying to update a name using nsupdate executed from within the name server itself but I receive the error message ; TSIG error with server: tsig indicates error.

I created a key with dnssec-keygen -a hmac-md5 -b 512 -n HOST -r /dev/urandom dyn.mydomain.com. and copied the secret into the named.conf.

My named.conf is as follows:

key "dyn.mydomain.com." {
   algorithm hmac-md5;
   secret "T2DjtGkGAzPAVrL6zar9GpxjNQ1iOjJzWKhPsF5gu0xQbaONhK7ZmC0n WKatgbGEHqla1uoxG3FdktQPolMIjQ==";
};
zone "dyn.mydomain.com." {
   type master;
   file "/var/cache/bind/dyn.mydomain.com.hosts";
   allow-update {
       key "dyn.mydomain.com.";
   };
};

The file dyn.mydomain.com.hosts looks as follows:

$ORIGIN .
$TTL 8400       ; 2 hours 20 minutes
dyn.mydomain.com  IN SOA  ns. root. (
                           2007072513 ; serial
                           7200       ; refresh (2 hours)
                           900        ; retry (15 minutes)
                           1857600    ; expire (3 weeks 12 hours)
                           8400       ; minimum (2 hours 20 minutes)
                           )
                   NS      ns.dyn.mydomain.com.
$ORIGIN dyn.mydomain.com.
ns                      A       [ip of this name server]
$TTL 60 ; 1 minute

I restart bind9, then use

nsupdate -v -d -k /etc/bind/Kdyn.mydomain.com.+157+53489.private
> server localhost
> zone dyn.mydomain.com
> update add test.dyn.mydomain.com IN A 80.80.80.80
> send

Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  50553
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;dyn.mydomain.com.                   IN      SOA

;; UPDATE SECTION:
test.dyn.mydomain.com.       60      IN      A       80.80.80.80

;; TSIG PSEUDOSECTION:
dyn.mydomain.com.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1325777156 300 16 5k3AkgLuCziNKtaeb39MRE== 50553 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  50553
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
dyn.mydomain.com.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1325777156 300 0  50553 BADKEY 0

What can be the reason?

1 Answer

Are you sure you are using the right key? There are no other keys in your /etc/bind/ dir? :-)

If so, check the permissions of your key file:

chmod 400 /etc/bind/Kdyn.mydomain.com.+157+53489.private

Also, make sure that your secret matches what dnssec-keygen has generated

(hint: the space in your secret line)

  • I thought the spaces may be relevant when I looked at this but when I tested it I discovered they aren't. – user9517 Jan 14 '12 at 10:42
  • What about the permissions? – jflaflamme Jan 14 '12 at 14:48
  • Thanks for your suggestion. Permissions were already 400 but I changed to 640 but didn't help unfortunately. I'm still not sure about the spaces in the key. Copied it from the .key file with the spaces, is this correct? – stracktracer Jan 15 '12 at 09:39
  • 2
    I got the problem: I'm using a server with plesk configuration interface, and it seems plesk does not use /etc/bind/named.conf as configuration file (though it exists) but it uses the files in chroot directory /var/named/run-root/etc. Confusing was that no symlink in the 1st directory existed... Your suggestion helped me to find the cause, so I'll award the bounty to you. – stracktracer Jan 15 '12 at 14:34
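A check for the two causes raised in this thread (the secret in named.conf not matching the key file, and named loading a different named.conf than the one that was edited), as an added example that is not part of the question or the answer. It parses a dnssec-keygen .private file together with its filename and the key statements in a named.conf, normalizes key names (case, trailing dot) and whitespace inside the base64 secret (BIND's decoder ignores it, which is why the space in the question's secret turned out not to matter), and reports any name, algorithm or secret mismatch. The sample inputs are constructed: the key name, algorithm number and key id are taken from the question, the secret is a dummy 64-byte value. Run it against the named.conf the running named actually loads (in the chroot, in the asker's case), not just the one under /etc/bind.

```python
import base64
import re

# Algorithm numbers dnssec-keygen writes into a TSIG .private file (and into
# the filename), mapped to the algorithm names used in a named.conf key statement.
TSIG_ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}


def canonical_name(name):
    """Lower-case and add the trailing dot: 'DYN.mydomain.com' -> 'dyn.mydomain.com.'."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def decode_secret(b64):
    """Decode a TSIG secret the way BIND does: whitespace inside the base64 is ignored."""
    return base64.b64decode("".join(b64.split()), validate=True)


def parse_private_filename(path):
    """Split '.../K<name>+<alg>+<id>.private' into (canonical name, alg number, key id)."""
    m = re.search(r"(?:^|/)K([^/+]+)\+(\d{3})\+(\d{5})\.private$", path)
    if not m:
        raise ValueError("not a dnssec-keygen private key filename: %r" % path)
    return canonical_name(m.group(1)), int(m.group(2)), int(m.group(3))


def parse_private_file(text):
    """Return (alg number, secret bytes) from the 'Algorithm:' and 'Key:' lines."""
    alg = re.search(r"^Algorithm:\s*(\d+)", text, re.M)
    key = re.search(r"^Key:\s*(\S+)", text, re.M)
    if not alg or not key:
        raise ValueError("missing Algorithm: or Key: line in private key file")
    return int(alg.group(1)), decode_secret(key.group(1))


def parse_named_conf_keys(text):
    """Return {canonical name: (algorithm, secret bytes)} for every key statement.

    Only 'key "name" { ... };' statements match; the 'key "name";' references
    inside allow-update blocks are not followed by '{' and are skipped."""
    keys = {}
    for name, body in re.findall(r'key\s+"([^"]+)"\s*\{(.*?)\}\s*;', text, re.S):
        alg = re.search(r"algorithm\s+([\w-]+)\s*;", body)
        secret = re.search(r'secret\s+"([^"]+)"\s*;', body)
        if alg and secret:
            keys[canonical_name(name)] = (alg.group(1).lower(), decode_secret(secret.group(1)))
    return keys


def check_tsig_key(private_path, private_text, named_conf_text):
    """Compare the key 'nsupdate -k' would sign with against what named.conf declares.

    Returns a list of problems; an empty list means name, algorithm and secret agree."""
    name, alg_from_filename, _key_id = parse_private_filename(private_path)
    file_alg, file_secret = parse_private_file(private_text)
    problems = []
    if file_alg != alg_from_filename:
        problems.append("filename says algorithm %d but the file says %d" % (alg_from_filename, file_alg))
    conf_keys = parse_named_conf_keys(named_conf_text)
    if name not in conf_keys:
        # This is the situation a BADKEY reply describes: the server has no key of that name.
        problems.append("named.conf has no key statement named %s (found: %s)"
                        % (name, ", ".join(sorted(conf_keys)) or "none"))
        return problems
    conf_alg, conf_secret = conf_keys[name]
    expected_alg = TSIG_ALGORITHMS.get(file_alg, "unknown")
    if conf_alg != expected_alg:
        problems.append("algorithm mismatch: key file uses %s, named.conf says %s" % (expected_alg, conf_alg))
    if conf_secret != file_secret:
        problems.append("secret mismatch: named.conf secret is %d bytes, key file secret is %d bytes"
                        % (len(conf_secret), len(file_secret)))
    return problems


# Constructed sample data: a dummy 64-byte (512-bit) secret, as 'dnssec-keygen -b 512'
# would produce; key name and key id are the ones from the question.
SAMPLE_SECRET_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_PRIVATE_PATH = "/etc/bind/Kdyn.mydomain.com.+157+53489.private"
SAMPLE_PRIVATE_TEXT = "Private-key-format: v1.2\nAlgorithm: 157 (HMAC_MD5)\nKey: %s\n" % SAMPLE_SECRET_B64
# The copied secret carries a line-wrap space, as in the question's named.conf.
SAMPLE_NAMED_CONF = '''key "DYN.mydomain.com" {
   algorithm hmac-md5;
   secret "%s %s";
};
zone "dyn.mydomain.com." {
   type master;
   file "/var/cache/bind/dyn.mydomain.com.hosts";
   allow-update { key "dyn.mydomain.com."; };
};
''' % (SAMPLE_SECRET_B64[:56], SAMPLE_SECRET_B64[56:])

if __name__ == "__main__":
    found = check_tsig_key(SAMPLE_PRIVATE_PATH, SAMPLE_PRIVATE_TEXT, SAMPLE_NAMED_CONF)
    for line in found or ["key name, algorithm and secret agree"]:
        print(line)
```

The TSIG error codes in the reply distinguish the two cases (RFC 2845): BADKEY means the server does not recognize the key name or algorithm at all, while BADSIG means it knows the key but the MAC did not verify, i.e. the secrets differ. The BADKEY reply shown in the question is therefore consistent with the asker's finding that the edited named.conf was never loaded, rather than with a wrong secret.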