I'm running v9.16.42.
I have defined a key in named.conf:
|key "acme-dns01" { algorithm hmac-sha256; secret
"+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E="; };|
This has worked:
|$ rndc tsig-list view "Default"; type "static"; key "acme-dns01"; view
"Default"; type "static"; key "local-ddns"; view "Default"; type
"static"; key "rndc-key"; view "_bind"; type "static"; key "acme-dns01";
view "_bind"; type "static"; key "local-ddns"; view "_bind"; type
"static"; key "rndc-key";|
I'm using the key in a |grant| (but this doesn't really matter):
|update-policy { grant acme-dns01 zonesub txt; };|
When I try to make use of the "key:secret" using |nsupdate|, it is sent
as expected:
|;; TSIG PSEUDOSECTION: acme-dns01. 0 ANY TSIG hmac-md5.sig-alg.reg.int.
1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0 |
But I get a |BADKEY| in the response, which means that the key is
unknown <https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors>.
This information can also be found in the log:
|| Jan 17 17:46:10 | named | 23910 | dnssec: debug 2: tsig key
'acme-dns01': unknown key|
I couldn't find any additional required action to make the key known in
the manual
<https://bind9.readthedocs.io/en/v9.16.42/reference.html#key-statement-definition-and-usage>.
It is defined globally and should be available in all views (and the
output from tsig-list confirms this).
As this has been rejected as an error within minutes
(https://gitlab.isc.org/isc-projects/bind9/-/issues/4539) it must be a
user error. However, I have gone through the manual and a dozen of
posting about how to set this up and couldn't find a single information
about what's wrong. Could somebody please provide a hint? Thank you!
- Michael
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
