BADKEY in general is related to a configuration error. I recommend looking at the messages on the wire to understand whether the error is on the bind/server side or the Kea side.
In the case the error is on the Kea side, the BADKEY error when verifying a signed response is a key name mismatch, i.e. the configured key name is not the same as the TSIG RR name (another point easy to check with the message dump). Note that key names are DNS names, so you can use an FQDN, e.g. a name in the server domain name (common practice), and of course they are case insensitive.

If the problem is on the bind 9 side, perhaps it was reported in its logs?

Thanks

Francis Dupont <fdup...@isc.org>

PS: a secret mismatch gives BADSIG, so IMHO this is around the key itself (name, algorithm, ...).

PPS: looking at the bind9 code for BADKEY you have:
- key name mismatch
- algorithm name mismatch
  (both logged as "key name and algorithm do not match")
- unknown key (logged as "unknown key")

Logs are at category dnssec, module tsig, level 2.
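The message-dump check described above, as an added example that is not part of the original message: it extracts the TSIG RR owner name (the key name) and the algorithm name from a raw DNS message and compares them, case-insensitively, with the configured key. The function names, the key name `DDNS-Key.example.org` and the sample message are constructed for illustration, and the configured algorithm is assumed to be written as its DNS name (e.g. `hmac-sha256`).

```python
import struct

def read_name(msg, off):
    """Decode a DNS name at off; return (lower-cased FQDN, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n == 0:                            # root label ends the name
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        if (n & 0xC0) == 0xC0:                # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n

def tsig_identity(msg):
    """Return (key name, algorithm name) from the TSIG RR, or None if unsigned."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off, found = 12, None
    for _ in range(qd):                       # question/zone entries: name + type + class
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 250:                      # TSIG: owner = key name, RDATA starts with algorithm
            found = (owner, read_name(msg, off)[0])
        off += rdlen
    return found

def diagnose(msg, cfg_name, cfg_alg):
    """List mismatches between the wire TSIG RR and the configured key."""
    wire = tsig_identity(msg)
    if wire is None:
        return ["no TSIG RR in message"]
    want = tuple(s.lower().rstrip(".") + "." for s in (cfg_name, cfg_alg))
    return [f"{what} mismatch: wire={w} configured={c}"
            for what, w, c in zip(("key name", "algorithm"), wire, want) if w != c]

def _enc(name):                               # helper used only to build the sample
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"
# Constructed sample: DNS UPDATE response with one TSIG RR (dummy 4-byte MAC).
_rd = _enc("hmac-sha256") + bytes(6) + struct.pack("!HH", 300, 4) + b"\xde\xad\xbe\xef" + bytes(6)
SAMPLE = (struct.pack("!6H", 0x1234, 0xA800, 1, 0, 0, 1) + _enc("example.org") + struct.pack("!HH", 6, 1)
          + _enc("DDNS-Key.example.org") + struct.pack("!HHIH", 250, 255, 0, len(_rd)) + _rd)
```

An empty list from `diagnose` means the name and algorithm agree, which leaves the unknown-key case on the server side or, per the PS, a secret mismatch that would show up as BADSIG instead.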