BIND later than 9.18.10 does not forward TSIG-signed DDNS updates
BIND 9.18.10 works as expected; BIND 9.18.12 and 9.18.13, however, do not forward TSIG-signed DDNS updates.
client --> BIND secondary --> BIND primary
Observed behavior in BIND 9.18.12 and 9.18.13
The client signs the DDNS update with the ddns-key and forwards the signed update to the secondary. The secondary drops the update without forwarding and logs
client @0xffffffff 2001:db8::3#12345: request has invalid signature: TSIG ddns-key: tsig verify failure (BADKEY)
Expected behavior as seen in 9.18.10 and earlier
The client signs the DDNS update with the ddns-key and sends the signed update to the secondary. The secondary forwards the update to the primary. The primary verifies the ddns TSIG key and updates the zone.
The relevant config is as follows:
secondary:
    primaries example.com {
        2001:db8::1 key xfer-key;
    };
    zone "example.com" {
        type secondary;
        primaries { example.com; };
        allow-update-forwarding { any; };
        file "/var/named/example.com";
    };
primary:
    options {
        allow-transfer {
            key xfer-key;
        };
    };
    zone "example.com" {
        type primary;
        update-policy {
            grant ddns-key wildcard *.example.com TXT;
        };
        file "/var/named/example.com";
    };
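To make the logged error concrete: BADKEY is the TSIG error a verifier returns when the key name (or algorithm) in the TSIG record is not one it holds, checked before the MAC itself (RFC 8945 section 5.2); in the config above only the primary holds ddns-key, while the secondary holds xfer-key alone. The following stdlib-only model of TSIG signing and verification is an added example, not BIND code or anything from the report. It constructs a minimal DNS UPDATE, signs it with a constructed ddns-key secret, and verifies it against a keyring for each server; key names follow the config, secrets and message contents are made up.

```python
"""Stdlib-only model of RFC 8945 TSIG signing and verification.
Added example with constructed keys and messages; not BIND's own code."""
import hashlib
import hmac
import struct

# TSIG error codes from RFC 8945 section 3
NOERROR, BADSIG, BADKEY, BADTIME = 0, 16, 17, 18
ERROR_NAMES = {NOERROR: "NOERROR", BADSIG: "BADSIG", BADKEY: "BADKEY", BADTIME: "BADTIME"}
HMAC_SHA256 = "hmac-sha256."
TSIG_CLASS_ANY, TSIG_TTL = 255, 0


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone: str, msg_id: int = 0x1234) -> bytes:
    """Constructed minimal DNS UPDATE (RFC 2136): header with opcode UPDATE (5)
    and a zone section naming the SOA; prerequisite and update sections empty."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 0, 0)
    return header + name_to_wire(zone) + struct.pack("!HH", 6, 1)  # type SOA, class IN


def tsig_variables(key_name, algorithm, time_signed, fudge, error, other=b""):
    """The 'TSIG variables' RFC 8945 section 4.3.3 appends to the message
    before the MAC is computed: key name, class ANY, TTL 0, algorithm,
    48-bit time signed, fudge, error, other len, other data."""
    return (name_to_wire(key_name)
            + struct.pack("!HI", TSIG_CLASS_ANY, TSIG_TTL)
            + name_to_wire(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign(message, key_name, secret, time_signed, fudge=300):
    """Sign a request: HMAC over message || TSIG variables (requests have no prior MAC)."""
    data = message + tsig_variables(key_name, HMAC_SHA256, time_signed, fudge, NOERROR)
    return {
        "key_name": key_name, "algorithm": HMAC_SHA256,
        "time_signed": time_signed, "fudge": fudge,
        "mac": hmac.new(secret, data, hashlib.sha256).digest(),
    }


def verify(message, tsig, keyring, now):
    """Verify in the order RFC 8945 section 5.2 requires: key and algorithm known
    (else BADKEY), MAC matches (else BADSIG), time within fudge (else BADTIME)."""
    secret = keyring.get(tsig["key_name"].lower().rstrip("."))
    if secret is None or tsig["algorithm"].lower() != HMAC_SHA256:
        return BADKEY
    data = message + tsig_variables(tsig["key_name"], tsig["algorithm"],
                                    tsig["time_signed"], tsig["fudge"], NOERROR)
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return BADSIG
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return BADTIME
    return NOERROR


# Constructed secrets; the key names follow the report's config.
DDNS_SECRET = b"constructed-ddns-key-secret"
XFER_SECRET = b"constructed-xfer-key-secret"
SECONDARY_KEYRING = {"xfer-key": XFER_SECRET}                         # secondary holds only xfer-key
PRIMARY_KEYRING = {"xfer-key": XFER_SECRET, "ddns-key": DDNS_SECRET}  # primary holds both


def demo(now=1_700_000_000):
    """Sign one update with ddns-key and verify it the way each server would."""
    update = build_update("example.com.")
    tsig = sign(update, "ddns-key", DDNS_SECRET, time_signed=now)
    tampered = update[:2] + b"\xff\xff" + update[4:]  # alter the header flags after signing
    return {
        "secondary": ERROR_NAMES[verify(update, tsig, SECONDARY_KEYRING, now)],
        "primary": ERROR_NAMES[verify(update, tsig, PRIMARY_KEYRING, now)],
        "tampered": ERROR_NAMES[verify(tampered, tsig, PRIMARY_KEYRING, now)],
        "stale": ERROR_NAMES[verify(update, tsig, PRIMARY_KEYRING, now + 3600)],
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{who}: {result}")
```

Running it gives BADKEY for the secondary and NOERROR for the primary, plus BADSIG for a modified message and BADTIME for a signature outside the fudge window. A secondary that only forwards the update never reaches the verification step, which is the behaviour the report describes for 9.18.10.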