tsig key not found
To be honest, I have doubts that this is a bug. But I don't have any other explanation.
I'm running v9.16.42.
I have defined a key in named.conf:
key "acme-dns01" {
    algorithm hmac-sha256;
    secret "+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E=";
};
This has worked:
$ rndc tsig-list
view "Default"; type "static"; key "acme-dns01";
view "Default"; type "static"; key "local-ddns";
view "Default"; type "static"; key "rndc-key";
view "_bind"; type "static"; key "acme-dns01";
view "_bind"; type "static"; key "local-ddns";
view "_bind"; type "static"; key "rndc-key";
I'm using the key in a grant (but this doesn't really matter):
update-policy { grant acme-dns01 zonesub txt; };
When I try to make use of the "key:secret" using nsupdate, it is sent as expected:
;; TSIG PSEUDOSECTION:
acme-dns01. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0
But I get a BADKEY in the response, which means that the key is unknown.
This information can also be found in the log:
| Jan 17 17:46:10 | named | 23910 | dnssec: debug 2: tsig key 'acme-dns01': unknown key
I couldn't find any additional required action to make the key known in the manual. It is defined globally and should be available in all views (and the output from tsig-list confirms this).
I consider it extremely unlikely that this problem has gone unnoticed before. But on the other hand, I have no idea why it doesn't work.
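
Added example, not part of the original report and not BIND code: for a TSIG-signed request to verify, the server has to recognise both the key name and the algorithm name carried in the TSIG record, and in the output above the key clause declares hmac-sha256 while the request names hmac-md5.sig-alg.reg.int. The script below compares the two for every TSIG line in captured debug output; the function names and the placeholder secret are assumptions, and the sample input is constructed from the lines shown in the post.

```python
import re

# Constructed sample input: taken from the post, secret replaced by a placeholder.
NAMED_CONF = '''
key "acme-dns01" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET";
};
'''
TSIG_OUTPUT = ''';; TSIG PSEUDOSECTION:
acme-dns01. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0
'''

# hmac-md5 travels on the wire under its legacy registered name.
WIRE_ALIASES = {"hmac-md5.sig-alg.reg.int": "hmac-md5"}

def normalize(alg):
    """Reduce config and wire spellings of an algorithm to one form."""
    alg = alg.lower().rstrip(".")
    alg = WIRE_ALIASES.get(alg, alg)
    # named.conf accepts a truncation suffix such as hmac-sha256-128; drop it.
    return re.sub(r"^(hmac-(?:md5|sha\d+))-\d+$", r"\1", alg)

def configured_keys(conf):
    """Map key name -> algorithm for every key clause in named.conf text."""
    pat = re.compile(
        r'key\s+"?([^\s"{]+)"?\s*\{[^}]*?algorithm\s+"?([\w.-]+)"?\s*;', re.I)
    return {m.group(1).lower().rstrip("."): normalize(m.group(2))
            for m in pat.finditer(conf)}

def tsig_records(text):
    """Return (key name, algorithm) for each TSIG line in dig/nsupdate output."""
    pat = re.compile(r"^(\S+)\s+\d+\s+ANY\s+TSIG\s+(\S+)", re.M)
    return [(m.group(1).lower().rstrip("."), normalize(m.group(2)))
            for m in pat.finditer(text)]

def check(conf, text):
    """List (key name, problem) for requests that cannot match a key clause."""
    keys = configured_keys(conf)
    findings = []
    for name, alg in tsig_records(text):
        if name not in keys:
            findings.append((name, "no key clause with this name"))
        elif keys[name] != alg:
            findings.append(
                (name, f"request uses {alg}, key clause declares {keys[name]}"))
    return findings

if __name__ == "__main__":
    print(check(NAMED_CONF, TSIG_OUTPUT))
```
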