<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
Answering myself: <br>
<br>
the problem is simply that (I don't know why...) the password
in TSIG-KEYS is between single quotes.<br>
Removing those keys and recreating them after the upgrade solved my
problem.<br>
<br>
Cheers<br>
<br>
<div class="moz-cite-prefix">Il 15/12/2022 10:35, Andrea Biancalani
ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:bb6806c1-6dde-3c2e-d14d-2c02b60ae78a@conmet.it">Hello
there, <br>
<br>
I've recently updated my PDNS Authoritative from 4.6.4 to 4.7.3
and I've noticed my dynamic DNS updates have broken.<br>
<br>
Just to make an example:<br>
<br>
<ol>
<li>create a new zone (aka: 123.com)</li>
<li>set meta-data for that zone allowing update for specific IP,
key name, algorithm<br>
</li>
<li>send an nsupdate command</li>
</ol>
<p>(you can follow the official documentation to do that: <a
class="moz-txt-link-freetext"
href="https://doc.powerdns.com/authoritative/dnsupdate.html#per-zone-settings"
moz-do-not-send="true">https://doc.powerdns.com/authoritative/dnsupdate.html#per-zone-settings</a>)</p>
<p>when I try to update that zone through nsupdate from an allowed
IP, using correct tsig-key name + password it throws an error:</p>
<p><br>
</p>
<p>META values for 123.com</p>
<blockquote type="cite">
<p>root@ns1:~# pdnsutil get-meta 123.com<br>
Dec 15 10:31:36 [bindbackend] Parsing 0 domain(s), will report
when done<br>
Dec 15 10:31:36 [bindbackend] Done parsing domains, 0
rejected, 0 new, 0 removed<br>
Metadata for '123.com'<br>
ALLOW-DNSUPDATE-FROM = X.X.X.X/32 <b>&lt;-- My allowed IP to
set dyndns update through RFC2136</b><br>
SOA-EDIT-API = DEFAULT<br>
TSIG-ALLOW-DNSUPDATE = 123-test <b>&lt;-- KEY NAME</b></p>
<p>root@ns1:~# pdnsutil list-tsig-keys<br>
Dec 15 10:31:50 [bindbackend] Parsing 0 domain(s), will report
when done<br>
Dec 15 10:31:50 [bindbackend] Done parsing domains, 0
rejected, 0 new, 0 removed<br>
123-test. hmac-md5. '<b>1Q7VGkGcK6p46S0OVG2K5cm2DWUFQXEqP12pDjuLbJk=</b>'
&lt;-- <b>KEY PASSWORD</b></p>
</blockquote>
<br>
<p>command sent: <br>
</p>
<p> </p>
<blockquote type="cite">nsupdate &lt;&lt;!<br>
server <b><i>&lt;MY DNS REMOTE SERVER&gt;</i></b> 53<br>
zone 123.com<br>
update add test1.123.com 3600 TXT "this is a test"<br>
key hmac-md5:123-test
1Q7VGkGcK6p46S0OVG2K5cm2DWUFQXEqP12pDjuLbJk=<br>
send<br>
!</blockquote>
<br>
<p>Result:<br>
</p>
<p> </p>
<blockquote type="cite">Dec 15 10:23:26 ns1 pdns_server[3782843]:
Packet for '123.com' denied: Signature with TSIG key '123-test'
failed to validate<br>
Dec 15 10:24:05 ns1 pdns_server[3782843]: Packet for '123.com'
denied: Signature with TSIG key '123-test' failed to validate</blockquote>
<br>
Is this a bug? Do I have to open a ticket on GitHub about this?
<p>Kind regards, <br>
</p>
<p>Andrea</p>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Andrea Biancalani - <i>Rep. Commerciale e Tecnico</i><br>
<b>Connessioni Metropolitane srl</b><br>
Via G. Valentini, 14 - Prato (PO) - 59100<br>
Sito web: <a href="https://www.conmet.it"
class="moz-txt-link-freetext">https://www.conmet.it</a><br>
Tel. 0574 536553<br>
Fax. 0574 536554<br>
</div>
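<p>An added example, not part of the original message and not PowerDNS code: a small Python check over output in the <code>name. algorithm. secret</code> layout of <code>pdnsutil list-tsig-keys</code> shown above, flagging stored secrets that are wrapped in quotes or are not valid base64. The key names and secrets in the sample are constructed, and the function names are hypothetical.</p>

```python
import base64
import binascii
import re
import sys

# Constructed sample in the "name. algorithm. secret" layout from the post.
# Key names and secrets are made up for this example.
SAMPLE_OUTPUT = """\
Dec 15 10:31:50 [bindbackend] Parsing 0 domain(s), will report when done
good-key. hmac-sha256. dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNlY3JldA==
quoted-key. hmac-sha256. 'dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNlY3JldA=='
broken-key. hmac-sha256. not*base64
"""

# A key line is three fields; the first two end with a dot.
KEY_LINE = re.compile(r"^(\S+)\.\s+(\S+)\.\s+(\S+)$")


def check_secret(secret):
    """Return None for a clean base64 secret, otherwise a short reason."""
    if secret[0] in "'\"" or secret[-1] in "'\"":
        return "wrapped in quotes"
    try:
        base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64"
    return None


def audit(text):
    """Return (name, algorithm, reason) for every key line with a bad secret."""
    findings = []
    for line in text.splitlines():
        match = KEY_LINE.match(line.strip())
        if not match:
            continue  # log lines and anything else that is not a key entry
        name, algorithm, secret = match.groups()
        reason = check_secret(secret)
        if reason:
            findings.append((name, algorithm, reason))
    return findings


if __name__ == "__main__":
    # Reads piped input when present, otherwise the constructed sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for name, algorithm, reason in audit(text):
        print(f"{name} ({algorithm}): secret {reason}")
```

<p>Piping the real listing into the script before and after an upgrade shows which keys need to be removed and recreated.</p>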
</body>
</html>