[Pdns-users] tsig key not being accepted
Otto Moerbeek
otto at drijf.net
Mon Jan 30 20:31:31 UTC 2023
On Sat, Jan 28, 2023 at 09:58:22AM -0500, Larry Wapnitsky via Pdns-users wrote:
> (domain names and keys changed in production from these values)
>
> I'm running the following:
>
> root at ns1:~# pdns_server --version
> Jan 28 09:54:21 PowerDNS Authoritative Server
> 4.8.0-alpha0.1002.master.g13427ee56 (C) 2001-2022 PowerDNS.COM BV
> Jan 28 09:54:21 Using 64-bits mode. Built using gcc 9.4.0 on Jan 18 2023
> 12:08:28 by root at 4f762a9684f6.
>
> I was able (until yesterday) to update DNS entries using RFC2136, but am
> now receiving the following error:
>
> Packet for 'mydomain.com' denied: Signature with TSIG key 'dhcpupdate' does
> not match the expected algorithm (hmac-sha256 / hmac-md5.sig-alg.reg.int)
>
> My TSIG key is set as follows:
>
> root at ns1:~# pdnsutil generate-tsig-key dhcpupdate hmac-sha256
> Create new TSIG key dhcpupdate hmac-sha256
> W/ThmvveOYiOKDiMA/tphcm0bu+XsdHxmIPa5anY+U8NO94n8j5I7L7rTfrlTE7NRhTrbeRJ2f7s0oTiwWc9BA==
>
> and the configuration in my RFC2136 client (opnsense) is:
>
> [image: 2023-01-28_09-57.png]
>
> Advice is very welcome on how to diagnose. I've recreated the keys multiple
> times to no avail.
>
> Thank you.
>
> *Larry G. Wapnitsky*
>
>
> *E: Larry at Wapnitsky.com*
> *Web: Larry.Wapnitsky.com <http://larry.wapnitsky.com/>*
If it worked before yesterday, it would be very good to know what changed:
- the auth server software version? What version were you running before?
- the RFC2136 client? Same question.
-Otto
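
An added example, not part of the thread and not PowerDNS code: one way to see which algorithm name a client actually places in the TSIG record of its RFC2136 UPDATE, so it can be compared with the algorithm the key was generated with. The packet here is constructed with a zeroed MAC (`sample_update` and `encode_name` are hypothetical helpers); in practice the bytes would come from a capture of the client's request.

```python
import struct

TSIG = 250  # RR type code for TSIG (RFC 8945)

def read_name(msg, off):
    """Decode the DNS name at off; return (dotted name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii", "replace").lower())
        off += n
    return ".".join(labels) or ".", (off if end is None else end)

def tsig_info(msg):
    """Return (key name, algorithm name) from the message's TSIG RR, or None."""
    _id, _flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(zo):                   # zone section: name, type, class
        _, off = read_name(msg, off)
        off += 4
    for _ in range(pr + up + ad):         # remaining sections hold full RRs
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TSIG:                 # RDATA begins with the algorithm name
            return owner, read_name(msg, off)[0]
        off += rdlen
    return None

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def sample_update(alg):
    """Constructed UPDATE for zone mydomain.com, key dhcpupdate, zeroed MAC."""
    hdr = struct.pack("!6H", 0x1234, 5 << 11, 1, 0, 0, 1)   # opcode 5 = UPDATE
    zone = encode_name("mydomain.com") + struct.pack("!HH", 6, 1)
    # time signed (48 bit), fudge, MAC size, 32 zero MAC bytes, orig ID, error, other len
    rdata = encode_name(alg) + struct.pack("!HIHH32xHHH", 0, 0, 300, 32, 0x1234, 0, 0)
    rr = encode_name("dhcpupdate") + struct.pack("!HHIH", TSIG, 255, 0, len(rdata))
    return hdr + zone + rr + rdata
```

Calling `tsig_info()` on the captured request returns the key name and algorithm name exactly as the client sent them, lowercased for comparison.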