topic DNS Problem in Operating System - Linux

DNS Problem

Piotr Kirklewski — Thu, 25 Nov 2010 13:52:28 GMT

client 127.0.0.1#57990: view localhost_resolver: request has invalid signature: TSIG rndckey: tsig verify failure (BADKEY)

Why do I get that please?

The system is CentOS 5.5 64-bit

dhcpd.conf:

[root@ddns001bri ~]# cat /etc/dhcpd.conf
authoritative;
include "/etc/rndc.key";
# Server configuration:

server-identifier ddns001bri;
ddns-domainname "xdomain.com.";
ddns-rev-domainname "in-addr.arpa.";
ddns-update-style interim;
ddns-updates on;
ignore client-updates;

# This is the communication zone

zone xdomain.com. {
primary 127.0.0.1;
key rndckey;
}

default-lease-time 21600; # 6 hours
max-lease-time 43200; # 12 hours

# Client configuration:

option domain-name "xdomain.com.";
option ip-forwarding off;

subnet 10.10.0.0 netmask 255.255.0.0 {
range 10.10.20.1 10.10.20.254;
option routers 10.10.0.1; # default gateway
option subnet-mask 255.255.0.0;
option broadcast-address 10.10.255.255;
option domain-name-servers 10.10.0.10;

zone 0.10.10.in-addr.arpa. {
primary 10.10.0.10;
key rndckey;
}

zone localdomain. {
primary 10.10.0.10;
key rndckey;
}

}

named.conf:

[root@ddns001bri ~]# cat /etc/named.conf
controls {
inet 127.0.0.1 allow {localhost; } keys { "rndckey"; };
};
// Add local zone definitions here.
zone "xdomain.com" {
type master;
file "xdomain.com.zone";
allow-update { key "rndckey"; };
notify yes;
};
zone "10.10.in-addr.arpa" {
type master;
file "10.10.in-addr.arpa.zone";
allow-update { key "rndckey"; };
notify yes;
};

include "/etc/rndc.key";

[root@ddns001bri ~]# ls -la /etc/rndc.key
lrwxrwxrwx 1 root named 31 Nov 14 06:06 /etc/rndc.key -> /var/named/chroot//etc/rndc.key

[root@ddns001bri ~]# ls -la /var/named/chroot//etc/rndc.key
-rw-r----- 1 root named 113 Nov 14 06:06 /var/named/chroot//etc/rndc.key

Re: DNS Problem

Matti_Kurkela — Thu, 25 Nov 2010 14:53:21 GMT

You've configured your DNS server to require transaction signatures (TSIGs) on DNS dynamic update requests. The error message says BIND was unable to verify the signature on a request.

Obviously I cannot see your /etc/rndc.key file. Perhaps the key was bad, or perhaps it was not readable by your DHCP server?

Is the key name correct?

The filename /etc/rndc.key suggests the key might have been generated using "rndc-confgen -a" or a similar command.

On my Debian system, the rndc.key file generated in this way contains a key statement like:

key "rndc-key" {
algorithm hmac-md5;
secret "secret_alphabet_soup";
};

NOTE: the name of the autogenerated key was "rndc-key", *not* "rndckey".

Please double-check the name of the key defined in your /etc/rndc.key file.

MK

Re: DNS Problem

Piotr Kirklewski — Thu, 25 Nov 2010 17:43:14 GMT

[root@ddns001bri ~]# cat /etc/rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "6aTlgWGyZe83DXZbdRzwbu2j87RPOxWOq9FJml6ik0Dl50V6w2xlroXSchgK";
};

As you see the key is right.

Re: DNS Problem

Matti_Kurkela — Fri, 26 Nov 2010 10:45:38 GMT

OK... Does the DHCP server emit any error messages to syslog if you restart it?

MK

Re: DNS Problem

Piotr Kirklewski — Fri, 26 Nov 2010 17:17:50 GMT

Not much I'm afraid:

[root@ddns001bri ~]# tail -f /var/log/messages
Nov 14 07:20:54 localhost init: Trying to re-exec init
Nov 14 10:59:19 localhost dhclient: DHCPREQUEST on eth0 to 10.10.0.10 port 67
Nov 14 10:59:19 localhost dhclient: DHCPACK from 10.10.0.10
Nov 14 10:59:19 localhost dhclient: bound to 10.10.20.10 -- renewal in 16268 seconds.
Nov 14 15:30:26 localhost dhclient: DHCPREQUEST on eth0 to 10.10.0.10 port 67
Nov 14 15:30:27 localhost dhclient: DHCPACK from 10.10.0.10
Nov 14 15:30:27 localhost dhclient: bound to 10.10.20.10 -- renewal in 18214 seconds.
Nov 14 20:34:00 localhost dhclient: DHCPREQUEST on eth0 to 10.10.0.10 port 67
Nov 14 20:34:01 localhost dhclient: DHCPACK from 10.10.0.10
Nov 14 20:34:01 localhost dhclient: bound to 10.10.20.10 -- renewal in 20615 seconds.
Nov 14 23:25:58 localhost dhcpd: Internet Systems Consortium DHCP Server V3.0.5-RedHat
Nov 14 23:25:58 localhost dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Nov 14 23:25:58 localhost dhcpd: All rights reserved.
Nov 14 23:25:58 localhost dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Nov 14 23:25:58 localhost dhcpd: Wrote 0 leases to leases file.
Nov 14 23:25:58 localhost dhcpd: Listening on LPF/eth0/00:0c:29:cb:60:30/10.10/16
Nov 14 23:25:58 localhost dhcpd: Sending on LPF/eth0/00:0c:29:cb:60:30/10.10/16
Nov 14 23:25:58 localhost dhcpd: Sending on Socket/fallback/fallback-net