LinuxQuestions.org: Linux - Server
This forum is for the discussion of Linux Software used in a server related context.
08-02-2008, 04:43 AM   #1
kudos
Member
Registered: Oct 2002
Location: UK
Distribution: Fedora 4
Posts: 90
BIND - tsig verify failure (BADKEY) - bad DNS key


Hi all,

I am having a little problem with my BIND and DHCP server: the DHCP server does not update my zone files. In the logs I am getting:

Quote:
Aug 2 11:33:30 pdc named[3269]: client 127.0.0.1#32772: request has invalid signature: TSIG rndckey: tsig verify failure (BADKEY)
Aug 2 11:33:30 pdc dhcpd: Unable to add forward map from rob.dpsmn.sch.uk to 192.168.0.121: bad DNS key
Aug 2 11:33:30 pdc dhcpd: DHCPREQUEST for 192.168.0.121 from 00:50:8d:b5:aa:bb (rob) via eth0
Aug 2 11:33:30 pdc dhcpd: DHCPACK on 192.168.0.121 to 00:50:8d:b5:aa:bb (rob) via eth0
Aug 2 11:33:32 pdc named[3269]: client 127.0.0.1#32772: request has invalid signature: TSIG rndckey: tsig verify failure (BADKEY)
Aug 2 11:33:32 pdc dhcpd: Unable to add forward map from rob.dpsmn.sch.uk to 192.168.0.121: bad DNS key
Aug 2 11:33:32 pdc dhcpd: DHCPREQUEST for 192.168.0.121 from 00:50:8d:b5:aa:bb (rob) via eth0
Aug 2 11:33:32 pdc dhcpd: DHCPACK on 192.168.0.121 to 00:50:8d:b5:aa:bb (rob) via eth0
Here are my config files. I am a little lost as to why it's doing this; it had worked before, but once I did an update things stopped working.

My named.conf
Quote:

include "/etc/rndc.key";

acl trusted {
192.168.0.0/24;
127.0/8;
localnets;
localhost;
};

options {
listen-on port 53 { trusted; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { trusted; };
allow-transfer { trusted;};
//internet dns
forwarders {208.67.22.222; 208.67.220.220;};
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};

controls {
inet 127.0.0.1 port 953
allow {127.0.0.1;} keys { "rndckey"; };
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients { trusted; };
match-destinations { trusted; };
recursion yes;
include "/etc/named.rfc1912.zones";
};

// include "/etc/rndc.key";

zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};
zone "dpsmn.sch.uk" {
type master;
file "dpsmn.sch.uk.zone";
allow-update { key "rndckey"; };
};

//This zone is for reverse lookups.
zone "0.168.192.in-addr.arpa" {
type master;
file "reverse.zone";//this file resides in /var/named/chroot/var/named
allow-update { key "rndckey"; };
};
My dhcpd.conf

Quote:
include "/etc/rndc.key";

ddns-domainname "dpsmn.sch.uk";
ddns-update-style interim;
ddns-rev-domainname "in-addr.arpa";
ddns-updates on; #allow dynamic dns
authoritative;
#master server for this domain

# Allow only the DHCP server to update DNS
#ignore client-updates;
allow client-updates;
allow unknown-clients;

zone 0.168.192.in-addr.arpa. {
primary 127.0.0.1;
key "rndckey";
}

zone dpsmn.sch.uk. {
primary 127.0.0.1;
key "rndckey";
}
#zone localhost {
#primary 127.0.0.1;
#key rndckey;
#}

#zone 0.0.127.in-addr.arpa {
#primary 127.0.0.1;
#key rndckey;
#}


#zone dpsmn.sch.uk. {
# primary 127.0.0.1;
# key rndckey;
#}

#
# Fixed IP addresses - will not be entered in the leases file.
#
host pdc {
# you can find the mac address of the machine by doing an ifconfig on the machine
hardware ethernet 00:0B:2B:17:2F:00;
fixed-address 192.168.0.2;
ddns-hostname pdc;
# dnns-rev-domainname "2.0.168.192";
}

#
# Subnet entries for 192.168.0.X
#

subnet 192.168.0.0 netmask 255.255.255.0 {

# Range of DHCP IP Addresses for this scope
range 192.168.0.20 192.168.0.126;

# Lease assignments Default = 1 day, Max = 2 days
default-lease-time 86400;
max-lease-time 172800;

# Configure Clients Default Gateway
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
}
dpsmn.sch.uk.zone
Quote:
$ORIGIN .
$TTL 86400	; 1 day
dpsmn.sch.uk		IN SOA	pdc.dpsmn.sch.uk. admin.dpsmn.norfolk.sch.uk. (
				14062026   ; serial
				10800      ; refresh (3 hours)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS	pdc.dpsmn.sch.uk.
			A	192.168.0.2
$ORIGIN dpsmn.sch.uk.
pdc			A	192.168.0.2
reverse.zone

Quote:
$ORIGIN .
$TTL 86400	; 1 day
0.168.192.in-addr.arpa	IN SOA	pdc.dpsmn.sch.uk. admin.dpsmn.norfolk.sch.uk. (
				1406190730 ; serial
				21600      ; refresh (6 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS	pdc.dpsmn.sch.uk.
$ORIGIN 0.168.192.in-addr.arpa.
2			PTR	pdc.dpsmn.sch.uk.
Thanks, Robert
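What the logged line actually says, as an added example (this is not code from the thread, from BIND or from ISC dhcpd): a toy RFC 2845 TSIG signer and verifier for the kind of DNS UPDATE dhcpd sends. Under RFC 2845 the server checks the key first, then the MAC, then the time: BADKEY (17) means it has no key with the presented name and algorithm, BADSIG (16) means the key exists but the MAC computed with its secret does not match, BADTIME (18) means the time-signed is outside the fudge window. Which of these named logs therefore depends on what key clause its own copy of rndc.key (the one inside the chroot, for a chrooted named) contains, not on the copy dhcpd reads. The zone, host, address, epoch time and both base64 secrets are constructed. One caveat the configs above invite: the same "rndckey" is the rndc control key and the update key, so whoever holds dhcpd's copy can also drive rndc (stop, flush, reload); a separate key generated only for updates is the least-privilege arrangement.

```python
"""Added example: RFC 2845 TSIG sign/verify for a DNS UPDATE, showing which
mismatch yields BADKEY and which yields BADSIG. Constructed data throughout."""
import base64
import hashlib
import hmac
import struct

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."
NOERROR, BADSIG, BADKEY, BADTIME = 0, 16, 17, 18   # RFC 2845 error codes


def wire_name(name):
    """Canonical wire form of a name: uncompressed, lower case, root label last."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, host, ipv4, msg_id=0x1234):
    """Minimal RFC 2136 UPDATE: zone section plus one A record to add.
    ARCOUNT is 0, i.e. the message as digested before the TSIG RR is appended."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)   # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)       # type SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_rr = wire_name(host) + struct.pack("!HHIH", 1, 1, 86400, 4) + rdata
    return header + zone_section + update_rr


def tsig_digest_input(msg, key_name, algorithm, time_signed, fudge, error=0):
    """Bytes the HMAC covers (RFC 2845 3.4): the message, then the TSIG variables
    in order: key name, CLASS ANY, TTL 0, algorithm, time signed (48 bit),
    fudge, error, other-data length (0)."""
    variables = (wire_name(key_name)
                 + struct.pack("!HI", 255, 0)
                 + wire_name(algorithm)
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
                 + struct.pack("!HHH", fudge, error, 0))
    return msg + variables


def sign(msg, key_name, secret, time_signed, fudge=300):
    """Client side: what dhcpd does with its copy of rndc.key."""
    mac = hmac.new(secret, tsig_digest_input(msg, key_name, HMAC_MD5, time_signed, fudge),
                   hashlib.md5).digest()
    return {"name": key_name, "algorithm": HMAC_MD5,
            "time_signed": time_signed, "fudge": fudge, "mac": mac}


def verify(msg, tsig, keyring, now):
    """Server side: the checks in the order RFC 2845 section 4.5 prescribes."""
    key = keyring.get(tsig["name"].lower().rstrip("."))
    if key is None or key["algorithm"].lower() != tsig["algorithm"].lower():
        return BADKEY        # no usable key under that name/algorithm
    expected = hmac.new(key["secret"],
                        tsig_digest_input(msg, tsig["name"], tsig["algorithm"],
                                          tsig["time_signed"], tsig["fudge"]),
                        hashlib.md5).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return BADSIG        # key known, but the secrets differ
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return BADTIME
    return NOERROR


def demo():
    """Four constructed scenarios around the update dhcpd was sending in the thread."""
    msg = build_update("dpsmn.sch.uk.", "rob.dpsmn.sch.uk.", "192.168.0.121")
    now = 1217673210                                                 # constructed epoch
    secret_a = base64.b64decode("Y29uc3RydWN0ZWQtc2VjcmV0LUE=")       # dhcpd's rndc.key
    secret_b = base64.b64decode("Y29uc3RydWN0ZWQtc2VjcmV0LUI=")       # a regenerated key
    named_ring = {"rndckey": {"algorithm": HMAC_MD5, "secret": secret_a}}
    return {
        "same key": verify(msg, sign(msg, "rndckey", secret_a, now), named_ring, now),
        "different secret": verify(msg, sign(msg, "rndckey", secret_b, now), named_ring, now),
        "unknown name": verify(msg, sign(msg, "rndc-key", secret_a, now), named_ring, now),
        "stale request": verify(msg, sign(msg, "rndckey", secret_a, now - 3600), named_ring, now),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case:18s} -> TSIG error {code}")
```

Against a live server the same experiment is `nsupdate -k /etc/rndc.key` with the exact key file dhcpd includes: if that fails with the same message while `nsupdate -k` against the chroot's copy succeeds, the two copies have diverged.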
 
08-02-2008, 05:06 AM   #2
chort
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Did you change permissions on /etc/rndc.key? Are you chroot'ing BIND now and didn't copy rndc.key to the chroot directory?

Also, you need to comment out the following lines in named.conf:
Code:
query-source port 53;
query-source-v6 port 53;
They make you wide-open for DNS cache poisoning, even if you are on a patched version of BIND.
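The two checks this reply amounts to, as an added Python script (not code from the thread, from BIND or from ISC dhcpd): compare the key clause dhcpd reads with the copy a chrooted named reads, report a key file that "other" can read or that has the wrong owner, and flag a `query-source`/`query-source-v6` line that pins the port. The second point is the July 2008 one: pinning the outbound port to 53 switches off the source-port randomisation BIND's fix for the Kaminsky cache-poisoning attack depends on, patched server or not. The paths DHCPD_KEY and CHROOT_KEY are assumptions for a Fedora-era chrooted BIND; the demo writes constructed files into a temporary directory instead of touching them. The regex skips `//`/`#` line comments but not `/* */` blocks, so `named-checkconf -p` (with `-t` for the chroot) remains the authoritative view of what named actually parsed.

```python
"""Added example: the checks behind the reply above, scripted. Real paths are
assumptions; demo() uses constructed files in a temporary directory."""
import os
import re
import shutil
import stat
import tempfile

DHCPD_KEY = "/etc/rndc.key"                    # assumed: what dhcpd.conf includes
CHROOT_KEY = "/var/named/chroot/etc/rndc.key"  # assumed: what a chrooted named includes

KEY_CLAUSE = re.compile(
    r'key\s+"([^"]+)"\s*\{[^}]*?algorithm\s+([\w-]+)\s*;[^}]*?secret\s+"([^"]+)"')
# A query-source line that pins a port; lines starting with // or # do not match.
PINNED_QUERY_PORT = re.compile(r'^\s*query-source(?:-v6)?\b[^;]*\bport\s+\d+', re.M)


def parse_key_file(path):
    """(name, algorithm, secret) from the first key {} clause in a BIND key file."""
    with open(path) as f:
        m = KEY_CLAUSE.search(f.read())
    if m is None:
        raise ValueError(f"{path}: no key clause found")
    return m.group(1), m.group(2).lower(), m.group(3)


def keys_match(path_a, path_b):
    """dhcpd and named only agree if name, algorithm and secret are all identical."""
    return parse_key_file(path_a) == parse_key_file(path_b)


def key_file_issues(path, expected_uid=None):
    """Mode/ownership problems: the named uid must read it, 'other' must not."""
    st = os.stat(path)
    issues = []
    if st.st_mode & stat.S_IROTH:
        issues.append("world-readable")
    if expected_uid is not None and st.st_uid != expected_uid:
        issues.append("wrong owner")
    return issues


def pins_query_port(named_conf_path):
    """True if named.conf fixes the outbound query port (no port randomisation)."""
    with open(named_conf_path) as f:
        return PINNED_QUERY_PORT.search(f.read()) is not None


def demo():
    """Constructed scenario: dhcpd's rndc.key, a chroot copy whose secret was
    regenerated and left world-readable, and a named.conf with the pinned port."""
    d = tempfile.mkdtemp()
    try:
        good = ('key "rndckey" {\n\talgorithm hmac-md5;\n'
                '\tsecret "Y29uc3RydWN0ZWQtc2VjcmV0LUE=";\n};\n')
        stale = good.replace("LUE=", "LUI=")
        named_conf = "options {\n\tquery-source port 53;\n\tquery-source-v6 port 53;\n};\n"
        paths = {"dhcpd": os.path.join(d, "rndc.key"),
                 "chroot": os.path.join(d, "chroot-rndc.key"),
                 "named.conf": os.path.join(d, "named.conf")}
        for name, text in (("dhcpd", good), ("chroot", stale), ("named.conf", named_conf)):
            with open(paths[name], "w") as f:
                f.write(text)
        os.chmod(paths["dhcpd"], 0o640)
        os.chmod(paths["chroot"], 0o644)
        return {
            "keys_match": keys_match(paths["dhcpd"], paths["chroot"]),
            "chroot_key_issues": key_file_issues(paths["chroot"], os.getuid()),
            "pins_query_port": pins_query_port(paths["named.conf"]),
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

On the real host the calls are `keys_match(DHCPD_KEY, CHROOT_KEY)` and `key_file_issues(CHROOT_KEY, pwd.getpwnam("named").pw_uid)`; if the chroot copy is a symlink or bind-mount of /etc/rndc.key the keys will match and only the permission check can fail.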
 
08-02-2008, 05:58 AM   #3
kudos
Member
Registered: Oct 2002
Location: UK
Distribution: Fedora 4
Posts: 90
Original Poster
Quote:
Originally Posted by chort
Did you change permissions on /etc/rndc.key? Are you chroot'ing BIND now and didn't copy rndc.key to the chroot directory?

Also, you need to comment out the following lines in named.conf:
Code:
query-source port 53;
query-source-v6 port 53;
They make you wide-open for DNS cache poisoning, even if you are on a patched version of BIND.
Thanks for the tips.

I'll comment them out.

I got it all working now, thanks.

For some reason the permissions had also changed on the chroot folders and files; I changed them back to named:named and all is well and dandy.

Thanks for your time,
Robert
 
  

