Linux

BIND 9 nsupdate dyndns update gives: "tsig verify failure (BADKEY)"

  • September 7, 2019

I have gone through so many HOWTO pages on DDNS trying to solve this... I'm at a loss.

WorkstationX = CentOS 6.2 x64
ServerX = Ubuntu 12.04 LTS x64

I don't understand why it doesn't work... I'm really out of ideas. I have regenerated and reconfigured everything several times.

I have determined:

Some of them have different ways of generating the key, but the rest is the same... and when I try nsupdate - even on the server where dnssec-keygen was run (and where bind lives) - I get the same log entry:

Aug 14 11:20:38 vps named[31247]: 14-Aug-2013 11:20:38.032 security: error: client 127.0.0.1#29403: view public: request has invalid signature: TSIG domain2.com.au.: tsig verify failure (BADKEY)

From this nsupdate:

nsupdate -k Kdomain2.com.au.+157+35454.key
server localhost
zone domain2.com.au.
update add test.domain2.com.au. 86400 IN A 10.20.30.40
show
send

What I gather is the correct way to generate the key:

dnssec-keygen -a HMAC-MD5 -b 512 -n HOST domain2.com.au.

named.conf (IPs changed for privacy):

acl ipv4                { 0.0.0.0/0; };
acl ipv6                { 2000::/3; ::1; fe80::/10; fec0::/10; };
acl safehosts           { 127.0.0.0/8; 3.2.2.40; 44.44.14.12; };

include "/etc/bind/rndc.key";

controls {
       inet * port 953
       allow { safehosts; } keys { "rndc-key"; };
};

options
{
       auth-nxdomain           yes;
       empty-zones-enable      no;
       zone-statistics         yes;
       dnssec-enable           yes;
       listen-on               { any; };
       listen-on-v6            { any; };
       directory               "/etc/bind/db";
       managed-keys-directory  "/etc/bind/keys";
       memstatistics-file      "/etc/bind/data/bind.memstats";
       statistics-file         "/etc/bind/data/bind.qstats";
};

logging
{
## CUT ##
};

view "public"
{
   recursion           yes;
   allow-query-cache   { safehosts; };
   allow-recursion     { safehosts; };

zone "." IN {
   type            hint;
   file            "root.zone";
};

zone "0.0.127.in-addr.arpa" {
   type            master;
   allow-update    { none; };
   allow-transfer  { none; };
   file            "0.0.127.in-addr.arpa.zone";
};

zone "localhost" {
   type            master;
   allow-update    { none; };
   allow-transfer  { none; };
   file            "localhost.zone";
};

zone "3.2.2.in-addr.arpa" {
   type            master;
   allow-update    { none; };
   allow-transfer  { none; };
   file            "3.2.2.in-addr.arpa.zone";
};

zone "domain1.com.au" {
   type            master;
   notify          yes;
   allow-update    { key "rndc-key"; };
   allow-transfer  { key "rndc-key"; };
   file            "domain1.com.au.zone";
};

zone "domain2.com.au" {
   type            master;
   notify          yes;
   allow-update    { key "rndc-key"; };
   allow-transfer  { key "rndc-key"; };
   file            "doomain2.com.au.zone";
};
};

/etc/bind/rndc.key:

key "rndc-key" {
   algorithm hmac-md5;
   secret "vZwCYBx4OAOsBrbdlooUfBaQx+kwEi2eLDXdr+JMs4ykrwXKQTtDSg/jp7eHnw39IehVLMtuVECTqfOwhXBm0A==";
};

Kdomain1.com.au.+157+35454.private

Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: vZwCYBx4OAOsBrbdlooUfBaQx+kwEi2eLDXdr+JMs4ykrwXKQTtDSg/jp7eHnw39IehVLMtuVECTqfOwhXBm0A==
Bits: AAA=
Created: 20130814144733
Publish: 20130814144733
Activate: 20130814144733

nsupdate has a few quirks when using -k. From the man page, I think your key name may be called domain2.com.au.

Can you try the following?

nsupdate -y \
 'rndc-key:vZwCYBx4OAOsBrbdlooUfBaQx+kwEi2eLDXdr+JMs4ykrwXKQTtDSg/jp7eHnw39IehVLMtuVECTqfOwhXBm0A=='

You must use the name you created the key with as the key name in the configuration. As far as I can tell, you must use:

key "domain2.com.au" {
  [...]
}

BIND documentation

Verifies that incoming requests have been signed with a key matching this **name, algorithm and secret**.

Quoted from: https://serverfault.com/questions/531112
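The answer above turns on the fact that named looks the TSIG key up by the name carried in the request (the owner name of the dnssec-keygen key file), not by its secret: a secret that is present in named.conf under a different name still fails with BADKEY, while a known name with a wrong secret fails with BADSIG. The following shell script, added here as an example and not part of the original question or answer, extracts the key names and secrets from a named.conf-style file and from a dnssec-keygen .key file and reports which of those outcomes the key lookup would produce. It models only the name/secret lookup step, not the real HMAC over a wire message, and all input files (the secret, the config fragments and the three .key files) are constructed for the demo.

```shell
#!/bin/sh
# Added example: cross-check a dnssec-keygen TSIG key file against the
# key {} statements in a named.conf. BIND selects the signing key by the
# NAME in the request's TSIG record, so the same secret stored under a
# different name is still rejected with BADKEY. This is a model of that
# lookup step only; it does not compute a real TSIG MAC.

# All key names declared as  key "name" { ... };  in a config file.
config_key_names() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# The secret declared inside the key {} block with the given name.
config_key_secret() {
    awk -v name="$2" '
        $1 == "key" && $2 == ("\"" name "\"") { inkey = 1 }
        inkey && $1 == "secret" { gsub(/[";]/, "", $2); print $2; exit }
        inkey && /}/ { inkey = 0 }
    ' "$1"
}

# Owner name from a dnssec-keygen .key file (trailing dot removed);
# this is the name nsupdate -k puts in the TSIG record.
keyfile_name() {
    awk '$3 == "KEY" { sub(/\.$/, "", $1); print $1; exit }' "$1"
}

# Base64 secret from a .key file (everything after owner/class/type/flags/proto/alg).
keyfile_secret() {
    awk '$3 == "KEY" { s = ""; for (i = 7; i <= NF; i++) s = s $i; print s; exit }' "$1"
}

# Verdict modelling named's key lookup for this config + key file:
#   BADKEY - no key {} with this name in the config (the poster's situation)
#   BADSIG - name known but the secret differs, so the MAC would not verify
#   OK     - name and secret both match
tsig_check() {
    conf=$1; keyfile=$2
    name=$(keyfile_name "$keyfile")
    for n in $(config_key_names "$conf"); do
        if [ "$n" = "$name" ]; then
            if [ "$(config_key_secret "$conf" "$name")" = "$(keyfile_secret "$keyfile")" ]; then
                echo OK
            else
                echo BADSIG
            fi
            return 0
        fi
    done
    echo BADKEY
}

# Constructed sample inputs (not the poster's real files or secret).
TSIG_DEMO=$(mktemp -d)
SECRET='c2VjcmV0LWZvci1kZW1vLW9ubHk='   # constructed demo value, not a real key

# Config as in the question: only "rndc-key" is declared.
cat > "$TSIG_DEMO/poster.conf" <<EOF
key "rndc-key" {
   algorithm hmac-md5;
   secret "$SECRET";
};
EOF

# Config as the answer suggests: a key {} whose name matches the key file.
cat > "$TSIG_DEMO/named.conf" <<EOF
key "rndc-key" {
   algorithm hmac-md5;
   secret "$SECRET";
};
key "domain2.com.au" {
   algorithm hmac-md5;
   secret "$SECRET";
};
EOF

# Three constructed .key files in dnssec-keygen's "owner IN KEY flags proto alg secret" layout.
printf 'domain2.com.au. IN KEY 512 3 157 %s\n' "$SECRET"  > "$TSIG_DEMO/Kdomain2.key"
printf 'domain1.com.au. IN KEY 512 3 157 %s\n' "$SECRET"  > "$TSIG_DEMO/Kdomain1.key"
printf 'domain2.com.au. IN KEY 512 3 157 %s\n' 'd3Jvbmc=' > "$TSIG_DEMO/Kwrong.key"

printf 'poster.conf + Kdomain2.key: %s\n' "$(tsig_check "$TSIG_DEMO/poster.conf" "$TSIG_DEMO/Kdomain2.key")"
printf 'named.conf  + Kdomain2.key: %s\n' "$(tsig_check "$TSIG_DEMO/named.conf"  "$TSIG_DEMO/Kdomain2.key")"
printf 'named.conf  + Kdomain1.key: %s\n' "$(tsig_check "$TSIG_DEMO/named.conf"  "$TSIG_DEMO/Kdomain1.key")"
printf 'named.conf  + Kwrong.key:   %s\n' "$(tsig_check "$TSIG_DEMO/named.conf"  "$TSIG_DEMO/Kwrong.key")"
```

Running it against real files (`tsig_check /etc/bind/named.conf Kdomain2.com.au.+157+35454.key`) is a quick way to confirm the answer's diagnosis before touching the zone: the poster's config yields BADKEY because no `key "domain2.com.au"` block exists, even though the secret is identical to rndc-key's. Note that BADKEY tells a client only that the key name or algorithm is unknown, while BADSIG tells it the name is known; an update listener exposed beyond `safehosts` therefore leaks which key names exist, which is one more reason to keep `allow-update` restricted to specific keys and the listener restricted to trusted addresses.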