BIND 9 nsupdate dyndns update gives: "tsig verify failure (BADKEY)"
I have been through so many HOWTO pages on DDNS trying to solve this... I'm at my wits' end.
WorkstationX = CentOS 6.2 x64
ServerX = Ubuntu 12.04 LTS x64
I don't understand why it doesn't work... I honestly have no ideas left. I have regenerated and reconfigured everything several times.
I have confirmed:
- NTPD is running on both hosts, and I have verified that NTP is working
- TZ is correct on both nodes (hardware clock is UTC)
I have followed these guides:
- http://linux.yyz.us/nsupdate/
- http://agiletesting.blogspot.com.au/2012/03/dynamic-dns-updates-with-nsupdate-and.html
- http://www.cheshirekow.com/wordpress/?p=457
- http://www.erianna.com/nsupdate-dynamic-dns-updates-with-bind9
- http://consultancy.edvoncken.net/index.php/HOWTO_Manage_Dynamic_DNS_with_nsupdate
- http://blog.philippklaus.de/2013/01/updating-dns-entries-with-nsupdate-or-alternative-implementations-your-own-ddns/
Some of them have different ways of generating the key, but the rest is all the same... and, when I try nsupdate - even on the server where dnssec-keygen was run (and where bind lives), I get the same log entry:
```
Aug 14 11:20:38 vps named[31247]: 14-Aug-2013 11:20:38.032 security: error: client 127.0.0.1#29403: view public: request has invalid signature: TSIG domain2.com.au.: tsig verify failure (BADKEY)
```
From this nsupdate:
```
nsupdate -k Kdomain2.com.au.+157+35454.key
server localhost
zone domain2.com.au.
update add test.domain2.com.au. 86400 IN A 10.20.30.40
show
send
```
What I gather is the correct way to generate the key:
```
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST domain2.com.au.
```
named.conf (IPs changed for privacy):
```
acl ipv4 { 0.0.0.0/0; };
acl ipv6 { 2000::/3; ::1; fe80::/10; fec0::/10; };
acl safehosts { 127.0.0.0/8; 3.2.2.40; 44.44.14.12; };

include "/etc/bind/rndc.key";

controls {
  inet * port 953 allow { safehosts; } keys { "rndc-key"; };
};

options {
  auth-nxdomain yes;
  empty-zones-enable no;
  zone-statistics yes;
  dnssec-enable yes;
  listen-on { any; };
  listen-on-v6 { any; };
  directory "/etc/bind/db";
  managed-keys-directory "/etc/bind/keys";
  memstatistics-file "/etc/bind/data/bind.memstats";
  statistics-file "/etc/bind/data/bind.qstats";
};

logging {
  ## CUT ##
};

view "public" {
  recursion yes;
  allow-query-cache { safehosts; };
  allow-recursion { safehosts; };

  zone "." IN {
    type hint;
    file "root.zone";
  };

  zone "0.0.127.in-addr.arpa" {
    type master;
    allow-update { none; };
    allow-transfer { none; };
    file "0.0.127.in-addr.arpa.zone";
  };

  zone "localhost" {
    type master;
    allow-update { none; };
    allow-transfer { none; };
    file "localhost.zone";
  };

  zone "3.2.2.in-addr.arpa" {
    type master;
    allow-update { none; };
    allow-transfer { none; };
    file "3.2.2.in-addr.arpa.zone";
  };

  zone "domain1.com.au" {
    type master;
    notify yes;
    allow-update { key "rndc-key"; };
    allow-transfer { key "rndc-key"; };
    file "domain1.com.au.zone";
  };

  zone "domain2.com.au" {
    type master;
    notify yes;
    allow-update { key "rndc-key"; };
    allow-transfer { key "rndc-key"; };
    file "doomain2.com.au.zone";
  };
};
```
/etc/bind/rndc.key:
```
key "rndc-key" {
  algorithm hmac-md5;
  secret "vZwCYBx4OAOsBrbdlooUfBaQx+kwEi2eLDXdr+JMs4ykrwXKQTtDSg/jp7eHnw39IehVLMtuVECTqfOwhXBm0A==";
};
```
Kdomain1.com.au.+157+35454.private
```
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: vZwCYBx4OAOsBrbdlooUfBaQx+kwEi2eLDXdr+JMs4ykrwXKQTtDSg/jp7eHnw39IehVLMtuVECTqfOwhXBm0A==
Bits: AAA=
Created: 20130814144733
Publish: 20130814144733
Activate: 20130814144733
```
nsupdate has some quirks when using -k. From the man page, I think your key name might be called domain2.com.au. Could you try the following?
```
nsupdate -y \
'rndc-key:vZwCYBx4OAOsBrbdlooUfBaQx+kwEi2eLDXdr+JMs4ykrwXKQTtDSg/jp7eHnw39IehVLMtuVECTqfOwhXBm0A=='
```
You must use the key name that you created the key with as the name in the configuration. As far as I know, you have to use:
```
key "domain2.com.au" { [...] }
```
From the BIND documentation:
Verifies that incoming requests have been signed with a key **matching this name, algorithm, and secret**.
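As an added illustration of the name-matching rule in the answer above (this is not code from either answer or from BIND), the checker below reads a dnssec-keygen `.private` file and the `key` statements of a named.conf and predicts which TSIG error `named` will log: a name that no `key` statement carries gives BADKEY even when the secret is present under another name, while a matching name with a different secret gives BADSIG. The sample key material and config are constructed to mirror the question; the config parser is a simple regex that only understands one-line `key` statements.

```python
import re
from pathlib import PurePosixPath

# dnssec-keygen algorithm numbers used in TSIG key file names (the "+157+" part).
TSIG_ALGORITHMS = {157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
                   163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512"}

def normalize(name):
    """TSIG key names compare case-insensitively; the trailing dot is not significant."""
    return name.lower().rstrip(".")

def parse_private_key(filename, body):
    """Return (name, algorithm, secret) from a K<name>.+<alg>+<id>.private file."""
    m = re.fullmatch(r"K(.+)\.\+(\d{3})\+\d+\.private", PurePosixPath(filename).name)
    if not m:
        raise ValueError(f"not a dnssec-keygen private key file name: {filename}")
    fields = dict(re.findall(r"^([\w-]+):\s*(.+?)\s*$", body, re.MULTILINE))
    return normalize(m.group(1)), TSIG_ALGORITHMS[int(m.group(2))], fields["Key"]

def parse_named_keys(conf):
    """Return {name: (algorithm, secret)} for every key statement in named.conf text."""
    pat = re.compile(r'\bkey\s+"?([^"\s{]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                     r'\s*secret\s+"([^"]+)"\s*;\s*\}', re.IGNORECASE)
    return {normalize(n): (a.lower(), s) for n, a, s in pat.findall(conf)}

def diagnose(key_file, key_body, conf):
    """Predict named's TSIG verdict for 'nsupdate -k key_file' against this config."""
    name, alg, secret = parse_private_key(key_file, key_body)
    keys = parse_named_keys(conf)
    if name not in keys:  # named looks the key up by the name in the TSIG RR: BADKEY
        same = [n for n, v in keys.items() if v == (alg, secret)]
        hint = f" (key {same[0]!r} has the same secret under another name)" if same else ""
        return f"BADKEY: no key statement named {name!r} in named.conf{hint}"
    if keys[name][0] != alg:
        return f"BADKEY: key {name!r} is {keys[name][0]} in named.conf, {alg} in the key file"
    if keys[name][1] != secret:
        return f"BADSIG: key {name!r} exists but its secret differs from the key file"
    return "OK: name, algorithm and secret match"

# Constructed sample input mirroring the question: the key file is named after the zone,
# but named.conf only knows that secret as "rndc-key" (placeholder secret, not a real one).
KEY_FILE = "Kdomain2.com.au.+157+35454.private"
KEY_BODY = "Private-key-format: v1.3\nAlgorithm: 157 (HMAC_MD5)\nKey: c2VjcmV0LWZvci1kZW1v\nBits: AAA=\n"
NAMED_CONF = '''key "rndc-key" { algorithm hmac-md5; secret "c2VjcmV0LWZvci1kZW1v"; };
zone "domain2.com.au" { type master; allow-update { key "rndc-key"; }; };'''
FIXED_CONF = NAMED_CONF.replace('"rndc-key"', '"domain2.com.au"')  # the fix from the answer

if __name__ == "__main__":
    print(diagnose(KEY_FILE, KEY_BODY, NAMED_CONF))
    print(diagnose(KEY_FILE, KEY_BODY, FIXED_CONF))
```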