I believe that I've RTFM'd as much as possible, but something is
escaping me.
I have generated a key using the following:
dnssec-keygen -a hmac-md5 -b 128 -n HOST ns.ABS-CompTech.com
which creates a key and a private file:
ls K*
Kns.abs-comptech.com.+157+14572.key Kns.abs-comptech.com.+157+14572.private
Which have the following contents:
more K*
::::::::::::::
Kns.abs-comptech.com.+157+14572.key
::::::::::::::
ns.ABS-CompTech.com. IN KEY 512 3 157 Dal4ei7dnB3vJwAJ1SYd2Q==
::::::::::::::
Kns.abs-comptech.com.+157+14572.private
::::::::::::::
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: Dal4ei7dnB3vJwAJ1SYd2Q==
My named.conf file contains the following paragraphs:
// the TSIG key generated by nsupdate
key keyname2 {
algorithm hmac-md5;
secret Dal4ei7dnB3vJwAJ1SYd2Q==;
};
as well as:
zone "ftroop.com" {
type master;
file "run/named.ftroop.com";
allow-transfer{
192.168.99.3;
66.93.61.157;
};
// allow-update{ localhost; };
// update-policy{ grant keyname2 subdomain ftroop.com; };
allow-update{ key keyname2; };
};
The problem is that the use of the keyname appears to not work. I can
update without a key (using the allow-update clause), but not with a
keyname (neither the update-policy nor allow-update statements function).
nsupdate -d -v -k ./Kns.abs-comptech.com.+157+14572.private
Creating key...
>>
>> update delete mail2.ftroop.com. A
>>
>
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24208
;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mail2.ftroop.com. IN SOA
;; AUTHORITY SECTION:
ftroop.com. 86400 IN SOA ns.ABS-CompTech.com.
root.ns.ABS-CompTech.com. 2003082602 10800 3600 3600000 86400
Found zone name: ftroop.com
The master is: ns.ABS-CompTech.com
before getaddrinfo()
; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 50718
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
ns.abs-comptech.com. 0 ANY TSIG hmac-md5.sig-alg.reg.int.
1061997129 300 0 50718 BADKEY 0
>>
>
>
Any Suggestions?
Could this be due to the use of mixed case in the ns.ABS-CompTech.com
hostname? Is it because dnssec-keygen used hmac-md5 and the TSIG is
comparing it to hmac-md5.sig-alg.reg.int.?
TIA
--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
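Added example (not code from the post or from BIND): a small Python checker that compares the client's dnssec-keygen K*.key record with the key { } blocks a server loads from named.conf. A TSIG response of BADKEY (RFC 2845 rcode 17) means the server found no key configured under the name carried in the request's TSIG record, so the checker looks a key up the same way the server does, by DNS name (case-insensitive, trailing dot ignored), and only then compares algorithm and secret, a secret mismatch being what produces BADSIG instead. The function and variable names (check_tsig_config, parse_key_file, parse_named_keys, ALG_ALIASES) are assumptions for this example; the sample inputs are the key record and the key block quoted in the post above.

```python
import re
import base64

# Sample inputs, constructed from the post: the dnssec-keygen .key record
# and the key block from named.conf.
KEY_FILE = "ns.ABS-CompTech.com. IN KEY 512 3 157 Dal4ei7dnB3vJwAJ1SYd2Q==\n"
NAMED_CONF = """
// the TSIG key generated by nsupdate
key keyname2 {
algorithm hmac-md5;
secret Dal4ei7dnB3vJwAJ1SYd2Q==;
};
"""

# Identifiers that name the same HMAC. BIND's "hmac-md5" is sent on the
# wire under its registry name hmac-md5.sig-alg.reg.int; 157 is the
# algorithm number dnssec-keygen writes into the KEY record.
ALG_ALIASES = {
    "hmac-md5": "hmac-md5",
    "hmac-md5.sig-alg.reg.int": "hmac-md5",
    "157": "hmac-md5",
}


def canon_name(name):
    """TSIG key names are DNS names: compare case-insensitively, without the trailing dot."""
    return name.rstrip(".").lower()


def canon_alg(alg):
    return ALG_ALIASES.get(alg.rstrip(".").lower(), alg.lower())


def parse_key_file(text):
    """Parse the single record line of a dnssec-keygen K*.key file."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[1] == "IN" and fields[2] == "KEY":
            name, alg, secret = fields[0], fields[5], fields[6]
            base64.b64decode(secret, validate=True)  # raises if the secret is not base64
            return {"name": canon_name(name), "algorithm": canon_alg(alg), "secret": secret}
    raise ValueError("no KEY record found in key file")


# key NAME { algorithm X; secret Y; };  (quotes around NAME and Y optional)
KEY_BLOCK = re.compile(
    r'key\s+"?([^\s"{]+)"?\s*\{\s*algorithm\s+([^;]+);\s*secret\s+"?([^;"]+)"?\s*;\s*\}',
    re.IGNORECASE | re.DOTALL,
)


def parse_named_keys(text):
    """Return {canonical key name: {algorithm, secret}} for every key block in named.conf."""
    keys = {}
    for name, alg, secret in KEY_BLOCK.findall(text):
        keys[canon_name(name)] = {"algorithm": canon_alg(alg.strip()), "secret": secret.strip()}
    return keys


def check_tsig_config(key_file_text, named_conf_text):
    """Report whether a server loading named_conf_text would accept an update
    signed with the key in key_file_text. Returns (ok, explanation)."""
    client = parse_key_file(key_file_text)
    server_keys = parse_named_keys(named_conf_text)
    server = server_keys.get(client["name"])
    if server is None:
        # The server looks the key up by the name in the TSIG record; no match -> BADKEY.
        return False, (f"no key block named {client['name']!r}; server knows "
                       f"{sorted(server_keys)} -> expect BADKEY")
    if server["algorithm"] != client["algorithm"]:
        return False, "algorithm mismatch for that key name -> expect BADKEY"
    if server["secret"] != client["secret"]:
        return False, "secret mismatch for that key name -> expect BADSIG"
    return True, "key name, algorithm and secret agree"


if __name__ == "__main__":
    ok, why = check_tsig_config(KEY_FILE, NAMED_CONF)
    print("OK" if ok else "MISMATCH", "-", why)
```

Run against the post's own inputs the checker reports a name mismatch (the client signs as ns.abs-comptech.com, the server only knows keyname2), which is the BADKEY case; renaming the key block to the name in the .key file makes the check pass, and keeping the name but changing the secret moves the expected failure to BADSIG.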