I don't claim to be a crypto expert, but I thought keys of type "ZONE"
were only for the whole DNSSEC shebang (KEY/DNSKEY records, etc.). The
dhcp.conf man page example uses a "USER" key type, and I've always used
a "HOST" key type. Have you tried either of those?


- Kevin

Kamus of Kadizhar wrote:

>I know this has probably been discussed to death, so my apologies if I
>missed it in the archives....
>
>I just set up a new server. It's set up using Fedora Core 2.
>
>I am running bind 9.2.3 (BIND 9.2.3 -u named -t /var/named/chroot) and
>dhcpd V3.0.1rc14.
>
>I've been through my entire TSIG configuration; when a client is assigned
>a lease, I get:
>
>Oct 21 10:19:51 kahn dhcpd: Unable to add forward map from tnd-253.tnd.lan
>to 192.168.141.253: invalid TSIG key
>
>I have a similar set up with an older bind/dhcpd combination that works
>just fine. I set this one up identical to the old one; no joy.
>
>I recreated the keys
>
>dnssec-keygen -a HMAC-MD5 -b 128 -p 3 -n ZONE kahn.tnd.lan; no joy.
>
>I've tried the default keygen command from the dhcpd.conf manpage; no joy.
>
>I've been through a couple of FAQs on the web and I've checked my setup;
>it is as similar as I can make it, no joy. The only difference is that
>the old setup is not running chrooted bind; this one is. Does this make
>any difference to TSIG?
>
>named.conf:
>
>key kahn.tnd.lan {
> algorithm hmac-md5 ;
> secret "" ;
> } ;
>
>zone "tnd.lan"{
> type master;
> file "tnd.hosts";
> allow-update { key kahn.tnd.lan ; };
>};
>
>zone "141.168.192.in-addr.arpa"{
> type master;
> file "tnd.hosts.rev";
> allow-update { key kahn.tnd.lan ; };
>};
>
>dhcpd.conf:
>
>ddns-update-style interim;
>
>key kahn.tnd.lan {
> algorithm hmac-md5 ;
> secret "" ;
> }
>
>zone tnd.lan. {
> key kahn.tnd.lan ;
> }
>
>zone 141.168.192.in-addr.arpa. {
> key kahn.tnd.lan ;
> }
>
>Can anyone give me some pointers on where to look? I can't for the life
>of me figure out what I'm doing wrong....
>
>Thanks,
>
>--Kamus
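
An added example, not part of this thread: a small Python check (my own helper, not anything shipped with BIND or dhcpd) that parses the key stanzas from a named.conf and a dhcpd.conf and reports the mismatches that produce "invalid TSIG key": a key defined on only one side, a different algorithm or secret, an empty secret, or a zone that references a key that was never defined. The sample configs and secrets below are constructed placeholders.

```python
import re

# Constructed sample configs (placeholder secrets, not the poster's). BIND accepts dhcpd's
# signed updates only if both sides define the same key name, algorithm and secret.
NAMED_CONF = """
key kahn.tnd.lan {
 algorithm hmac-md5 ;
 secret "c2VjcmV0LWEtcGxhY2Vob2xkZXI=" ;
 } ;
zone "tnd.lan" { type master; file "tnd.hosts"; allow-update { key kahn.tnd.lan ; }; };
"""
DHCPD_CONF = """
ddns-update-style interim;
key kahn.tnd.lan. {
 algorithm HMAC-MD5 ;
 secret "c2VjcmV0LWItcGxhY2Vob2xkZXI=" ;
 }
zone tnd.lan. { key kahn.tnd.lan ; }
zone 141.168.192.in-addr.arpa. { key other.tnd.lan ; }
"""

# key NAME { algorithm ALG ; secret "..." ; }   (the ';' BIND puts after '}' is optional here)
KEY_DEF = re.compile(r'\bkey\s+"?([\w.\-]+)"?\s*\{\s*algorithm\s+([\w.\-]+)\s*;'
                     r'\s*secret\s+"([^"]*)"\s*;\s*\}', re.I)
# key NAME ;   as written inside allow-update { } and dhcpd zone { } blocks
KEY_REF = re.compile(r'\bkey\s+"?([\w.\-]+)"?\s*;', re.I)

def norm(name):
    """Key names and algorithm names are DNS-style: case-insensitive, trailing dot ignored."""
    return name.lower().rstrip(".")
def parse_keys(text):
    """Return {name: (algorithm, secret)} for every key stanza in a named.conf or dhcpd.conf."""
    return {norm(m.group(1)): (norm(m.group(2)), m.group(3)) for m in KEY_DEF.finditer(text)}
def check_tsig_keys(named_text, dhcpd_text):
    """List every mismatch that would make BIND reject dhcpd's TSIG-signed updates."""
    named, dhcpd = parse_keys(named_text), parse_keys(dhcpd_text)
    problems = []
    for name in sorted(set(named) | set(dhcpd)):
        if name not in named or name not in dhcpd:
            problems.append(f"{name}: not defined in {'named.conf' if name not in named else 'dhcpd.conf'}")
            continue
        (n_alg, n_sec), (d_alg, d_sec) = named[name], dhcpd[name]
        if n_alg != d_alg: problems.append(f"{name}: algorithm differs ({n_alg} vs {d_alg})")
        if n_sec != d_sec: problems.append(f"{name}: secret differs")
        if not n_sec: problems.append(f"{name}: secret is empty")
    for src, text, defined in (("named.conf", named_text, named), ("dhcpd.conf", dhcpd_text, dhcpd)):
        for ref in KEY_REF.findall(text):  # every "key NAME ;" reference must name a defined key
            if norm(ref) not in defined: problems.append(f"{src} references undefined key {norm(ref)}")
    return problems
```

Run it against the real files (read them in and pass the text) after confirming with named-checkconf that the named.conf parses; a key that matches on both sides but still fails usually points at the secret having been regenerated on one side only.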