> I've been through a couple of FAQs on the web and I've checked my setup;
> it is as similar as I can make it, no joy. The only difference is that
> the old setup is not running chrooted bind; this one is. Does this make
> any difference to TSIG?

Unless you keep your keys in files outside the chroot, I don't
see how that would affect TSIG-behaviour.

I think your problem is more like this: To be able to use TSIG-keys,
you have to tell BIND not only about the key and what might be done
using the key (like DDNS-Updates), but you have to create an entry
of the following form for each machine that is to use TSIG:

server <address-of-the-other-machine> {
    keys { kahn.tnd.lan; };
};

Remember that not only the key's secret but also the *name* of the key has to be the same
on all machines that are to use it.

Kind regards,
Benjamin Walkenhorst
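
Added example, not part of the original message: a small Python check that two named.conf fragments agree on the points raised above (a server statement with keys on each side, and the same key name and secret on both). The addresses, the algorithm and the dummy secret are constructed placeholders, and the regex parser only handles simple statements like these, with no comments or include files.

```python
import re

# Constructed sample configs (not from the original post). Addresses are
# documentation-range placeholders; the secret is a dummy value.
HOST_A = '''
key "kahn.tnd.lan" { algorithm hmac-sha256; secret "ZHVtbXktc2VjcmV0LW5vdC1yZWFs"; };
server 192.0.2.2 { keys { kahn.tnd.lan; }; };
'''
HOST_B_BAD = '''
key "kahn" { algorithm hmac-sha256; secret "ZHVtbXktc2VjcmV0LW5vdC1yZWFs"; };
server 192.0.2.1 { keys { kahn; }; };
'''
HOST_B_GOOD = HOST_B_BAD.replace('kahn;', 'kahn.tnd.lan;').replace('"kahn"', '"kahn.tnd.lan"')

KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+);\s*secret\s+"([^"]+)";\s*\}', re.I)
SERVER_RE = re.compile(r'\bserver\s+([\w.:/]+)\s*\{[^{}]*keys\s*\{\s*"?([\w.-]+)"?;\s*\}', re.I)

def parse(conf):
    """Return ({key name: (algorithm, secret)}, {server address: key name})."""
    norm = lambda n: n.lower().rstrip('.')   # key names are domain names
    keys = {norm(n): (alg.lower(), sec) for n, alg, sec in KEY_RE.findall(conf)}
    servers = {addr: norm(k) for addr, k in SERVER_RE.findall(conf)}
    return keys, servers

def check_pair(conf_a, addr_a, conf_b, addr_b):
    """Return a list of problems for TSIG between host A and host B."""
    problems = []
    (keys_a, srv_a), (keys_b, srv_b) = parse(conf_a), parse(conf_b)
    name_a, name_b = srv_a.get(addr_b), srv_b.get(addr_a)
    if name_a is None:
        problems.append(f"A has no server statement with keys for {addr_b}")
    if name_b is None:
        problems.append(f"B has no server statement with keys for {addr_a}")
    for side, name, keys in (("A", name_a, keys_a), ("B", name_b, keys_b)):
        if name is not None and name not in keys:
            problems.append(f"{side} references undefined key {name}")
    if name_a and name_b:
        if name_a != name_b:
            problems.append(f"key name differs: {name_a} vs {name_b}")
        elif keys_a.get(name_a) != keys_b.get(name_b):
            problems.append("algorithm or secret differs for " + name_a)
    return problems

if __name__ == "__main__":
    print(check_pair(HOST_A, "192.0.2.1", HOST_B_BAD, "192.0.2.2"))
```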