to one of our own nameservers (running bind 9.2).
Analyzing the traffic between the router and the nameserver shows that the router
is sending a TSIG signed UPDATE query signed with HMAC-MD5. That's fine, because
that's exactly what our bind server is expecting, but I'm having problems getting our
bind server to accept the TSIG key from the MikroTik device.
Sending the update with the nsupdate program that comes with bind works just fine.
Here is what I'm doing with nsupdate:

nsupdate -k Ktest.tmr-vpn.net.+157+21943.private -v update.txt

where the key file looks like this

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: MXiaoTeY6RvdycbeINzm4Wj2qW7Ikamn2iI80+vhIxHD6D8DUWu7JsOmEG6o1nR/DHjrOGeUq5/Hqz9cA6Io5g==

and the nsupdate command file looks like this

server xx.yy.tmr.net
zone tmr-vpn.net
update delete test.tmr-vpn.net. A
update add test.tmr-vpn.net. 86400 A 22.214.171.124
show
send

and this works just fine. Now I'm trying to do exactly the same update from the MikroTik router, so I did this

/tool dns-update zone=tmr-vpn.net dns-server=x.y.z.z \
    name=test address=126.96.36.199 \
    key-name=test.tmr-vpn.net \
    key="MXiaoTeY6RvdycbeINzm4Wj2qW7Ikamn2iI80+vhIxHD6D8DUWu7JsOmEG6o1nR/DHjrOGeUq5/Hqz9cA6Io5g=="

but the bind server always rejects the update with an error saying that the key is bad.
What am I doing wrong? Do I need to specify the key in some other format or something?
In addition, I noticed that the update that is sent from the MikroTik router to the DNS server
does not delete the A record prior to sending the (maybe) new one. That's no problem as
long as the address remains the same (but then, what's the point of the update), but as soon
as the address in the update differs from the one that is already stored in bind's zone for the
client, then this would add an additional A record for the same client, and so on...
So how is this supposed to work?
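To make the "key is bad" rejection concrete, here is an added example (not code from the post, and not BIND's or RouterOS's own implementation) that signs a minimal DNS UPDATE with TSIG/HMAC-MD5 as RFC 2845 describes and then performs the checks a server makes: it looks the key up by the name carried in the TSIG RR, recomputes the MAC with the base64-decoded secret, and checks the time against the fudge window. The zone and key names are the ones from the post; the secret, the 192.0.2.x address and the timestamp are constructed for the demo, and the message builder covers only the one-record UPDATE shape shown above.

```python
"""Added example (not from the forum post): RFC 2845 TSIG/HMAC-MD5 signing of a DNS
UPDATE and the server-side check, so the different reasons a server rejects a
'bad key' are visible. Names, secrets and addresses are constructed; stdlib only."""
import base64
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY = 250, 255
ALG_HMAC_MD5 = "hmac-md5.sig-alg.reg.int."

def encode_name(name):
    """Canonical (lower-cased, uncompressed) wire form of a DNS name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(buf, off):
    """Return (dotted name, offset past it). Uncompressed names only, as built here."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_update(zone, rr_name, ttl, ipv4, msg_id=0x1234):
    """Minimal DNS UPDATE (opcode 5): one zone entry, one 'add A record' update."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)   # ZO=1 PR=0 UP=1 AD=0
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)         # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    return header + zone_sec + encode_name(rr_name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata

def compute_mac(msg, key_name, secret_b64, time_signed, fudge):
    """HMAC-MD5 over (unsigned message || TSIG variables, RFC 2845 3.4.2), keyed with the DECODED secret."""
    variables = (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)   # class ANY, TTL 0
                 + encode_name(ALG_HMAC_MD5)
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
                 + struct.pack("!HHH", fudge, 0, 0))                        # error 0, no other data
    return hmac.new(base64.b64decode(secret_b64), msg + variables, hashlib.md5).digest()

def sign_update(msg, key_name, secret_b64, time_signed, fudge=300):
    """Client side: append the TSIG RR to the additional section and bump ADCOUNT."""
    mac = compute_mac(msg, key_name, secret_b64, time_signed, fudge)
    rdata = (encode_name(ALG_HMAC_MD5)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))                   # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    adcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", adcount) + msg[12:] + rr

def verify_update(signed, server_keys, now):
    """Server side. server_keys maps key name -> base64 secret (what a named.conf 'key'
    statement holds). Returns 'NOERROR' or the RFC 2845 TSIG error name."""
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    if ad == 0:
        return "UNSIGNED"
    off = 12
    for _ in range(zo):
        off = read_name(signed, off)[1] + 4
    for _ in range(pr + up + ad - 1):                # skip every RR except the last (TSIG)
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    key_name, p = read_name(signed, off)
    if struct.unpack("!H", signed[p:p + 2])[0] != TSIG_TYPE:
        return "UNSIGNED"
    alg, p = read_name(signed, p + 10)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[p:p + 10])
    time_signed, mac = (hi << 32) | lo, signed[p + 10:p + 10 + mac_len]
    # The message the client digested: TSIG RR removed and ADCOUNT decremented.
    unsigned = signed[:10] + struct.pack("!H", ad - 1) + signed[12:off]
    secret = server_keys.get(key_name.lower())
    if secret is None or alg.lower() != ALG_HMAC_MD5:
        return "BADKEY"                               # key name or algorithm unknown to the server
    if not hmac.compare_digest(mac, compute_mac(unsigned, key_name, secret, time_signed, fudge)):
        return "BADSIG"                               # name known, but the secret bytes differ
    if abs(now - time_signed) > fudge:
        return "BADTIME"                              # clocks differ by more than the fudge
    return "NOERROR"

def demo():
    """The same update signed four ways: only the key name, secret or clock changes."""
    secret = base64.b64encode(bytes(range(32))).decode()            # constructed secret
    wrong = base64.b64encode(bytes(range(32, 64))).decode()         # constructed, differs
    msg = build_update("tmr-vpn.net.", "test.tmr-vpn.net.", 86400, "192.0.2.10")
    now, keys = 1_000_000_000, {"test.tmr-vpn.net.": secret}        # server's configured key
    return (verify_update(sign_update(msg, "test.tmr-vpn.net.", secret, now), keys, now),
            verify_update(sign_update(msg, "router.tmr-vpn.net.", secret, now), keys, now),
            verify_update(sign_update(msg, "test.tmr-vpn.net.", wrong, now), keys, now),
            verify_update(sign_update(msg, "test.tmr-vpn.net.", secret, now - 3600), keys, now))
```

`demo()` returns `("NOERROR", "BADKEY", "BADSIG", "BADTIME")`: the first update passes, the second uses a key name the server has not configured, the third uses the right name with different secret bytes, and the fourth is signed with a clock an hour off. When comparing a working nsupdate run with a rejected one, those are the three things worth checking in the capture and in the server configuration: the owner name of the TSIG RR against the name in the server's key statement, the base64 secret (the `Key:` line of the key file) character for character, and the two hosts' clocks.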