[Dnssec-deployment] Dynamic nsupdate errors?

Tim Tyler tyler at beloit.edu
Tue Jun 7 09:38:04 EDT 2011

  Yes, when I investigated a little more, I noticed that I may have
duplicated the process for creating the signing key and missed the
parameter for creating the dynamic update key.  I am going to start over
and be extra careful with my parameters.  Thanks!

-----Original Message-----
From: Edward Lewis [mailto:Ed.Lewis at neustar.biz]
Sent: Tuesday, June 07, 2011 7:03 AM
To: owens at nysernet.org
Cc: Tim Tyler; dnssec-deployment at dnssec-deployment.org
Subject: Re: [Dnssec-deployment] Dynamic nsupdate errors?

At 19:00 -0400 6/6/11, Bill Owens wrote:
>I think that's one of your DNSKEYs, for signing the zone. For nsupdate,
>you need to use a TSIG key or SIG(0) key.

Right, you are adding the "wrong" key to the nsupdate.

There are two kinds of keying material associated with DNS.  The
public-private keys that DNSSEC uses are entirely different than the
shared-secret keys that TSIG uses.  (I'm not bothering to cover TKEY or

The DNSSEC public-private keys are used this way.  The public key is put
into the zone, and is in the DNSKEY record.  The private key is, when you
are using dynamic update for a signed zone, placed somewhere that the
server can find the file.  "Somewhere" is a designated directory depending
on local configuration.  (I know BIND, not Redhat, ... that may determine
where "somewhere" is.)

The TSIG keys are for pair-wise (client to server and vice-versa)
security.  An dynamic update client (nsupdate) and a dynamic update server
(BIND) can use this to cryptographically checksum the DNS messages they
exchange.  The BIND server can use this checksum to authorize actions
(like allow dynamic updates) requested by the client.

TSIG is also useful for protecting XFR (Notify/AXFR/IXFR).  There are
alternate ways to secure that flow, I'm just saying TSIG is an option for
that too.

TSIG and DNSSEC are orthogonal.  You can have a signed dynamic update zone
that does not use TSIG.  You can use TSIG without signing the zone.  (This
is why when describing DNSSEC, TSIG is usually omitted, although TSIG was
developed at the same time as DNSSEC and pretty much by the same people,
the two are separable features.)

Edward Lewis
NeuStar                    You can leave a voice message at

Now, don't say I'm always complaining.
Wait, that's a complaint, isn't it?

More information about the Dnssec-deployment mailing list