DNS-01 with FreeBSD 11.2 + bind rfc2136 hanging

_az and others,

To try to get this resolved I have done considerable DNS configuration cleanup to try to get to the bottom of the problem. To this end I have been doing some initial testing with nsupdate.

I am getting a “322 BADKEY 0” failure with nsupdate …

Here is the log of the nsupdate test:

<TEST>
root@inside:/usr/local/etc/namedb # nsupdate -y hmac-sha512:tsig-key.in.graphica.com.au.:SkBsA8Tcse/ZQt0jwRc0CMXO0cn5FwyuCrB4GxrwBGeDVyq2oNS4eQMyIc1pGfPrDCGyluwnldb104azXjlgog== -v test-nsupdate-01.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; UPDATE SECTION:
_acme-challenge.in.graphica.com.au. 0 NONE TXT "placeholder"
_acme-challenge.in.graphica.com.au. 10800 IN TXT "globber"
Sending update to 203.32.223.140#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 29322
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; UPDATE SECTION:
_acme-challenge.in.graphica.com.au. 0 NONE TXT "placeholder"
_acme-challenge.in.graphica.com.au. 10800 IN TXT "globber"
;; TSIG PSEUDOSECTION:
tsig-key.in.graphica.com.au. 0 ANY TSIG hmac-sha512. 1570878747 300 64 KFyqqDH8neLUVkFyAi5XhdVkX59jTomDZ73gWHWIYlezy+HVgcApsNNC FhigCGjCyMzGsPVPQ4Kx9BsMG7PgNA== 29322 NOERROR 0
; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 29322
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; TSIG PSEUDOSECTION:
tsig-key.in.graphica.com.au. 0 ANY TSIG hmac-sha512. 1570878747 300 0 29322 BADKEY 0
<END>

Here are the contents of the update request file:

<CONTENTS>
server 203.32.223.140
debug yes
zone in.graphica.com.au.
update delete _acme-challenge.in.graphica.com.au. 10800 IN TXT "placeholder"
update add _acme-challenge.in.graphica.com.au. 10800 IN TXT "globber"
show
send
<END OF CONTENT>

Looking at the log, it looks like the secret I am putting in via the command line is different from what is reported in the TSIG PSEUDOSECTION.

Here is my named.conf section:

<SECTION>
#include "/usr/local/etc/namedb/tsig-key.in.graphica.com.au.key"
zone "in.graphica.com.au" {
    type master;
    file "/usr/local/etc/namedb/dynamic/db.in.graphica.com.au";
    allow-transfer {
        203.11.73.20;
        203.11.73.5;
    };
    update-policy {
        grant tsig-key.in.graphica.com.au. name _acme-challenge.in.graphica.com.au. txt;
    };
    allow-query {
        any;
    };
};
<END SECTION>

Any help would be appreciated. Thank you.

Ze Spring
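The TSIG exchange in the post, as an added example (not code from the original post or from BIND) written in Python with only the standard library. It builds the same RFC 2136 UPDATE message (ZONE in.graphica.com.au., delete TXT "placeholder", add TXT "globber"), signs it per RFC 8945 with HMAC-SHA512, and then runs the server-side check in the order the RFC prescribes: key name lookup first, MAC second, time third. Two facts worth seeing in code: the base64 blob in the TSIG pseudosection is the HMAC over the message plus the TSIG variables, never the secret itself, so it is expected to differ from the key; and BADKEY is what a server answers when it has no key configured under that name, before it even compares the MAC (a wrong secret gives BADSIG instead). The 64-byte secret and the key table contents are constructed for the example; the message id and names are taken from the post.

```python
"""TSIG (RFC 8945) signing and server-side verification of a DNS UPDATE.
Added example, not the poster's or BIND's code; the secret is constructed."""
import hashlib
import hmac
import struct

ALG = "hmac-sha512."
NOERROR, BADSIG, BADKEY, BADTIME = 0, 16, 17, 18   # TSIG error values, RFC 8945
ERROR_NAMES = {NOERROR: "NOERROR", BADSIG: "BADSIG", BADKEY: "BADKEY", BADTIME: "BADTIME"}
CLASS_IN, CLASS_NONE, CLASS_ANY, TYPE_SOA, TYPE_TXT = 1, 254, 255, 6, 16


def wire_name(name):
    """Uncompressed, lower-cased wire form of a domain name (canonical form used by TSIG)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def txt_rdata(text):
    """TXT RDATA: a single length-prefixed character-string."""
    data = text.encode("ascii")
    return bytes([len(data)]) + data


def update_message(msg_id, zone, updates):
    """Minimal RFC 2136 UPDATE: header, one ZONE entry (SOA), then the UPDATE RRs.
    updates is a list of (owner, ttl, rclass, rdata); every RR here is type TXT."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, len(updates), 0)  # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rrs = b"".join(wire_name(o) + struct.pack("!HHIH", TYPE_TXT, c, ttl, len(rd)) + rd
                   for o, ttl, c, rd in updates)
    return header + zone_section + rrs


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The TSIG variables appended to the message before hashing (RFC 8945 section 4.3.3)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, keyname, secret, time_signed, fudge=300):
    """Client side: MAC = HMAC-SHA512(secret, message || TSIG variables).
    Only this MAC goes on the wire (the base64 in the TSIG pseudosection), never the secret."""
    data = message + tsig_variables(keyname, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha512).digest()


def tsig_verify(message, keyname, mac, time_signed, fudge, keys, now):
    """Server side in RFC 8945 section 5.2 order: key lookup, MAC, time.
    keys maps canonical key names to secrets, i.e. what named loaded from key {} statements."""
    secret = keys.get(keyname.lower().rstrip(".") + ".")
    if secret is None:
        return BADKEY       # no key of that name configured; the MAC is not examined at all
    expected = hmac.new(secret, message + tsig_variables(keyname, time_signed, fudge),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(expected, mac):
        return BADSIG       # key name known, but a different secret or a modified message
    if abs(now - time_signed) > fudge:
        return BADTIME
    return NOERROR


def demo(now=1570878747):
    """Sign the UPDATE from the post once, then verify it against four server key tables."""
    secret = bytes(range(64))   # constructed 64-byte secret; a real one comes from tsig-keygen
    keyname = "tsig-key.in.graphica.com.au."
    msg = update_message(29322, "in.graphica.com.au.", [
        ("_acme-challenge.in.graphica.com.au.", 0, CLASS_NONE, txt_rdata("placeholder")),
        ("_acme-challenge.in.graphica.com.au.", 10800, CLASS_IN, txt_rdata("globber")),
    ])
    mac = tsig_sign(msg, keyname, secret, now)
    cases = {                                   # (server key table, server clock)
        "key_not_loaded": ({}, now),            # key statement never reached named
        "wrong_secret": ({keyname: bytes(64)}, now),
        "clock_skew": ({keyname: secret}, now + 3600),
        "ok": ({keyname: secret}, now),
    }
    return {name: ERROR_NAMES[tsig_verify(msg, keyname, mac, now, 300, keys, server_now)]
            for name, (keys, server_now) in cases.items()}


if __name__ == "__main__":
    print(demo())
```

Two practical checks follow from this. `named-checkconf -p` prints the configuration as named actually parsed it, so it shows whether a `key` statement with the expected name is present at all (in named.conf a line beginning with `#` is a comment, so a commented-out `include` contributes nothing). And `nsupdate -k /path/to/key.file` reads the secret from a file instead of `-y`, which keeps it out of the process list and shell history.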