2

I'm working with dnspython, attempting to perform updates against a BIND9 server; however, I keep getting a Bad Key response (“tsig verify failure (BADKEY)”). When I use nsupdate, the key works just fine. Is there anyone who has successfully implemented dnspython to perform dynamic updates against BIND DNS?

Here is a GIST with all code and errors: https://gist.github.com/anonymous/0afc800ef0615aa7c1219ec25c032eef

Vance84

1 Answer

4

I had to use the keyalgorithm parameter to the update.Update function, as well as import the specific algorithm from the dns.tsig module:

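```python
from dns import query, update, tsigkeyring
from dns.tsig import HMAC_SHA256

key = 'EQSVvuA/KMAa/0ugdBBLqjxgP+o5rI7y8JoJbOICpJM='
bindhost = '192.168.56.10'
ip = '192.168.56.10'

# The key name must match the name of the key configured on the BIND server.
keyring = tsigkeyring.from_text({
    'test.local': key
})

# keyalgorithm must match the algorithm configured for this key on the server.
# The message is named upd so the dns.update module is not shadowed.
upd = update.Update('test.local.', keyring=keyring, keyalgorithm=HMAC_SHA256)
upd.replace('abc', 300, 'A', ip)

response = query.tcp(upd, bindhost, timeout=10)
```
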
Vance84
  • That you had to import the algorithm is probably because of how you did the previous imports. This is how I did the same - but without that extra import: https://stackoverflow.com/a/47985135/1399595 – Leo Dec 30 '17 at 17:05
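
A BIND key clause names the algorithm alongside the secret, and that algorithm is the value the `keyalgorithm` argument in the answer has to agree with. The following is an added example, not code from the question, the answer or dnspython: a standard-library parser that extracts name, algorithm and secret from key clauses and flags legacy or undersized keys. `parse_tsig_keys` is a hypothetical helper, and `SAMPLE_CONF` is constructed (it pairs the answer's key with an assumed hmac-sha256 clause).

```python
import base64
import re

# Digest sizes in bytes for the HMAC algorithms BIND accepts in a key clause.
# Truncated forms such as hmac-sha1-80 are not handled and are reported as unknown.
DIGEST_BYTES = {
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}
KEY_CLAUSE = re.compile(
    r'\bkey\s+"?(?P<name>[^\s"{]+)"?\s*\{(?P<body>[^}]*)\}\s*;', re.I)
FIELD = re.compile(r'(algorithm|secret)\s+"?([^\s";]+)"?\s*;', re.I)


def parse_tsig_keys(conf_text):
    """Return {key_name: {"algorithm", "secret", "warnings"}} for each key clause."""
    keys = {}
    for clause in KEY_CLAUSE.finditer(conf_text):
        fields = {k.lower(): v for k, v in FIELD.findall(clause.group("body"))}
        algorithm = fields.get("algorithm", "").lower()
        secret = fields.get("secret", "")
        warnings = []
        if algorithm not in DIGEST_BYTES:
            warnings.append("unknown or missing algorithm")
        try:
            raw = base64.b64decode(secret, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
            warnings.append("secret is not valid base64")
        if algorithm in ("hmac-md5", "hmac-sha1"):
            warnings.append("legacy HMAC algorithm")
        # RFC 2104 advises keys at least as long as the HMAC output.
        if raw and algorithm in DIGEST_BYTES and len(raw) < DIGEST_BYTES[algorithm]:
            warnings.append("secret shorter than digest size")
        keys[clause.group("name")] = {
            "algorithm": algorithm, "secret": secret, "warnings": warnings}
    return keys


# Constructed sample in named.conf key-clause syntax (not taken from the gist).
SAMPLE_CONF = '''
key "test.local" {
    algorithm hmac-sha256;
    secret "EQSVvuA/KMAa/0ugdBBLqjxgP+o5rI7y8JoJbOICpJM=";
};
key "old.example" { algorithm hmac-md5; secret "c2hvcnQ="; };
'''

if __name__ == "__main__":
    for name, info in parse_tsig_keys(SAMPLE_CONF).items():
        print(name, info["algorithm"], info["warnings"] or "ok")
```

Comparing the reported algorithm with the one passed as `keyalgorithm` is a quick first check when the server logs a TSIG verify failure for a key that works elsewhere.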