TSIG error with server: tsig verify failure

Hi,

I’m trying to update records with TSIG keys:

nsupdate -d
> server ns1.dynv6.com
> zone myhost.v6.rocks
> update delete myhost.v6.rocks A
> update add myhost.v6.rocks 60 A xxx.xxx.xxx.xxx
> key hmac-sha256:tsig-123.dynv6.com MySHAREDsecret==
> send
Sending update to 95.216.144.82#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   6196
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;myhost.v6.rocks.                        IN      SOA

;; UPDATE SECTION:
myhost.v6.rocks.         0       ANY     A
myhost.v6.rocks.         60      IN      A       xxx.xxx.xxx.xxx

;; TSIG PSEUDOSECTION:
tsig-123.dynv6.com.      0       ANY     TSIG    hmac-sha256. 1628541072 300 32 kvGyBB/0twqVABRreMs/YbufHjYvYAfwU5aoAykwmZs= 6196 NOERROR 0

; TSIG error with server: tsig verify failure

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTIMP, id:   6196
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;myhost.v6.rocks.                        IN      SOA

;; UPDATE SECTION:
myhost.v6.rocks.         0       ANY     A
myhost.v6.rocks.         60      IN      A       xxx.xxx.xxx.xxx

;; TSIG PSEUDOSECTION:
tsig-123.dynv6.com.      0       ANY     TSIG    hmac-sha256. 1628541072 300 32 kvGyBB/0twqVABRreMs/YbufHjYvYAfwU5aoAykwmZs= 6196 NOERROR 0

Unfortunately I get a TSIG error with server: tsig verify failure and the record isn’t updated. What am I doing wrong here?

BR

Ok, so the issue is that I have DNS over TLS (DoT) active on my whole network, i.e. all DNS requests with destination port 53 are redirected to my router which sends them encrypted to DoT nameservers on port 853 :thinking: As soon as I turn off DoT, nsupdate works as expected.

Basically I’d like to use certbot to automatically retrieve Let’s Encrypt certificates and utilize the DNS-01 challenge, hence the DNS entry updates via TSIG keys. Does anybody know if and how this can be achieved?

EDIT: I guess I’m looking for the TLS-ALPN-01 challenge then (Challenge Types - Let's Encrypt) which is currently not supported by certbot :weary:
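The two symptoms in the posts above (an UPDATE answered with NOTIMP and a "tsig verify failure") are what a transparent port-53 redirect looks like from nsupdate's side: the packet never reaches ns1.dynv6.com, the local resolver answers instead, and the reply is not a TSIG-signed answer from the zone's server. The following script is an added example, not code from the thread or from dynv6. It classifies the text that dig or nsupdate -d prints, using constructed sample replies so it runs offline; only the optional --live mode talks to the network. The NAT redirect is transparent, so the SERVER line still names 95.216.144.82, and the aa (authoritative answer) flag is the reliable tell.

```shell
#!/bin/sh
# Added example (not from the thread): tell an authoritative reply from
# ns1.dynv6.com apart from one produced by a resolver that a DoT/port-53
# redirect put in the path, based on what dig / nsupdate -d print.

# Constructed sample: `dig +norecurse @ns1.dynv6.com myhost.v6.rocks SOA`
# when the packet reaches the real authoritative server (aa set).
DIRECT_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 95.216.144.82#53(95.216.144.82)'

# Constructed sample: the same query answered by a local recursive resolver
# after the router redirected it (no aa, rd/ra instead, SERVER unchanged).
REDIRECTED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 95.216.144.82#53(95.216.144.82)'

# Constructed sample: the reply header nsupdate -d shows when the UPDATE
# lands on a resolver that does not implement opcode UPDATE (as in the post).
NOTIMP_REPLY=';; ->>HEADER<<- opcode: UPDATE, status: NOTIMP, id:   6196
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1'

# Print the rcode ("NOERROR", "NOTIMP", "REFUSED", ...) from a reply header.
reply_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Return 0 when the flags line carries aa (authoritative answer).
reply_is_authoritative() {
    printf '%s\n' "$1" | grep -E -q '^;; flags:( [a-z]+)* aa( [a-z]+)*;'
}

# Classify a reply: prints "notimp", "direct" or "redirected".
classify_reply() {
    if [ "$(reply_status "$1")" = "NOTIMP" ]; then
        echo notimp        # UPDATE answered by something that is not the zone's server
    elif reply_is_authoritative "$1"; then
        echo direct        # the query really reached ns1.dynv6.com
    else
        echo redirected    # recursive answer: a resolver sits in the path
    fi
}

# Live probe (needs network): run the same classification for real.
live_check() {
    classify_reply "$(dig +norecurse @ns1.dynv6.com myhost.v6.rocks SOA 2>&1)"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    for r in "$DIRECT_REPLY" "$REDIRECTED_REPLY" "$NOTIMP_REPLY"; do
        classify_reply "$r"
    done
fi
```

If the probe prints "redirected" while DoT is on and "direct" once port 53 to ns1.dynv6.com is exempted from the redirect, the firewall exception described later in the thread is doing its job.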

I’m using dehydrated instead of certbot on my Pi for Let’s Encrypt wildcard certs.

For dehydrated you basically just need a custom hook (GitHub - movd/dynv6-dehydrated-hook: dns-01 hook script to use dynv6.com with dehydrated (a great ACME)) and then configure dehydrated for using it with something like this:

HOOK="/opt/dehydrated-0.7.0/dynv6-hook/hook.sh"
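For readers who want to keep the TSIG/nsupdate path from the first post instead of dynv6's HTTP API, here is an added example of what such a dehydrated hook can look like. It is not the movd hook linked above and not dynv6's code. It assumes DYNV6_NS, TSIG_KEY_NAME and TSIG_SECRET are exported in the environment (the defaults are the placeholder values from the first post), that the requested domain is itself the dynv6 zone, and that dehydrated calls the hook as `hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE` and `hook.sh clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE`. The 10-second propagation wait is a guess, not a dynv6 figure.

```shell
#!/bin/sh
# Added example (not movd's hook, not dynv6 code): a dehydrated DNS-01 hook
# that publishes _acme-challenge TXT records through nsupdate with a TSIG key.
DYNV6_NS="${DYNV6_NS:-ns1.dynv6.com}"
TSIG_KEY_NAME="${TSIG_KEY_NAME:-tsig-123.dynv6.com}"   # placeholder name from the post
TSIG_SECRET="${TSIG_SECRET:-MySHAREDsecret==}"         # placeholder, not a real secret

# Emit the nsupdate script for one challenge.
#   $1 = add | delete, $2 = domain (assumed to be the dynv6 zone), $3 = token
# The key goes into the script on stdin, as in the first post, rather than
# into `nsupdate -y ...`, so the secret does not show up in `ps`.
nsupdate_script() {
    action="$1"; domain="$2"; token="$3"
    case "$action" in
        add|delete) ;;
        *) echo "nsupdate_script: unknown action '$action'" >&2; return 2 ;;
    esac
    printf 'server %s\n' "$DYNV6_NS"
    printf 'zone %s\n' "$domain"
    printf 'key hmac-sha256:%s %s\n' "$TSIG_KEY_NAME" "$TSIG_SECRET"
    if [ "$action" = add ]; then
        printf 'update add _acme-challenge.%s 60 IN TXT "%s"\n' "$domain" "$token"
    else
        # Deleting all TXT records at the name is intentional: a base-domain
        # and a wildcard challenge share _acme-challenge.<domain>.
        printf 'update delete _acme-challenge.%s TXT\n' "$domain"
    fi
    printf 'send\n'
}

# Send the update. nsupdate exits non-zero on "tsig verify failure", so an
# intercepted port 53 (see above) fails the hook instead of silently passing.
run_update() {
    nsupdate_script "$1" "$2" "$3" | nsupdate
}

# dehydrated hook entry point; stages this hook does not handle exit 0.
hook_main() {
    case "$1" in
        deploy_challenge) run_update add "$2" "$4" && sleep 10 ;;   # 10 s: assumed propagation delay
        clean_challenge)  run_update delete "$2" "$4" ;;
        *) : ;;
    esac
}

if [ $# -gt 0 ]; then
    hook_main "$@"
fi
```

Point dehydrated at it with `HOOK="/path/to/this/hook.sh"` in its config, next to the `HOOK=` line shown above, and keep the firewall exception for port 53 to ns1.dynv6.com in place while DoT is active, otherwise the UPDATE never reaches the zone's server.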

Thanks a lot for the input! I guess with dehydrated the issue would still persist though as the challenge is the same, i.e. DNS-01. I presume you do not use DNS over TLS?

However, I was able to workaround the issue by allowing outgoing DNS traffic (destination port 53) to the ns1.dynv6.com DNS server, i.e. for that specific host no redirect/NAT to my firewall/local DNS server is done and therefore no DoT.

Actually not, since I’m running an unbound resolver for my Pi-Hole and such “advanced” firewall rules don’t work with a shitty consumer FritzBox either.

Edit:
dehydrated supports TLS-ALPN as verification method but don’t know if it would work for you: dehydrated/tls-alpn.md at master · dehydrated-io/dehydrated · GitHub

My first impression was that TLS-ALPN-01 would be the solution, however, it is similar to the HTTP-01 challenge but only with TLS, i.e. one still needs to have port 443 open. Furthermore wildcard certificates are not supported with that challenge type. So DNS-01 seems the best fit for me. With the firewall exception rule for the dynv6 DNS server it seems to work just fine.

Regarding off-the-shelf routers/firewalls: I can recommend pfsense :grin: I had a Fritzbox and a Synology router and was just annoyed by them, especially the Synology one.