0.16.5 DNS RFC2136 TSIG update fails with "TSIG key required, but packet does not contain key. Sending REFUSED"

Issues
1

Issue Description

Topic

Running the new 0.16.5 but powerdns only says TSIG key required, but packet does not contain key. Sending REFUSED

Validating with nsupdate

nsupdate -v -d -y hmac-sha256:stalwart:key <<EOF
server dns-ip 53
zone domain.io
update add tsig-test.domain.io 60 TXT "tsig-works"
send
EOF

Record is set and I can query it, meaning key is active and authorized for the zone

Running config

Type: RFC2136 (TSIG)

Connection
  Hostname: dns-ip
  Port:     53
  Protocol: UDP

Authentication
  TSIG Algorithm: HMAC-SHA256
  Key Name:       stalwart
  Key Secret:
    Type: Secret value
    Secret
      Secret: *****

Timing
  Timeout:                   30 s
  TTL:                       5 m
  Polling Interval:          15 s
  Propagation Timeout:       1 m
  Initial Propagation Delay: <none>

Details
  Description: PDNS
  Tenant:      <none>

Tried a secret file just in case but no luck. Running dnsdist in front of the PDNS servers but since the nsupdate works from any client (other servers, laptop, etc) I dont think it´s a config related to dnsdist or powerdns.

Anything more I can do to debug?

Expected Behavior

TSIG working/sending keys

Actual Behavior

TSIG arrives without key

Stalwart Version

v0.16.x

Installation Method

Binary (Linux)

Database Backend

RocksDB

Blob Storage

RocksDB

Search Engine

Internal

Directory Backend

Internal

2

This was a regression and it has been fixed.

3

Hi, I’m evaluating the enterprise version and facing the same issue. Can you tell in which release this error will be fixed? I’ve installed the latest version which seems to be 0.16.5

4

I can confirm that RFC2136 dynamic DNS updates are working now :slight_smile: