DDNS suddenly failed: tsig indicates error

Hi all

I was abroad for some time. Coming back I realize that local name resolution is limited to static entries only. This >used< to work before I left, for years. I’d like to bring the functionality back again.

The very problem:

systemctl status dhcpd 
● dhcpd.service - ISC DHCPv4 Server
     Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled) 
     Active: active (running) since Thu 2022-10-13 17:19:05 CEST; 14h ago
    Process: 7297 ExecStart=/usr/lib/dhcp/dhcpd -4 start (code=exited, status=0/SUCCESS) 
   Main PID: 7474 (dhcpd) 
      Tasks: 1 (limit: 4915) 
     CGroup: /system.slice/dhcpd.service 
             └─ 7474 /usr/sbin/dhcpd -4 -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid -chroot /var/lib/dhcp -lf /db/dhcpd.leases -user dhcpd -group nogroup eth0 

Okt 14 08:11:35 intra dhcpd[7474]: **Unable to add forward map from S22-von-Luccas.mydom.lan to 192.168.23.187: tsig indicates error**
Okt 14 08:12:12 intra dhcpd[7474]: DHCPREQUEST for 192.168.23.156 from 00:26:73:79:94:d6 via eth0 
Okt 14 08:12:12 intra dhcpd[7474]: DHCPACK on 192.168.23.156 to 00:26:73:79:94:d6 via eth0 
Okt 14 08:12:30 intra dhcpd[7474]: DHCPREQUEST for 192.168.23.155 from f8:95:c7:f4:66:27 via eth0 
Okt 14 08:12:30 intra dhcpd[7474]: DHCPACK on 192.168.23.155 to f8:95:c7:f4:66:27 via eth0 
Okt 14 08:12:44 intra dhcpd[7474]: DHCPREQUEST for 192.168.23.106 from 08:02:8e:8a:fa:e2 via eth0 
Okt 14 08:12:44 intra dhcpd[7474]: DHCPACK on 192.168.23.106 to 08:02:8e:8a:fa:e2 via eth0 
Okt 14 08:12:57 intra dhcpd[7474]: DHCPREQUEST for 192.168.23.165 from 7c:d3:0a:25:9e:78 (T620B) via eth0 
Okt 14 08:12:57 intra dhcpd[7474]: DHCPACK on 192.168.23.165 to 7c:d3:0a:25:9e:78 (T620B) via eth0 
Okt 14 08:12:57 intra dhcpd[7474]: **Unable to add forward map from T620B.mydom.lan to 192.168.23.165: tsig indicates error**

Here is what I got:

clients:

  • mostly laptops running OS Leap 15.4
  • some M$ W10/11 laptops
  • a few workshop cnc controllers running Debian with LinuxCNC
  • all nics / wlans configured for dhcp ipv4, all with latest updates as per 10-14-22

server:

  • OS Leap 15.4, latest updates as per 10-14-22
  • intel MoBo with i5 i5-4570S, 32 GB Ram
  • dhcp and dns server installed somewhere in 2017
  • upgraded from 15.1->15.2->15.3->15.4 all with no issues especially regarding ddns

cat /etc/dhcpd.conf
option domain-name "mydom.lan";
option domain-name-servers 192.168.23.4;
option routers 192.168.23.2;
default-lease-time 172800;
authoritative ;
#include "/etc/named.d/updatedns";
#include "/etc/named.d/updatedns";
include "/etc/named.keys";
ddns-update-style interim;
ignore client-updates;
ddns-updates on;
subnet 192.168.23.0 netmask 255.255.255.0 {
  option routers 192.168.23.2;
  option netbios-name-servers 192.168.23.4;
  option domain-name-servers 192.168.23.4;
  option broadcast-address 192.168.23.255;
  option subnet-mask 255.255.255.0;
  interface eth0;
  range 192.168.23.100 192.168.23.200;
  default-lease-time 600;
  max-lease-time 900;
#  zone k23.lan. { primary intra.k23.lan.; key "DHCP_UPDATER"; }
  zone k23.lan. { primary intra.k23.lan.; key DHCP_UPDATER; }
#  zone 23.168.192.in-addr.arpa. { primary intra.k23.lan.; key "DHCP_UPDATER"; }
  zone 23.168.192.in-addr.arpa. { primary 127.0.0.1; key DHCP_UPDATER; }
  host gateway {
    fixed-address 192.168.23.1;
    hardware ethernet b8:27:eb:d2:44:b7;
  }
  host intra {
    fixed-address 192.168.23.4;
    hardware ethernet 88:07:4B:E6:BC:A3;
  }
  host mpc5503 {
    fixed-address 192.168.23.156;
    hardware ethernet 00:26:73:79:94:D6;
  }
  host gw {
    fixed-address 192.168.23.2;
    hardware ethernet 00:e0:4c:68:03:ca;
  }
}

cat /etc/sysconfig/dhcpd | grep INCLUDE_FILES=            
DHCPD_CONF_INCLUDE_FILES="/etc/dhcpd.d /etc/named.d/updatedns /etc/named.keys"
DHCPD6_CONF_INCLUDE_FILES="/etc/dhcpd6.d"

cat /etc/named.conf
options { 
       directory "/var/lib/named"; 
       managed-keys-directory "/var/lib/named/dyn/"; 

       dump-file "/var/log/named_dump.db"; 
        statistics-file "/var/log/named.stats"; 

       listen-on-v6 { any; }; 

       notify no; 

        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; 
        include "/etc/named.d/forwarders.conf"; 
        listen-on { 127.0.0.1; 192.168.23.4; }; 
}; 

# Include the meta include file generated by createNamedConfInclude.  This
# includes all files as configured in NAMED_CONF_INCLUDE_FILES from
# /etc/sysconfig/named




#include "/etc/named.keys" 
zone "." in { 
        type hint; 
        file "root.hint"; 
}; 

zone "localhost" in { 
        type master; 
        file "localhost.zone"; 
}; 

zone "0.0.127.in-addr.arpa" in { 
        type master; 
        file "127.0.0.zone"; 
}; 

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in { 
        type master; 
        file "127.0.0.zone"; 
}; 

zone "mydom.lan" in { 
        allow-transfer { none; }; 
        file "dyn/k23.lan"; 
        type master; 
#       allow-update { key "DHCP_UPDATER"; }; 
        allow-update { key DHCP_UPDATER; }; 
}; 
zone "23.168.192.in-addr.arpa" in { 
        file "dyn/23.168.192.in-addr.arpa"; 
        type master; 
#       allow-update { key "DHCP_UPDATER"; }; 
        allow-update { key DHCP_UPDATER; }; 
        allow-transfer { none; }; 
}; 
logging { 
        category xfer-in { log_file; }; 
        channel log_file { file "/var/log/zoneupdates" size 10M; }; 
        category default { log_file; }; 
}; 
acl goodclients { 192.168.0.0/24; localhost; localnets; };

cat /etc/sysconfig/named | grep NAMED_CONF_INCLUDE_FILES= 
NAMED_CONF_INCLUDE_FILES="/etc/named.d/updatedns /etc/named.keys"
 

The lines commented out are the only manual changes I did, as I usually use Yast to manage my stuff. Note the line ># zone k23.lan. { primary intra.k23.lan.; key “DHCP_UPDATER”; }< , where I deleted the quotes in an attempt to bring the functionality back up - in vain. The key DHCP_UPDATER was created yesterday, following this guide. The mentioned script >genDDNSkey< was used, which I guess is also the case when using “YAST DNS| TSig keys | generate new TSIG key” (not sure if I am right, though).

I ask myself,

  • named.conf: if >managed-keys-directory “/var/lib/named/dyn/”;< has something to do with my problem?
  • do I have to copy “/etc/named.keys” somewhere?

In short, I need help to resolve this.
Thanks a ton in advance
chris

There are several tools that assist with dynDNS. Some even encrypt DNS. You might find this article helpful. One of the DNS tools it mentions is openDNS.

https://en.opensuse.org/SDB:Configure_DNS

Jonathan_R

Thanks for your reply. The problem I have is in local dynamic dns update only. I do not have any problem, resolving names of the internet. I just want my clients in my local lan to be registered through local dhcpd for local name resolution.

Maybe the title of my post is misleading: “DynDNS” as opposed to “DDNS”?

I’ll try to update the title accordingly, if possible.

Greez
chris

The first thing to check is bind logs. dhcpd just reports status it got from bind.

arvijaar, I get this

cat zoneupdates | grep TSIG | tail -n 5 
client @0x7fef7536fb08 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY) 
client @0x7fef7536fb08 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY) 
client @0x7fef7536fb08 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY) 
client @0x7fef7533bfa8 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY) 
client @0x7fef7536fb08 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY)

Seems I have to follow up on key “dnsupdate”.

I’ll be back soon, hopefully

greez
chris

Did the following:

genDDNSkey -f DHCP_UPDATER -d /etc/named.d

in YAST I changed all references to >DHCP_UPDATER< (note, no “”), restarted named and dhcpd.
Still same story:

cat zoneupdates | grep TSIG | tail -n 5
client @0x7f15c800dae0 192.168.23.4#12935: request has invalid signature: TSIG dhcp_updater: tsig verify failure (BADKEY) 
client @0x7f15c800dae0 192.168.23.4#12935: request has invalid signature: TSIG dhcp_updater: tsig verify failure (BADKEY) 
client @0x7f15c800dae0 192.168.23.4#12935: request has invalid signature: TSIG dhcp_updater: tsig verify failure (BADKEY) 
client @0x7f15c800dae0 192.168.23.4#12935: request has invalid signature: TSIG dhcp_updater: tsig verify failure (BADKEY) 
client @0x7f15c800dae0 192.168.23.4#12935: request has invalid signature: TSIG dhcp_updater: tsig verify failure (BADKEY)

What puzzles me is >dhcp_updater< in minuscules, while I specified it in majuscules, see above. Could be, it should be in minuscules only?

greez
chris


here is an excerpt of an old (April 2022) logfile:

client 192.168.23.4#57672/key dnsupdate: signer "dnsupdate" approved
client 192.168.23.4#57672/key dnsupdate: updating zone 'k23.lan/IN': adding an RR at 'lc1512.k23.lan' A
client 192.168.23.4#57672/key dnsupdate: updating zone 'k23.lan/IN': adding an RR at 'lc1512.k23.lan' TXT

here is an excerpt of the recent logfile:

client @0x7fef7536fb08 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY)
client @0x7fef7536fb08 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY)
client @0x7fef7536fb08 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY)
client @0x7fef7533bfa8 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY)
client @0x7fef7536fb08 192.168.23.4#50885: request has invalid signature: TSIG dnsupdate: tsig verify failure (BADKEY)

It a) proves that it used to work (April 22), b) with key dnsupdate, and c) in combination with the log from June, it failed with the same key.

I am still stuck at very same point.

greez
chris

You can not change the original title, only that of your later posts. I did it for you.

Henk

Thanks a TON!
greez
chris

Meanwhile, I tried all sorts of ways to generate a keyfile:

  • genDDNSkey
  • tsig-keygen -a hmac-md5
  • dnssec-keygen -a dh

to no avail.

I also tried permissions on the keyfile, but that should not matter

ll /etc/named.d
-rw-r--r-- 1 root root   245 15. Okt 16:15 /etc/named.d/dhcpupdate
-rw-r----- 1 root named  148 15. Okt 14:29 /etc/named.d/dhcp_updater
-rw-r--r-- 1 root root    79 15. Okt 17:17 /etc/named.d/dhcpupddns.key
-rw-r--r-- 1 root root   428 15. Okt 16:00 /etc/named.d/Kdhcpupdate.+005+05683.key
-rw------- 1 root root  1010 15. Okt 16:00 /etc/named.d/Kdhcpupdate.+005+05683.private
-rw-r--r-- 1 root root    87 15. Okt 16:34 /etc/named.d/Kmy.dns.update.key.+002+09729.key
-rw------- 1 root root   255 15. Okt 16:34 /etc/named.d/Kmy.dns.update.key.+002+09729.private
-rw-r--r-- 1 root root   118 15. Okt 16:37 /etc/named.d/my.dns.update.key
-rw-r----- 1 root named  148 15. Okt 16:53 /etc/named.d/updatedns.key

Still the same.
need to take a break
greez
chris

Hi all

Meanwhile, I added manual entries in the zone files. For now, the most vital stuff is working. But that cannot be the final solution. I develop measurement appliances to monitor buildings and machines. Thus, I frequently have new boxes on the table, sometimes up to 10 at a time. Doing everything manually that used to work so nicely automagically is tedious, error prone and time consuming.

I really need help with this. Can’t figure out, where it is blocked.

Greez
chris

Hi all
Still stuck!
Is there a way to verify what key named is really using?
Greez
chris

edit:

dig DNSKEY k23.lan. @localhost +multiline

; <<>> DiG 9.16.31 <<>> DNSKEY k23.lan. @localhost +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b5a5d442360321c201000000634d6494ed77a233c2794773 (good)
;; QUESTION SECTION:
;k23.lan. IN DNSKEY

;; AUTHORITY SECTION:
k23.lan. 86400 IN SOA intra. root.intra. (
2022101700 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Oct 17 16:20:04 CEST 2022
;; MSG SIZE rcvd: 110

does not seem to help

Hi all

If someone has this working, could you kindly post the result of

cat /etc/named.d/dnsupdate.key | grep -Ei "algo|"
key "dnsupdate" {
        algorithm hmac-sha512;

where “dnsupdate.key” should be replaced by the name of the key file you use.

Reasoning: I suspect OS 15.4 named.d ddns functionality to be limited to a certain algorithm and am not sure about the quotes.

Greez
chris

Hi all
Got it working in a virtualbox Opensuse 15.3 vm. It fails in an Opensuse 15.4 vm, though.

I start to think, it could be a bug in 15.4?!

What was done:
  • 2 virtual box vms, as mentioned one based on 15.3, the other based on 15.4
  • both vms set up identically:
      • changed network setting to use wicked instead of network manager
      • Yast DNS Server dialog,
          • all settings default
          • domain test.site
          • forward zone test.site
          • reverse zone 0.20.10.in-addr.arpa
          • nameserver in both os 15xvm.test.site
          • switched to expert config
          • created TSIG key “ddnsupdate” with file “ddnsupdate.key”
          • both zones with dynamic updates enabled
          • logging zoneupdates to /var/log/zoneupdates
          • chown named.named /var/log/zoneupdates
          • systemctl start named
          • verified it is running on both machines (systemctl status named)
  • test with nsupdate

cat nsupdate.txt 
server localhost 
zone test.site 
update add somthing.test.site. 600 A 10.2.0.20 
show 
send

run the test under 15.4:

nsupdate -k ddnsupdate.key -v nsupdate.txt 
Outgoing update query: 
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0 
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 
;; ZONE SECTION: 
;test.site.                     IN      SOA 

;; UPDATE SECTION: 
somthing.test.site.     600     IN      A       10.2.0.20 

; TSIG error with server: tsig indicates error 
update failed: NOTAUTH(BADKEY)

under 15.3

nsupdate -k ddnsupdate.key -v nsupdate.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;test.site.                     IN      SOA

;; UPDATE SECTION:
somthing.test.site.     600     IN      A       10.2.0.20

host somthing.test.site 
somthing.test.site has address 10.2.0.20

  • Verify named.conf:

named-checkconf

created stripped /etc/named.conf file for both vm’s:

cat /etc/named.conf | grep -v "#" | sed '/^$/d' | sed 's/^[ 	]*\(.*$\)/\1/' > 15.4.stripped

transferred file 15.3.stripped to 15.4 vm,
then did

diff 15.3.stripped 15.4.stripped                      

1a2
> stale-answer-enable no; 
4,5c5,6 
< dump-file "/var/log/named_dump.db"; 
< statistics-file "/var/log/named.stats"; 
--- 
> dump-file "/var/log/named/dump.db"; 
> statistics-file "/var/log/named/stats"; 
8a10 
> geoip-directory none; 
27,33d28 
< include "/etc/named.conf.include"; 
< zone "test.site" in { 
< file "dyn/test.site"; 
< type master; 
< allow-update { key "ddnsupdate"; }; 
< allow-transfer { any; }; 
< }; 
37a33,38 
> }; 
> zone "test.site" in { 
> allow-update { key "ddnsupdate"; }; 
> allow-transfer { any; }; 
> file "dyn/test.site"; 
> type master;

  • The very named.conf files:

15.3:

cat /etc/named.conf | grep -v "#" | sed '/^$/d'
options {
        directory "/var/lib/named"; 
        managed-keys-directory "/var/lib/named/dyn/"; 
        dump-file "/var/log/named_dump.db"; 
        statistics-file "/var/log/named.stats"; 
        listen-on-v6 { any; }; 
        notify no; 
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; 
        include "/etc/named.d/forwarders.conf"; 
}; 
zone "." in { 
        type hint; 
        file "root.hint"; 
}; 
zone "localhost" in { 
        type master; 
        file "localhost.zone"; 
}; 
zone "0.0.127.in-addr.arpa" in { 
        type master; 
        file "127.0.0.zone"; 
}; 
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in { 
        type master; 
        file "127.0.0.zone"; 
}; 
include "/etc/named.conf.include"; 
zone "test.site" in { 
        file "dyn/test.site"; 
        type master; 
        allow-update { key "ddnsupdate"; }; 
        allow-transfer { any; }; 
}; 
logging { 
        category xfer-in { log_file; }; 
        category default { log_file; }; 
        channel log_file { file "/var/log/zoneupdates" size 0M; }; 
}; 
zone "0.2.10.in-addr.arpa" in { 
        allow-update { key "ddnsupdate"; }; 
        allow-transfer { any; }; 
        file "dyn/0.2.10.in-addr.arpa"; 
        type master; 
};

15.4:

cat /etc/named.conf | grep -v "#" | sed '/^$/d'

options {
        stale-answer-enable no; 
        directory "/var/lib/named"; 
        managed-keys-directory "/var/lib/named/dyn/"; 
        dump-file "/var/log/named/dump.db"; 
        statistics-file "/var/log/named/stats"; 
        listen-on-v6 { any; }; 
        notify no; 
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; 
        geoip-directory none; 
        include "/etc/named.d/forwarders.conf"; 
}; 
zone "." in { 
        type hint; 
        file "root.hint"; 
}; 
zone "localhost" in { 
        type master; 
        file "localhost.zone"; 
}; 
zone "0.0.127.in-addr.arpa" in { 
        type master; 
        file "127.0.0.zone"; 
}; 
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in { 
        type master; 
        file "127.0.0.zone"; 
}; 
logging { 
        category xfer-in { log_file; }; 
        category default { log_file; }; 
        channel log_file { file "/var/log/zoneupdates" size 0M; }; 
}; 
zone "test.site" in { 
        allow-update { key "ddnsupdate"; }; 
        allow-transfer { any; }; 
        file "dyn/test.site"; 
        type master; 
}; 
zone "0.2.10.in-addr.arpa" in { 
        allow-update { key "ddnsupdate"; }; 
        allow-transfer { any; }; 
        file "dyn/0.2.10.in-addr.arpa"; 
        type master; 
};

  • Key files:

15.3:

cat ddns*          
key "ddnsupdate" { 
        algorithm hmac-sha512; 
        secret "/b02wOPr2KIPXgDwIReefU0FamwBwywEYj96D3xtuzoeJonMI2aambxxcW9ZqXXweLFEncWag7PDmH1uXeTbaw=="; 
};

15.4:

cat ddns* 
key "ddnsupdate" { 
        algorithm hmac-sha512; 
        secret "z5EXIRilaKNBJp/r2qJRyNU42LRlOS9coyUoQ1Xncvml4GoGeTFZfD6JTJJ0NOPT9xaReZ6g4b1yR2pY5vLrUw=="; 
};

Honestly, I cannot see any relevant difference, but maybe I am too deep in. Can anybody else?

greez
chris

Hi all
Sad, I got no help.

on 15.3

 rndc tsig-list 
view "_default"; type "static"; key "ddnsupdate"; 
view "_default"; type "static"; key "local-ddns"; 
view "_bind"; type "static"; key "ddnsupdate"; 
view "_bind"; type "static"; key "local-ddns";

on 15.4

rndc tsig-list 
view "_default"; type "static"; key "local-ddns"; 
view "_bind"; type "static"; key "local-ddns";

So… 15.4 does not know about the key “ddnsupdate”. Thus, no wonder, zone updates through nsupdate fail!

Now, the 1 million dollar question is: why does the 15.4 vm NOT know about the key?

greez
chris

Hi all

I think I got it sorted out! :)

In opensuse 15.4, ddns-updated keys are located in /etc/named.d. By default, the key is NOT included in the config file /etc/named.conf but in /etc/sysconfig/named:

cat /etc/sysconfig/named | grep update 
NAMED_CONF_INCLUDE_FILES="/etc/named.d/ddns-update.key"

If you stop there, your named won't see the key and ddns functionality is defunct. You need to:

echo "include \"/etc/named.conf.include\"; " >> /etc/named.conf
echo "include \"/etc/named.d/ddns-update.key\"; " >> /etc/named.conf.include
# replace ddns-update.key with your key file name
chown root.named /etc/named.conf.include
named-checkconf
systemctl restart named
rndc tsig-list

if all went well, you should see:

view "_default"; type "static"; key "ddns-update"; 
view "_default"; type "static"; key "local-ddns"; 
view "_bind"; type "static"; key "ddns-update"; 
view "_bind"; type "static"; key "local-ddns";

Don’t forget to configure your dhcpd to use the correct key (in my case “ddns-update”). Now your dhcpd should be able to update your dns zones. A successful message:

Okt 19 10:48:39 intra dhcpd[21194]: Added new forward map from audio.k23.lan to 192.168.23.171

I think, this is a quirk only - but at least it is working for me. I have a strong feeling, there is something wrong in Opensuse 15.4 DNS server package, regarding the handling of the ddns key file.

Greez
chris
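
The condition found in the last two posts (a zone's allow-update names a key, but no include chain from named.conf reaches the file that defines it, so rndc tsig-list never lists it) can be checked on a copy of the configuration before restarting named. The script below is an added example, not part of the thread or of any openSUSE tooling; NAMED_ROOT, the function names and the fixture with its dummy secret are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list TSIG keys that named.conf uses in
# a match list (key "x";) but never defines (key "x" { ... }), following
# include "..." directives. NAMED_ROOT is a hypothetical prefix for checking a
# copied config tree. Only '#' and '//' comments are stripped, not /* */.
NAMED_ROOT="${NAMED_ROOT:-}"

strip_comments() { sed -e 's/#.*$//' -e 's|//.*$||' "$1"; }

# Print $1 and every readable file it includes (recursion capped at depth 8).
conf_files() {
    [ -r "$1" ] && [ "${2:-0}" -lt 8 ] || return 0
    printf '%s\n' "$1"
    strip_comments "$1" |
        { grep -oE 'include[[:space:]]+"[^"]+"' || true; } |
        sed -E 's/^include[[:space:]]+"([^"]+)"$/\1/' |
        while IFS= read -r inc; do
            conf_files "${NAMED_ROOT}${inc}" $(( ${2:-0} + 1 ))
        done
}

# Key names followed by $2: '{' = definition, ';' = reference. Names are
# lower-cased because TSIG key names are DNS names and compare without case
# (named logged DHCP_UPDATER as dhcp_updater in the thread).
keys_followed_by() {
    conf_files "$1" | while IFS= read -r f; do strip_comments "$f"; done |
        { grep -oE "(^|[^A-Za-z0-9_-])key[[:space:]]+\"?[A-Za-z0-9._-]+\"?[[:space:]]*[$2]" || true; } |
        sed -E "s/.*key[[:space:]]+\"?([A-Za-z0-9._-]+)\"?[[:space:]]*[$2]\$/\1/" |
        tr 'A-Z' 'a-z' | sort -u
}

# Referenced keys that no reachable file defines: these produce BADKEY.
missing_keys() {
    defined=$(keys_followed_by "$1" '{')
    keys_followed_by "$1" ';' | while IFS= read -r k; do
        printf '%s\n' "$defined" | grep -qxF -- "$k" || printf '%s\n' "$k"
    done
}

# Constructed fixture modelled on the thread's test VMs; the secret is a dummy.
# $2=yes adds the include line that the fix appends to named.conf.
make_fixture() {
    mkdir -p "$1/etc/named.d"
    printf 'key "ddnsupdate" {\n\talgorithm hmac-sha512;\n\tsecret "Y29uc3RydWN0ZWQ=";\n};\n' \
        > "$1/etc/named.d/ddnsupdate.key"
    printf 'include "/etc/named.d/ddnsupdate.key";\n' > "$1/etc/named.conf.include"
    {
        if [ "$2" = yes ]; then printf 'include "/etc/named.conf.include";\n'; fi
        printf '#include "/etc/named.keys"\n'
        printf 'zone "test.site" in {\n\ttype master;\n\tfile "dyn/test.site";\n'
        printf '\tallow-update { key "ddnsupdate"; };\n};\n'
    } > "$1/etc/named.conf"
}

demo() {
    tmp=$(mktemp -d)
    for mode in no yes; do
        make_fixture "$tmp/$mode" "$mode"
        NAMED_ROOT="$tmp/$mode"
        printf 'include line present=%s, undefined keys: %s\n' "$mode" \
            "$(missing_keys "$NAMED_ROOT/etc/named.conf" | tr '\n' ' ')"
    done
    rm -rf "$tmp"
}
demo
```

On a live server, leave NAMED_ROOT empty and call missing_keys /etc/named.conf; any name it prints is a key that named will reject, and rndc tsig-list remains the authoritative check of what the running daemon has loaded.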