Setup: A aerver jail running "bind916-9.16.34_1": A client jail running "bind-tools" The client app sends changes to a dynamic zone via "nsupdate" to the server. I was upgrading the client jail: Installed packages to be UPGRADED: bind-tools: 9.18.7 -> 9.18.8 bind916: 9.16.33_1 -> 9.16.34_1 The packages where build with: /etc/make.conf DEFAULT_VERSIONS+= ssl=openssl After the upgrade, nsupdate failed with: /usr/local/bin/nsupdate -k '/usr/local/etc/namedb/Kexample.com.dyn.+157+56215.key' 04-Nov-2022 09:54:01.525 /usr/local/etc/namedb/Kexample.com.dyn.+157+56215.key:1: unknown option 'example.com.dyn.' 04-Nov-2022 09:54:01.525 /usr/local/etc/namedb/Kexample.com.dyn.+157+56215.key:2: unexpected token near end of file could not read key from /usr/local/etc/namedb/Kexample.com.dyn.+157+56215.{private,key}: unexpected token update failed: REFUSED After downgrading both packages, everything works again. diff of "pkg info bind-tools" -bind-tools-9.18.7 +bind-tools-9.18.8 -Version : 9.18.7 +Version : 9.18.8 Options : - GSSAPI_BASE : off - GSSAPI_HEIMDAL : off - GSSAPI_MIT : off - GSSAPI_NONE : on + GSSAPI_BASE : off + GSSAPI_HEIMDAL : off + GSSAPI_MIT : off + GSSAPI_NONE : on Shared Libs provided: - libns-9.18.7.so - libisccfg-9.18.7.so - libisccc-9.18.7.so - libisc-9.18.7.so - libirs-9.18.7.so - libdns-9.18.7.so - libbind9-9.18.7.so + libbind9-9.18.8.so + libdns-9.18.8.so + libirs-9.18.8.so + libisc-9.18.8.so + libisccc-9.18.8.so + libisccfg-9.18.8.so + libns-9.18.8.so Annotations : + cpe : cpe:2.3:a:isc:bind:9.18.8:::::freebsd12:x64 - cpe : cpe:2.3:a:isc:bind:9.18.7:::::freebsd12:x64 -Flat size : 9.37MiB +Flat size : 9.38MiB I found nothing related in the upstream Changelogs for 9.16 ann 9.18
Same problem after upgrading to bind-tools-9.18.9 reverting to bind-tools-9.18.7 fixed the problem.
As nothing changed in the port itself, I don't see how could be related to the update, have you opened an issue upstream ?
I failed to create an issue upstream, my account had been expired. The issue does happen with older key keys. Newly generated key files do work for now. Keys with "algorithm hmac-md5" can no longer be used. Sadly there was no documentation upstream about this. Reverting to older openssl did not had any effect.
Just tried with version 9.18.14: the issue still persists.
I just tried version 9.18.19 and it works again now, even if the command outputs this warning message: "Use of K* file pairs for HMAC is deprecated". Thus I think this issue can be closed.