dynamic dns update - request has invalid signature - TSIG

[TonyErcolano]

Using latest stable builds of bind and dhcp server. Kernel is 2.6.23.8

dns server is protected by a firewall. Authoritive for several zones. Can handle name lookup requests just dandy and has for years.

dhcp server not protected by firewall, part of local non-routing address space: 10.0.0.x

Trying to add dynamic dns updates from the local dhcp server to the dns server. USING TSIG for security.

Both the "public" dns server and the dhcp server get their times from the same ntp server and do appear to be in "sync".

If the dhcp server attempts to add the newly handed out ip address (and name) to the dns server the dhcp (and the dns server) report failure.
On the dhcp server we get log messages of the form:

Unable to add forward map from dhcp-10-0-0-184.bogus-for-example.domain to 10.0.0.184: bad DNS signature.

On the dns server we see messages of the form:

client xxx.xxx.xxx.xxx#25112: request has invalid signature: TSIG a-tseg-key-name: tsig verify failure (BADSIG)

Very depressing.

Now, doing this by "hand" using nsupdate on the dhcp server machine I get the same errors. This makes sense.

However, if on the DNS server machine I run nsupdate with the EXACT same commands, the update is accepted!

Note that back on the dhcp server machine if I run DIG using the same keyname and secret to download zone data it works just fine.
I mention this because at the very least the key processing code is compatable between both the dhcp and the dns servers.

If anyone has any thoughts I would love to hear them.

Thanks in advance!
Tony