Hi all

Due to circumstances beyond my control a remote partner needs to use version 
9.9.9 of BIND, and we are required to use HMAC-MD5 for zone transfers. There 
is no (big) security concern since the networks are isolated and not exposed to 
the larger Internet.

When the secondary requests an AXFR I see:
client @0xxxxxxxxxxxxx nnn.nnn.nnn.nnn#xxxxxx: request has invalid signature: 
TSIG <KEY>: tsig verify failure (BADSIG)

Doing a dig directly (with the same key) I get the zone:
client @0xxxxxxxxxxxxx nnn.nnn.nnn.nnn#xxxxxx /key <KEY> (zone.tld): transfer 
of 'zone.tld/IN': AXFR started: TSIG <KEY> (serial nnnn)

Are there any known incompatibilities - preferably with workarounds :) - that 
anyone knows about?

I apologize in advance if the info is lacking, but here are what I consider 
the relevant parts from named.conf:

key "<KEY>." {
        algorithm hmac-md5;
        secret "XXXXXXXXXXXXXXXXXXXXXX";
};

acl servers {
        nnn.nnn.nnn.nnn;
        nnn.nnn.nnn.nnn;
        nnn.nnn.nnn.nnn;
};

acl transfer {
        !servers;
        !localhost;
        !nnn.nnn.nnn.nnn;
        any;
};

zone "zone.tld." IN {
        type master;
        file "/etc/bind/zones/zone.file";
        allow-transfer { !transfer; key <KEY>.; };
};

Again - sorry if this is insufficient information.
It could be as simple as the remote not having everything in order, but they 
swear up and down that they have checked, double-checked and enlisted multiple 
persons in doing the checks.

I would appreciate any and all hints even if they are farfetched.

Best Regards
Patrik Graeser
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
