Hello Matthijs, yes, "hmac-md5.sig-alg.reg.int" works far better... So, now, TSIG works, thanks.
On Wed, Mar 03, 2010 at 03:09:57PM +0100, Matthijs Mekking wrote:
> Hi Pierre,
>
> hmac-md5 is not a valid algorithm identifier.
> Please use hmac-md5.sig-alg.reg.int
>
> I'll add code that accepts the string 'hmac-md5' in the zonefetch as well.
>
> Best regards,
>
> Matthijs
>
> Pierre LEBRECH wrote:
> > Thanks Matthijs,
> >
> > here is what the log tells:
> >
> > ############################ snip
> > Mar 3 10:55:27 rdb zone_fetcher: zone fetcher received NOTIFY for zone titi.fr
> > Mar 3 10:55:27 rdb zone_fetcher: zone fetcher failed to start axfr: Could not create TSIG signature
> > Mar 3 10:55:27 rdb zone_fetcher: AXFR for zone 'titi.fr' failed
> > ############################ snip
> >
> > The BIND used is 9.6.1-P3
> >
> > Matthijs Mekking wrote:
> >> There is a statement in the KNOWN_ISSUES file about TSIG
> >> incompatibility, due to BIND9's cryptographic library. However, that
> >> should not affect MD5.
> >>
> >> Does the syslog inform you why the transfer failed?
> >> Can you perhaps share the zonefetch.xml (off list)?
> >>
> >> Best regards,
> >>
> >> Matthijs Mekking
> >> NLnet Labs
> >>
> >> Pierre LEBRECH wrote:
> >>> Hello,
> >>> When I configure ODS to make AXFR without TSIG, zone_fetcher can
> >>> transfer the zone. But if I use TSIG, it cannot.
> >>>
> >>> I tried a manual dig with TSIG and it worked, but within ODS it didn't.
> >>> So, where should I look to correct this?
> >>> Here is my TSIG statement within zonefetch.xml:
> >>> <TSIG>
> >>> <Name>hidden-ods</Name>
> >>> <Algorithm>hmac-md5</Algorithm>
> >>> <Secret>y7ZSL+SXOglczotXGiYxTS2zhMu34QnjCGx0aYg4TqjOyrEsuL9+ZsmLhaHB/QJQeoU63mOyVeqtfTwBxU8oxA==</Secret>
> >>> </TSIG>
> >>> The name "hidden-ods" is the BIND TSIG key name.
> >>> Thanks
> >>> _______________________________________________
> >>> Opendnssec-user mailing list
> >>> [email protected]
> >>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-- 
*****************************
Richard NAGY
Nameshield
27 rue des Arènes
F-49100 Angers
Tel: +33 2 41 18 28 28
Fax: +33 2 41 18 28 29
*****************************
GnuPG fingerprint: 143C 5220 45CA 2C7F 24C8 6811 E859 C2CA BECB 2EC0
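
The failure in this thread came from a short algorithm name where a full TSIG algorithm identifier was expected. The following is an added example, not part of the original messages and not OpenDNSSEC's code: a pre-flight check for a `<TSIG>` block that flags such names before the transfer fails with "Could not create TSIG signature". The function names, the alias table and the sample key are assumptions made for illustration; the identifier list is taken from RFC 2845 and RFC 4635.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# TSIG algorithm identifiers are domain names (RFC 2845, RFC 4635).
TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int", "hmac-sha1", "hmac-sha224",
    "hmac-sha256", "hmac-sha384", "hmac-sha512",
}
# Short form seen in the thread, mapped to the identifier it stands for.
ALIASES = {"hmac-md5": "hmac-md5.sig-alg.reg.int"}


def check_tsig(xml_text):
    """Return (canonical algorithm or None, list of problems) for a <TSIG> block."""
    root = ET.fromstring(xml_text)
    tsig = root if root.tag == "TSIG" else root.find(".//TSIG")
    if tsig is None:
        return None, ["no <TSIG> element"]
    problems = []
    if not (tsig.findtext("Name") or "").strip():
        problems.append("missing <Name>")
    raw = (tsig.findtext("Algorithm") or "").strip()
    algo = raw.lower().rstrip(".")  # domain names: case-insensitive, optional root dot
    canonical = algo if algo in TSIG_ALGORITHMS else ALIASES.get(algo)
    if canonical is None:
        problems.append(f"unknown TSIG algorithm '{raw}'")
    elif canonical != algo:
        problems.append(f"'{raw}' is not a TSIG algorithm identifier; use '{canonical}'")
    # The secret must be non-empty base64 (whitespace from line wrapping is ignored).
    secret = "".join((tsig.findtext("Secret") or "").split())
    try:
        if not base64.b64decode(secret, validate=True):
            problems.append("empty <Secret>")
    except binascii.Error:
        problems.append("<Secret> is not valid base64")
    return canonical, problems


def sample(algorithm, secret="Y29uc3RydWN0ZWQtZXhhbXBsZS1rZXk="):
    """Constructed <TSIG> block; key name and secret are made-up sample values."""
    return (f"<TSIG><Name>example-key</Name><Algorithm>{algorithm}</Algorithm>"
            f"<Secret>{secret}</Secret></TSIG>")


if __name__ == "__main__":
    for alg in ("hmac-md5", "hmac-md5.sig-alg.reg.int", "HMAC-SHA256.", "md5"):
        print(alg, "->", check_tsig(sample(alg)))
```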
