> From a shell on the same box, a cmd-line transfer request
>
> dig -b 127.0.0.1 axfr example.com @127.0.0.1
This one doesn't use TSIG. If it did, you'd be using the -y option.
> In opendnssec's addns.xml, I've config'd,
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Adapter>
> <DNS>
> <TSIG>
> <Name>ods-key</Name>
> <Algorithm>hmac-sha256</Algorithm>
> <Secret>xxx...xxx</Secret>
> </TSIG>
You've configured OpenDNSSEC to use TSIG. You then need to make
the corresponding configuration on your BIND name server to
recognize that key, in the form
key ods-key {
algorithm hmac-sha256;
secret "xxx...xxx";
};
> Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com
> received error code NOTAUTH from 127.0.0.1
This is a hint.
> Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com, from
> 127.0.0.1 has tsig error (Bad Key)
And this is the smoking gun.
Regards,
- Håvard
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
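As an added illustration of the point made in the reply above (this is not code from the thread or from the OpenDNSSEC project), the script below takes the three TSIG values from addns.xml, emits the BIND key statement that has to match them byte for byte, builds the dig -y argument so the AXFR can be reproduced with the same key the signer uses, and classifies the two log lines quoted in the thread. The key name and algorithm are the ones from the thread; the secret is a constructed placeholder, and the diagnose function maps the generic TSIG error names (RFC 8945 BADKEY/BADSIG/BADTIME) to the usual cause, which is an assumption about what a given deployment's logs mean, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduce the TSIG setup on both
# sides from the values in OpenDNSSEC's addns.xml and classify the log lines.

# Values as they appear in addns.xml (<Name>, <Algorithm>, <Secret>).
# The secret is a constructed placeholder, not a real key.
ODS_KEY_NAME="ods-key"
ODS_KEY_ALG="hmac-sha256"
ODS_KEY_SECRET="c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1hLXJlYWwta2V5"

# tsig_named_key NAME ALG SECRET
# BIND 'key' statement for named.conf. Name, algorithm and secret must match
# addns.xml exactly; otherwise the signer's AXFR gets NOTAUTH plus a TSIG error.
tsig_named_key() {
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$3"
}

# tsig_dig_y NAME ALG SECRET
# Argument for dig's -y option, i.e.  dig -y ALG:NAME:SECRET axfr ZONE @SERVER
# This is the signed counterpart of the unsigned dig in the thread.
tsig_dig_y() {
    printf '%s:%s:%s' "$2" "$1" "$3"
}

# tsig_check_alg ALG -> 0 if ALG is one of the HMAC names both BIND and
# OpenDNSSEC accept (a typo here shows up on the server as an unknown key).
tsig_check_alg() {
    case "$1" in
        hmac-md5|hmac-sha1|hmac-sha224|hmac-sha256|hmac-sha384|hmac-sha512) return 0 ;;
        *) return 1 ;;
    esac
}

# tsig_check_secret SECRET -> 0 if SECRET is non-empty base64, which is what
# both <Secret> and BIND's secret "..." expect.
tsig_check_secret() {
    [ -n "$1" ] && printf '%s' "$1" \
        | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
}

# tsig_diagnose LINE -> one token naming the TSIG failure in a log line.
#   BADKEY  server does not know this key name/algorithm (missing key {} block)
#   BADSIG  key known but the secret differs
#   BADTIME clocks differ by more than the TSIG fudge window
#   NOTAUTH the refusal itself; the TSIG line that follows tells you why
# The mapping is the generic RFC 8945 one (assumption: the ldns error strings
# in ods-signerd's log correspond to these codes).
tsig_diagnose() {
    case "$1" in
        *"Bad Key"*)       echo "BADKEY" ;;
        *"Bad Signature"*) echo "BADSIG" ;;
        *"Bad Time"*)      echo "BADTIME" ;;
        *NOTAUTH*)         echo "NOTAUTH" ;;
        *)                 echo "NONE" ;;
    esac
}

# Usage: check the inputs, then print what goes into named.conf and on the
# dig command line, and classify the two log lines quoted in the thread.
if tsig_check_alg "$ODS_KEY_ALG" && tsig_check_secret "$ODS_KEY_SECRET"; then
    tsig_named_key "$ODS_KEY_NAME" "$ODS_KEY_ALG" "$ODS_KEY_SECRET"
    printf 'dig -y %s axfr example.com @127.0.0.1\n' \
        "$(tsig_dig_y "$ODS_KEY_NAME" "$ODS_KEY_ALG" "$ODS_KEY_SECRET")"
else
    echo "addns.xml TSIG values do not look valid" >&2
fi

# Log lines copied from the thread above.
LOG_NOTAUTH="ods-signerd: [xfrd] bad packet: zone example.com received error code NOTAUTH from 127.0.0.1"
LOG_BADKEY="ods-signerd: [xfrd] zone example.com, from 127.0.0.1 has tsig error (Bad Key)"
tsig_diagnose "$LOG_NOTAUTH"
tsig_diagnose "$LOG_BADKEY"
```

Once the key statement is in named.conf (and the zone's allow-transfer references it), rerunning the printed dig line is the quickest way to confirm the fix independently of the signer: a "Bad Key" at that point still means the name or algorithm differs, a "Bad Signature" means the secret does.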