On 12/25/2016 02:41 PM, Havard Eidnes wrote:
>> From shell on the same box, a cmd-line transfer request
>>
>> dig -b 127.0.0.1 axfr example.com @127.0.0.1
>
> This one doesn't use TSIG. If it did, you'd be using the -y option.
Actually, that was simply to verify AXFR transferability & connection ...
From cmd line @ shell,
dig -b 127.0.0.1 axfr example.com @127.0.0.1 -y hmac-sha256:ods-key:xxx...xxx
works as well.
AND, I see the traffic in tcpdump, as above.
> You've configured OpenDNSSEC to use TSIG. You then need to make
> the corresponding configuration on your BIND name server to
> recognize that key, in the form
>
> key ods-key {
> algorithm hmac-sha256;
> secret "xxx...xxx";
> };
Yes, and it's included. I transfer to/from other nameservers, using other
keys, with no issue.
>> Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com
>> received error code NOTAUTH from 127.0.0.1
>
> This is a hint.
>
>> Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com, from
>> 127.0.0.1 has tsig error (Bad Key)
>
> And this is the smoking gun.
I'm not convinced that it is.
I'd expect that there's SOME traffic shown via tcpdump in the ODS2 usage case,
EVEN IF it's NOTAUTH'd. Unfortunately, there isn't.
Unless there's a reason I've missed/misunderstood why traffic WOULD show up
when invoking AXFR from the cmd line, but not when invoked by ODS2 ...
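The "tsig error (Bad Key)" and NOTAUTH pair above is what a TSIG-signed query gets back when the responding server does not recognise the key name (or algorithm) the requester signed with, whereas a secret that differs produces BADSIG instead, so it is worth checking that the key name, algorithm and secret in the OpenDNSSEC adapter config agree exactly with the `key` statement on the BIND side before looking further. The following is an added example (not from this thread, OpenDNSSEC or BIND) of a small offline checker for that: it parses `key { ... };` blocks from a named.conf fragment and `<TSIG>` entries from an addns.xml-style fragment, both constructed inline here, and reports which TSIG error each mismatch would produce. The `<TSIG><Name/><Algorithm/><Secret/></TSIG>` element layout is an assumption about addns.xml; adjust it if your version differs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a BIND named.conf fragment with two key statements.
NAMED_CONF = """
key ods-key {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1leGFtcGxlLW9ubHk=";
};
key other-key {
    algorithm hmac-md5;
    secret "b3RoZXItc2VjcmV0";
};
"""

# Constructed sample of an OpenDNSSEC addns.xml TSIG section.
# The element layout (TSIG/Name, Algorithm, Secret) is assumed, not taken from the thread.
ADDNS_XML = """<Adapter>
  <DNS>
    <TSIG>
      <Name>ODS-KEY.</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>c2VjcmV0LWZvci1leGFtcGxlLW9ubHk=</Secret>
    </TSIG>
  </DNS>
</Adapter>"""

# Matches: key NAME { algorithm ALG; secret "SECRET"; };
KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;'
)


def norm_name(name):
    # TSIG key and algorithm names are DNS names: case-insensitive, trailing dot irrelevant.
    return name.strip().rstrip('.').lower()


def parse_bind_keys(text):
    """Return {key_name: (algorithm, secret)} from BIND key statements."""
    return {
        norm_name(name): (norm_name(alg), secret)
        for name, alg, secret in KEY_RE.findall(text)
    }


def parse_ods_tsig(xml_text):
    """Return {key_name: (algorithm, secret)} from the assumed addns.xml TSIG elements."""
    root = ET.fromstring(xml_text)
    out = {}
    for tsig in root.iter('TSIG'):
        out[norm_name(tsig.findtext('Name', ''))] = (
            norm_name(tsig.findtext('Algorithm', '')),
            tsig.findtext('Secret', '').strip(),
        )
    return out


def diagnose(bind_keys, ods_keys):
    """For each key ODS would sign with, say what the BIND side would answer."""
    findings = []
    for name, (alg, secret) in ods_keys.items():
        if name not in bind_keys:
            # Unknown key name -> NOTAUTH with TSIG error BADKEY
            findings.append((name, 'BADKEY', 'key name not defined on BIND side'))
            continue
        bind_alg, bind_secret = bind_keys[name]
        if bind_alg != alg:
            # Known name but unsupported/different algorithm -> also BADKEY
            findings.append((name, 'BADKEY', f'algorithm mismatch: ODS {alg} vs BIND {bind_alg}'))
        elif bind_secret != secret:
            # Same key identity, different secret -> MAC fails -> BADSIG
            findings.append((name, 'BADSIG', 'secret differs'))
        else:
            findings.append((name, 'OK', 'name, algorithm and secret agree'))
    return findings


if __name__ == '__main__':
    for finding in diagnose(parse_bind_keys(NAMED_CONF), parse_ods_tsig(ADDNS_XML)):
        print(*finding)
```

Because the checker normalises names the way a resolver compares them, `ODS-KEY.` in the ODS config is correctly matched against `ods-key` in named.conf; the cases that still report BADKEY are the ones that would explain the log lines quoted above.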
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user