I'm losing track of all my own attempts :-/ So a quick summary:
I've set up my bind9 server to listen on 10.1.1.53 & 127.0.0.1.
transfers are ONLY allowed with TSIG. Testing from a shell on the same box,

  dig -b 127.0.0.1 axfr example.com @127.0.0.1

  ; <<>> DiG 9.11.0-P1 <<>> -b 127.0.0.1 axfr example.com @127.0.0.1
  ;; global options: +cmd
  ; Transfer failed.

  dig -b 127.0.0.1 axfr example.com @127.0.0.1 -k /usr/local/etc/named/keys/ods.key

  ; <<>> DiG 9.11.0-P1 <<>> -b 127.0.0.1 axfr example.com @127.0.0.1 -k /usr/local/etc/named/keys/ods.key
  ...
  ;; Query time: 1 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Mon Dec 26 16:24:32 PST 2016
  ;; XFR size: 19 records (messages 1, bytes 1902)
since ODS2 is on the same box, it should be communicating for axfr only on
localhost. It is, with config

  cat conf.xml
  ...
  <Signer>
    <Listener>
      <Interface>
        <Address>127.0.0.1</Address>
        <Port>15354</Port>
      </Interface>
      <Interface>
        <Address>10.1.1.53</Address>
        <Port>15354</Port>
      </Interface>
    </Listener>
    <Privileges>
  ...
and

  cat addns.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <Adapter>
    <DNS>
      <TSIG>
        <Name>ods-key</Name>
        <Algorithm>hmac-sha256</Algorithm>
        <Secret>xxx...xxx</Secret>
      </TSIG>
      <Inbound>
        <RequestTransfer>
          <Remote>
            <Address>127.0.0.1</Address>
            <Port>53</Port>
            <Key>ods-key</Key>
          </Remote>
        </RequestTransfer>
        <AllowNotify>
          <Peer>
            <Prefix>127.0.0.1</Prefix>
            <Key>ods-key</Key>
          </Peer>
        </AllowNotify>
      </Inbound>
      ...
    </DNS>
  </Adapter>
  ...
signerd listens as configured

  netstat -npla | grep :15354
  tcp  0  0  10.1.1.53:15354  0.0.0.0:*  LISTEN  14482/ods-signerd
  tcp  0  0  127.0.0.1:15354  0.0.0.0:*  LISTEN  14482/ods-signerd
  udp  0  0  10.1.1.53:15354  0.0.0.0:*          14482/ods-signerd
  udp  0  0  127.0.0.1:15354  0.0.0.0:*          14482/ods-signerd
and axfr from bind works as expected

  /usr/local/opendnssec/sbin/ods-signer retransfer example.com
  Zone example.com being re-transfered.

  tail -f opendnssec.log
  ...
  Dec 26 16:32:23 dns ods-signerd: [xfrd] zone example.com request axfr to 127.0.0.1
  Dec 26 16:32:23 dns ods-signerd: [xfrd] zone example.com transfer done [notify acquired 0, serial on disk 1482770644, notify serial 0]

At this point, if --out-type == file, the zone's signed to
/var/opendnssec/signed/example.com, notify mail, containing the new key, is
sent/received correctly via a "<DelegationSignerSubmitCommand>" script, and
we're done.
But, if --out-type == DNS, with additional config

  cat addns.xml
  <Adapter>
    <DNS>
      ...
      <Outbound>
        <ProvideTransfer>
          <Peer>
            <Prefix>10.2.2.53</Prefix>
            <Key>ods-key</Key>
          </Peer>
        </ProvideTransfer>
        <Notify>
          <Remote>
            <Address>10.2.2.53</Address>
            <Port>53</Port>
          </Remote>
        </Notify>
      </Outbound>
    </DNS>
  </Adapter>
signing fails

  tail -f opendnssec.log
  ...
  Dec 26 16:32:26 dns ods-signerd: [notify] unable to send data over udp to 10.2.2.53: sendto() failed (Invalid argument)
  Dec 26 16:32:26 dns ods-signerd: [notify] unable to send notify retry 1 for zone example.com to 10.2.2.53: notify_send_udp() failed
which leads to this bug report

  "error logging for failed ods-signer remote NOTIFY reports only
  "sendto() failed (Invalid argument)", no additional detail"
  https://issues.opendnssec.org/browse/SUPPORT-206

I think 1st order of biz is to fix the "Invalid argument" as in the bug, and
find out what the sendto() error *is* ...
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
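An added diagnostic, not part of the post above and not OpenDNSSEC's own code: on Linux, a UDP socket whose local address is 127.0.0.1 cannot send to a non-loopback destination; the route lookup fails with EINVAL, which is exactly the "sendto() failed (Invalid argument)" string in the log, and the datagram never leaves the host. Whether ods-signerd really sources its NOTIFY from a socket bound to the 127.0.0.1 listener interface is an assumption here, to be confirmed with strace or tcpdump on the signer; the script only shows how to test for that combination. It parses constructed fragments modelled on the conf.xml and addns.xml in the post (wrapper elements and the secret are placeholders), lists every loopback listener address paired with an off-box Notify remote, and then probes the kernel's verdict with a UDP connect(), which performs the same route lookup as sendto() without emitting a packet.

```python
import errno
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the post's conf.xml / addns.xml.
# <Configuration> wrapper and the TSIG secret are placeholders.
CONF_XML = """<Configuration>
  <Signer>
    <Listener>
      <Interface><Address>127.0.0.1</Address><Port>15354</Port></Interface>
      <Interface><Address>10.1.1.53</Address><Port>15354</Port></Interface>
    </Listener>
  </Signer>
</Configuration>"""

ADDNS_XML = """<Adapter>
  <DNS>
    <TSIG><Name>ods-key</Name><Algorithm>hmac-sha256</Algorithm>
          <Secret>PLACEHOLDER</Secret></TSIG>
    <Outbound>
      <ProvideTransfer><Peer><Prefix>10.2.2.53</Prefix><Key>ods-key</Key></Peer></ProvideTransfer>
      <Notify><Remote><Address>10.2.2.53</Address><Port>53</Port></Remote></Notify>
    </Outbound>
  </DNS>
</Adapter>"""


def listener_addresses(conf_xml):
    """Addresses the signer binds its Listener interfaces to."""
    root = ET.fromstring(conf_xml)
    return [e.text.strip() for e in root.findall("./Signer/Listener/Interface/Address")]


def notify_remotes(addns_xml):
    """(address, port) of every Outbound NOTIFY target; port defaults to 53."""
    root = ET.fromstring(addns_xml)
    out = []
    for r in root.findall("./DNS/Outbound/Notify/Remote"):
        out.append((r.findtext("Address").strip(), int(r.findtext("Port", default="53"))))
    return out


def loopback_source_to_offbox(source_ip, dest_ip):
    """True when a packet would carry a loopback source address to a
    non-loopback destination. Linux refuses to route that (EINVAL)."""
    src, dst = ipaddress.ip_address(source_ip), ipaddress.ip_address(dest_ip)
    return src.is_loopback and not dst.is_loopback


def suspect_pairs(conf_xml, addns_xml):
    """Listener/remote combinations that cannot work if the NOTIFY is sent
    from the listener socket (assumption about signerd, see lead-in)."""
    return [(lst, addr, port)
            for lst in listener_addresses(conf_xml)
            for addr, port in notify_remotes(addns_xml)
            if loopback_source_to_offbox(lst, addr)]


def probe(source_ip, dest_ip, dest_port=53):
    """Bind a UDP socket to source_ip and ask the kernel to route it to
    dest_ip:dest_port via connect(). Same route lookup sendto() would do,
    but no datagram is emitted. Returns None on success, else the errno name."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((source_ip, 0))
        s.connect((dest_ip, dest_port))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    for lst, addr, port in suspect_pairs(CONF_XML, ADDNS_XML):
        print(f"listener {lst} -> notify {addr}:{port}: kernel says {probe(lst, addr, port)}")
```

On a Linux host with a route to the remote, the 127.0.0.1 -> 10.2.2.53 pair reports EINVAL while 10.1.1.53 -> 10.2.2.53 reports None, which is the distinction the signer's log line currently hides. If that matches what strace shows for ods-signerd, the fix on the configuration side is to avoid a loopback-only listener for a zone whose Notify remotes are off-box, and on the reporting side it is the extra detail asked for in SUPPORT-206.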