Hi! I made some tests to transfer zones from PDNS using TSIG. The strange thing is that AXFR + TSIG always works, but querying PDNS using TSIG results in TSIG errors most of the time, e.g.:
I query with:

dig @xx.xx.xx.x www.tld-box.com A -y test:TpCdBiXZ....

successful query:

17:25:25 Query: select algorithm, secret from tsigkeys where name=E'test'
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and type='SOA' and name=E'www.tld-box.com'
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and type='SOA' and name=E'tld-box.com'
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and type='NS' and name=E'www.tld-box.com' and domain_id=219708
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and name=E'www.tld-box.com' and domain_id=219708
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and name=E'*.tld-box.com' and domain_id=219708

failing query:

17:25:32 Query: select algorithm, secret from tsigkeys where name=E'test'
17:25:32 Packet for domain 'www.tld-box.com' denied: TSIG signature mismatch using 'test' and algorithm 'hmac-md5.sig-alg.reg.int.'

I tested with different clients: dig, bind, drill -> same result
I tested with MD5 and SHA256 HMAC -> same result
I tested with self-built PDNS-3.4.8 on Ubuntu 10.4 and PowerDNS' static build of 3.4.8 on Ubuntu 10.4 -> same result
I tested SOA/A queries and AXFR with TSIG: AXFR always works, SOA/A queries mostly fail.

I tested against a self-built PDNS 4.0 (quite old) and there it seems to work.

Any ideas what could be the problem? Was there something related fixed in PDNS 4.0?

Thanks
Klaus
