Package: bind9
Version: 1:9.7.3.dfsg-1~squeeze2
Severity: normal

After upgrade from version 1:9.7.3.dfsg-1~squeeze1 dhcp updates start to fail with syslog messages like:

> Jun 29 09:10:35 xuxa dhcpd: DHCPOFFER on 192.168.37.234 to 64:31:50:64:bd:ad
> (DHCP-POR2) via eth0
> Jun 29 09:10:35 xuxa named[27763]: client 127.0.0.1#51206: request has
> invalid signature: TSIG rndc-key: tsig verify failure (BADSIG)
> Jun 29 09:10:35 xuxa named[27763]: client 138.4.37.12#57189: request has
> invalid signature: TSIG rndc-key: tsig verify failure (BADSIG)
> Jun 29 09:10:35 xuxa dhcpd: Unable to add forward map from
> DHCP-POR2.intranet. to 192.168.37.234: bad DNS signature

even simple rndc status fails as:

> xuxa:~# rndc status
> rndc: connection to remote host closed
> This may indicate that
> * the remote server is using an older version of the command protocol,
> * this host is not authorized to connect,
> * the clocks are not synchronized, or
> * the key is invalid.

Thanks

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages bind9 depends on:
di  adduser           3.112+nmu2               add and remove users and groups
ii  bind9utils        1:9.7.3.dfsg-1~squeeze2  Utilities for BIND
di  debconf [debconf  1.5.36.1                 Debian configuration management sy
ii  libbind9-60       1:9.7.3.dfsg-1~squeeze2  BIND9 Shared Library used by BIND
di  libc6             2.11.2-10                Embedded GNU C Library: Shared lib
di  libcap2           1:2.19-3                 support for getting/setting POSIX.
di  libdb4.8          4.8.30-2                 Berkeley v4.8 Database Libraries [
ii  libdns69          1:9.7.3.dfsg-1~squeeze2  DNS Shared Library used by BIND
ii  libgssapi-krb5-2  1.8.3+dfsg-4squeeze1     MIT Kerberos runtime libraries - k
ii  libisc62          1:9.7.3.dfsg-1~squeeze2  ISC Shared Library used by BIND
ii  libisccc60        1:9.7.3.dfsg-1~squeeze2  Command Channel Library used by BI
ii  libisccfg62       1:9.7.3.dfsg-1~squeeze2  Config File Handling Library used
ii  libldap-2.4-2     2.4.23-7.2               OpenLDAP libraries
ii  liblwres60        1:9.7.3.dfsg-1~squeeze2  Lightweight Resolver Library used
di  libssl0.9.8       0.9.8o-4squeeze1         SSL shared libraries
ii  libxml2           2.7.8.dfsg-2+squeeze1    GNOME XML library
di  lsb-base          3.2-23.2squeeze1         Linux Standard Base 3.2 init scrip
di  net-tools         1.60-23                  The NET-3 networking toolkit
di  netbase           4.45                     Basic TCP/IP networking system

bind9 recommends no packages.

Versions of packages bind9 suggests:
ii  bind9-doc   1:9.7.3.dfsg-1~squeeze2  Documentation for BIND
ii  dnsutils    1:9.7.3.dfsg-1~squeeze2  Clients provided with BIND
di  resolvconf  1.46                     name server information handler
pn  ufw         <none>                   (no description available)

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Other views
zone "gr.ssr.upm.es" {
        type master;
        file "/etc/bind/db.gr.ssr.upm.es";
        check-names warn;
        allow-transfer {upm-nets;};
        notify yes;
};
zone "list.gr.ssr.upm.es" {
        type master;
        file "/etc/bind/db.list.gr.ssr.upm.es";
        check-names warn;
        allow-transfer {upm-nets;};
        notify yes;
};
zone "intranet" {
        type master;
        file "/etc/bind/db.intranet";
        check-names warn;
        //allow-update {138.4.37.12;};
        allow-update {key rndc-key;};
        allow-transfer {our-nets;};
};
zone "wifi" {
        type master;
        file "/etc/bind/db.wifi";
        check-names warn;
        allow-transfer {our-nets;};
        //allow-update {138.4.37.12;};
        allow-update {key rndc-key;};
};
zone "37.4.138.in-addr.arpa" {
        type master;
        file "/etc/bind/db.138.4.37";
        check-names warn;
        allow-transfer {upm-nets;};
        notify yes;
};
zone "37.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.37";
        check-names warn;
        allow-transfer {our-nets;};
        //allow-update {138.4.37.12;};
        allow-update {key rndc-key;};
};
zone "38.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.38";
        check-names warn;
        allow-transfer {our-nets;};
        //allow-update {138.4.37.12;};
        allow-update {key rndc-key;};
};
//1.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.e.f.ip6.arpa
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.c.e.f.ip6.arpa" {
        type master;
        file "/etc/bind/db.ipv6.fce0.0000.0000.0000";
        check-names warn;
        allow-transfer {our-nets;};
        allow-update {key rndc-key;};
};
zone "0.0.0.0.0.0.0.0.1.0.0.0.0.c.e.f.ip6.arpa" {
        type master;
        file "/etc/bind/db.ipv6.fce0.0001.0000.0000";
        check-names warn;
        allow-transfer {our-nets;};
        allow-update {key rndc-key;};
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";

/etc/bind/named.conf.options changed:
acl our-nets { localhost;138.4.37.0/26; 192.168.37/24; 192.168.38.38/24; 138.4.47.43; };
acl upm-nets { localhost;138.4.0.0/16; 138.100.0.0/16; };
include "/etc/bind/rndc.key";
options {
        directory "/var/cache/bind";
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
        // forwarders {
        //      0.0.0.0;
        // };
        auth-nxdomain no;    # conform to RFC1035
        //recursion no;
        allow-recursion {localhost; localnets; 138.4.37.0/25; 192.168.37/24; 192.168.38/24;};
        listen-on-v6 { any; };
};

-- debconf information:
* bind9/different-configuration-file:
* bind9/run-resolvconf: false
* bind9/start-as-user: bind
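
Added example, not part of the original report: a triage of the syslog lines quoted above that counts named's TSIG verify failures per key and client and pairs them with the dhcpd update that failed. The function name triage and the "more than one client" heuristic are assumptions of this example; SAMPLE_LOG is constructed from the report's own lines with the mail wrapping undone.

```python
import re
from collections import Counter

# Constructed sample: the four syslog lines quoted in the report, unwrapped.
SAMPLE_LOG = """\
Jun 29 09:10:35 xuxa dhcpd: DHCPOFFER on 192.168.37.234 to 64:31:50:64:bd:ad (DHCP-POR2) via eth0
Jun 29 09:10:35 xuxa named[27763]: client 127.0.0.1#51206: request has invalid signature: TSIG rndc-key: tsig verify failure (BADSIG)
Jun 29 09:10:35 xuxa named[27763]: client 138.4.37.12#57189: request has invalid signature: TSIG rndc-key: tsig verify failure (BADSIG)
Jun 29 09:10:35 xuxa dhcpd: Unable to add forward map from DHCP-POR2.intranet. to 192.168.37.234: bad DNS signature
"""

# named's TSIG rejection line, in the form shown in the report.
TSIG_FAIL = re.compile(
    r"named\[\d+\]: client (?P<ip>[^#\s]+)#\d+: "
    r"request has invalid signature: TSIG (?P<key>\S+): "
    r"tsig verify failure \((?P<rcode>\w+)\)"
)
# dhcpd's failed forward-map update, in the form shown in the report.
DDNS_FAIL = re.compile(
    r"dhcpd: Unable to add forward map from (?P<name>\S+) "
    r"to (?P<addr>\S+): (?P<reason>.+)$"
)

def triage(log_text):
    """Return (Counter of (key, client IP) failures, failed DDNS updates,
    keys rejected from more than one client)."""
    per_client = Counter()
    ddns = []
    for line in log_text.splitlines():
        m = TSIG_FAIL.search(line)
        if m:
            per_client[(m["key"], m["ip"])] += 1
            continue
        m = DDNS_FAIL.search(line)
        if m:
            ddns.append((m["name"], m["addr"], m["reason"]))
    clients_by_key = {}
    for key, ip in per_client:
        clients_by_key.setdefault(key, set()).add(ip)
    # Heuristic (assumption): a key rejected from several clients, loopback
    # included, points at the server side rather than one client's key copy.
    widespread = sorted(k for k, ips in clients_by_key.items() if len(ips) > 1)
    return per_client, ddns, widespread

if __name__ == "__main__":
    failures, ddns, widespread = triage(SAMPLE_LOG)
    for (key, ip), n in sorted(failures.items()):
        print(f"{key} rejected {n}x from {ip}")
    print("failed updates:", ddns)
    print("keys failing from multiple clients:", widespread)
```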