TSIG verify failure

2009-02-28 Thread Jeremie Le Hen
Hi list,

I'm trying to use BIND 9.3.4 as a slave server for a couple of my zones.
The primary name server is running NSD.  Both are running NTPD.

Master has an external IP address (MAS.TER.MAS.TER), while slave
server has an RFC1918 address (192.168.1.153) and the leading firewall
redirects UDP/TCP packets to SLA.VE.SLA.VE:53 to it.

AXFR fails invariably with the following error: tsig verify failure.
Do, by chance, TSIG packets use IP address during encryption?
I've been struggling to understand the problem for maybe 8 hours, but
I'm clueless now...  Any help would be welcome.

The configuration of the master server, running NSD, is straightforward:
% key:
%   name: master-slave.
%   algorithm: hmac-md5
%   secret: ABCDEFGHIJKLMNOPQRSTUV==
% zone:
%   name: le-hen.org
%   zonefile: le-hen.org.zone
%   notify: SLA.VE.SLA.VE master-slave.
%   provide-xfr: SLA.VE.SLA.VE master-slave.


The slave BIND relevant configuration is:
% key master-slave. {
%   algorithm hmac-md5;
%   secret "ABCDEFGHIJKLMNOPQRSTUV==";
% };
% server MAS.TER.MAS.TER {
%   keys { master-slave. };
% };
% view external {
%   [...]
% 
%   zone le-hen.org {
%   type slave;
%   masters { MAS.TER.MAS.TER; };
%   file /var/db/named/le-hen.org.bak;
%   allow-transfer { none; };
%   };
% };

BIND log (sorry if the line wraps):

% Feb 28 09:54:25 slave named[37517]: notify: info: client MAS.TER.MAS.TER#54434: view external: received notify for zone 'le-hen.org': TSIG 'master-slave'
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: zone le-hen.org/IN/external: zone transfer deferred due to quota
% Feb 28 09:54:26 slave named[37517]: general: info: zone le-hen.org/IN/external: Transfer started.
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: connected using 192.168.1.153#53780
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: requesting IXFR for serial 2009021700
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request length prefix
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request data
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 7: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: received 188 bytes
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: got NOTIMP, retrying with AXFR
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: resetting
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: connected using 192.168.1.153#55660
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request length prefix
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request data
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 7: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: received 263 bytes
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request length prefix
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request data
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 7: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: received 707 bytes
% Feb 28 09:54:27 slave named[37517]: dnssec: debug 2: tsig key 'master-slave': signature failed to verify
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: TSIG check failed: tsig verify failure
% Feb 28 09:54:27 slave named[37517]: xfer-in: error: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: failed while receiving responses: tsig verify failure
% Feb 28 09:54:27 slave named[37517]: general: debug 1: zone le-hen.org/IN/external: zone transfer finished: tsig verify failure
% Feb 28 09:54:27 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: end of transfer


Thanks.
Best regards,
-- 
Jeremie Le Hen
 jeremie at le-hen dot org  ttz at chchile dot org 
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How do i use å ä ö in domain names?

2009-02-28 Thread Michelle Konzack
While we are at äöü there is an error in your mail:

 Vorstande:
   ^
   The dots are missing

 Reinhold Schulte (Vorsitzender), Dr. Karl-Josef Bierth, Michael Johnigk,
 Ulrich Leitermann, Michael Petmecky, Dr. Klaus Sticker, Vorsitzender der
 Aufsichtsrate: Gunter Kutz
^
   The dots are missing


 SIGNAL IDUNA Gruppe Hauptverwaltungen, Internet: www.signal-iduna.de,
 E-Mail: i...@signal-iduna.de

 44121 Dortmund, Hausanschrift: Joseph-Scherer-Str. 3, 44139 Dortmund,
 Telefon: (02 31) 1 35-0, Telefax: (02 31) 1 35-46 38

 20351 Hamburg, Hausanschrift: Neue Rabenstra?e 15-19, 20354 Hamburg,
  ^
This should be sharp...


Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/   http://www.can4linux.org/
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)



Re: TSIG verify failure

2009-02-28 Thread Matthew Pounsett


On 28-Feb-2009, at 04:11, Jeremie Le Hen wrote:


> AXFR fails invariably with the following error: tsig verify failure.
> Do, by chance, TSIG packets use IP address during encryption?
> I've been struggling to understand the problem for maybe 8 hours, but
> I'm clueless now...  Any help would be welcome.


Check the clocks on your two machines, as they need to be in sync; the  
signatures are time-dependent. 
 


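
The question in this thread is whether IP addresses enter the TSIG computation, and the reply points at time dependence. As an added illustration (not part of the thread, and not BIND's or NSD's code), this sketch computes the RFC 2845 MAC for a single request and runs the receiver's MAC and time-window checks, so the inputs are visible: message bytes, key name, algorithm name, time signed and fudge, with no address or port. The message ID, the timestamp and the 300-second fudge are constructed values; the secret is the placeholder from the post.

```python
import hashlib
import hmac
import struct
from base64 import b64decode

ALGORITHM = "HMAC-MD5.SIG-ALG.REG.INT"  # wire name of hmac-md5

def wire_name(name: str) -> bytes:
    """Domain name in DNS wire format, lower-cased (canonical form)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def axfr_query(zone: str, msg_id: int) -> bytes:
    """Constructed AXFR question (QTYPE 252, class IN), before the TSIG RR is added."""
    header = struct.pack("!6H", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(secret: bytes, message: bytes, key_name: str,
             time_signed: int, fudge: int) -> bytes:
    """HMAC over the message plus the TSIG variables; no IP address is an input."""
    tsig_vars = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)                 # CLASS ANY, TTL 0
        + wire_name(ALGORITHM)
        + struct.pack("!HIH", time_signed >> 32,     # 48-bit time signed
                      time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!HH", 0, 0)                   # error, other len
    )
    return hmac.new(secret, message + tsig_vars, hashlib.md5).digest()

def tsig_check(secret, message, key_name, time_signed, fudge, mac, now) -> str:
    """Receiver side: MAC first, then the time window (the order RFC 8945 uses)."""
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

SECRET = b64decode("ABCDEFGHIJKLMNOPQRSTUV==")  # placeholder secret from the post
T0 = 1235814866                                  # constructed signing time
QUERY = axfr_query("le-hen.org", 0x1234)         # constructed message
MAC = tsig_mac(SECRET, QUERY, "master-slave.", T0, 300)

if __name__ == "__main__":
    args = (QUERY, "master-slave.", T0, 300, MAC)
    print(tsig_check(SECRET, *args, now=T0 + 10))            # clocks close
    print(tsig_check(SECRET, *args, now=T0 + 301))           # skew beyond fudge
    print(tsig_check(b"wrong-secret", *args, now=T0 + 10))   # key mismatch
```

Responses, and the later messages of a multi-message AXFR stream, also fold the previous MAC into the digest; this sketch leaves that out.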