TSIG verify failure
Hi list,

I'm trying to use BIND 9.3.4 as a slave server for a couple of my zones. The primary name server is running NSD. Both are running NTPD.

Master has an external IP address (MAS.TER.MAS.TER), while slave server has an RFC1918 address (192.168.1.153) and the leading firewall redirects UDP/TCP packets to SLA.VE.SLA.VE:53 to it.

AXFR fails invariably with the following error: tsig verify failure. Do, by chance, TSIG packets use IP address during encryption? I've been struggling to understand the problem for maybe 8 hours, but I'm clueless now... Any help would be welcome.

The configuration of the master server, running NSD, is straightforward:

% key:
%     name: master-slave.
%     algorithm: hmac-md5
%     secret: ABCDEFGHIJKLMNOPQRSTUV==
% zone:
%     name: le-hen.org
%     zonefile: le-hen.org.zone
%     notify: SLA.VE.SLA.VE master-slave.
%     provide-xfr: SLA.VE.SLA.VE master-slave.

The slave BIND relevant configuration is:

% key master-slave. {
%     algorithm hmac-md5;
%     secret: ABCDEFGHIJKLMNOPQRSTUV==;
% };
% server MAS.TER.MAS.TER {
%     keys { master-slave. };
% };
% view external {
%     [...]
%
%     zone le-hen.org {
%         type slave;
%         masters { MAS.TER.MAS.TER; };
%         file /var/db/named/le-hen.org.bak;
%         allow-transfer { none; };
%     };
% };

BIND log (sorry if the line wraps):

% Feb 28 09:54:25 slave named[37517]: notify: info: client MAS.TER.MAS.TER#54434: view external: received notify for zone 'le-hen.org': TSIG 'master-slave'
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: zone le-hen.org/IN/external: zone transfer deferred due to quota
% Feb 28 09:54:26 slave named[37517]: general: info: zone le-hen.org/IN/external: Transfer started.
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: connected using 192.168.1.153#53780
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: requesting IXFR for serial 2009021700
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request length prefix
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request data
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 7: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: received 188 bytes
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: got NOTIMP, retrying with AXFR
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: resetting
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: connected using 192.168.1.153#55660
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request length prefix
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request data
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 7: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: received 263 bytes
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request length prefix
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request data
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 7: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: received 707 bytes
% Feb 28 09:54:27 slave named[37517]: dnssec: debug 2: tsig key 'master-slave': signature failed to verify
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: TSIG check failed: tsig verify failure
% Feb 28 09:54:27 slave named[37517]: xfer-in: error: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: failed while receiving responses: tsig verify failure
% Feb 28 09:54:27 slave named[37517]: general: debug 1: zone le-hen.org/IN/external: zone transfer finished: tsig verify failure
% Feb 28 09:54:27 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: end of transfer

Thanks.
Best regards,
--
Jeremie Le Hen
jeremie at le-hen dot org
ttz at chchile dot org

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How do i use å ä ö in domain names?
While we are at äöü there is an error in your mail:

Vorstande:
^ The dots are missing
Reinhold Schulte (Vorsitzender), Dr. Karl-Josef Bierth, Michael Johnigk, Ulrich Leitermann, Michael Petmecky, Dr. Klaus Sticker,
Vorsitzender der Aufsichtsrate: Gunter Kutz
^ The dots are missing
SIGNAL IDUNA Gruppe Hauptverwaltungen, Internet: www.signal-iduna.de, E-Mail: i...@signal-iduna.de
44121 Dortmund, Hausanschrift: Joseph-Scherer-Str. 3, 44139 Dortmund, Telefon: (02 31) 1 35-0, Telefax: (02 31) 1 35-46 38
20351 Hamburg, Hausanschrift: Neue Rabenstra?e 15-19, 20354 Hamburg,
^ This should be sharp...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ http://www.can4linux.org/
Michelle Konzack Apt. 917 ICQ #328449886 +49/177/935194750, rue de Soultz MSN LinuxMichi +33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)

Re: TSIG verify failure
On 28-Feb-2009, at 04:11, Jeremie Le Hen wrote:

> AXFR fails invariably with the following error: tsig verify failure.
> Do, by chance, TSIG packets use IP address during encryption?
> I've been struggling to understand the problem for maybe 8 hours, but
> I'm clueless now... Any help would be welcome.

Check the clocks on your two machines, as they need to be in sync; the signatures are time-dependent.
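
An added example, not part of the original thread and not BIND or NSD code: a sketch of which inputs a TSIG MAC covers under RFC 2845 (the message bytes plus the key name, algorithm name, time signed and fudge) and the time-window check the reply above refers to. It is narrowed to a single signed message, leaving out the request-MAC chaining used across AXFR responses; the secret, message bytes and timestamps are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ALG = "hmac-md5.sig-alg.reg.int."  # TSIG algorithm name for hmac-md5 (RFC 2845)

def wire_name(name):
    # DNS wire format of a name, lowercased (canonical form used in the digest)
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    # RFC 2845 section 3.4.2: key name, CLASS=ANY (255), TTL=0, algorithm name,
    # 48-bit time signed, fudge, error, other len, other data.
    # No source or destination address appears anywhere in this input.
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(ALG)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)

def sign(secret, message, key_name, time_signed, fudge=300):
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()

def verify(secret, message, key_name, time_signed, fudge, mac, now):
    # Order follows RFC 2845 section 4.5: MAC check first, then time check.
    expected = sign(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

def demo():
    secret = b"constructed-demo-secret"      # constructed, not the thread's key
    msg = b"\x12\x34" + b"\x00" * 10         # constructed 12-byte DNS header
    t = 1235814866                           # constructed time signed
    mac = sign(secret, msg, "master-slave.", t)
    return (verify(secret, msg, "master-slave.", t, 300, mac, now=t + 10),
            verify(secret, msg, "master-slave.", t, 300, mac, now=t + 3600),
            verify(b"other-secret", msg, "master-slave.", t, 300, mac, now=t + 10))

if __name__ == "__main__":
    print(demo())
```
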