Problem using nsupdate with DNSSEC
Mark.Andrews at nominum.com
Mark.Andrews at nominum.com
Wed Oct 4 20:35:41 UTC 2000
Try BIND 8.2.3.
Mark
968. [bug] TSIGs failed to verify if the key name was compressed.
>
> Hi List!
>
> I have problems using DNSSEC with bind 8.2.2 (I know this is not the recent v
> ersion
> but DNSSEC should be running in already). Here is my /etc/named.conf:
>
> -- CUT HERE --
> trusted-keys {
> jakob.dynip.x-serv.de 257 3 157 "c2bFsI9njRZCTCmc/Wuv9IXkOKdhx+D7jzzn1JLh
> I9U";
> };
>
> zone "jakob.dynip.x-serv.de" IN {
> type master;
> file "jakob.dynip.x-serv.de";
> check-names fail;
> allow-update { any; };
> };
> -- CUT HERE --
>
> The update with nsupdate using not signed requests works:
>
> test2.jakob.dynip.x-serv.de. 1M IN A 234.234.234.234
> ;; Querying server (# 1) address = 194.97.54.250
> ;; got answer:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 6559
> ;; flags: qr ra; ZONE: 0, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 0
>
> Using signed requests fails:
>
> nsupdate -d -k /var/named:jakob.dynip.x-serv.de. << EOF
> update add test3.jakob.dynip.x-serv.de 60 A 234.234.234.234
>
> EOF
>
> ;; got answer:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 47204
> ;; flags: qr ra; ZONE: 1, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 1
> ;; jakob.dynip.x-serv.de, type = SOA, class = IN
> . 0S ANY TSIG . 17
>
> You can play with that zone, the key above is correct (will be changed if it
> works).
>
>
> Thanks
>
> Leif Jakob
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
More information about the bind-users
mailing list