Problem using nsupdate with DNSSEC

Mark.Andrews at nominum.com
Wed Oct 4 20:35:41 UTC 2000


	Try BIND 8.2.3.

	Mark

 968.   [bug]           TSIGs failed to verify if the key name was compressed.

> 
> Hi List!
> 
> I have problems using DNSSEC with bind 8.2.2 (I know this is not the recent
> version but DNSSEC should be running in already). Here is my /etc/named.conf:
> 
> -- CUT HERE --
> trusted-keys {
>     jakob.dynip.x-serv.de 257 3 157 "c2bFsI9njRZCTCmc/Wuv9IXkOKdhx+D7jzzn1JLhI9U";
> };
> 
> zone "jakob.dynip.x-serv.de" IN {
>     type master;
>     file "jakob.dynip.x-serv.de";
>     check-names fail;
>     allow-update { any; };
> };
> -- CUT HERE --
> 
> The update with nsupdate using unsigned requests works:
> 
> test2.jakob.dynip.x-serv.de.  1M IN A  234.234.234.234
> ;; Querying server (# 1) address = 194.97.54.250
> ;; got answer:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 6559
> ;; flags: qr ra; ZONE: 0, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 0
> 
> Using signed requests fails:
> 
> nsupdate -d -k /var/named:jakob.dynip.x-serv.de. << EOF
> update add test3.jakob.dynip.x-serv.de 60 A 234.234.234.234
> 
> EOF
> 
> ;; got answer:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 47204
> ;; flags: qr ra; ZONE: 1, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 1
> ;;      jakob.dynip.x-serv.de, type = SOA, class = IN
> .                       0S ANY TSIG     . 17
> 
> You can play with that zone, the key above is correct (will be changed if it 
> works).
> 
> 
> Thanks
> 
> Leif Jakob
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
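
Added illustration, not part of the original message and not BIND's code: RFC 2845 computes the TSIG MAC over the key name in canonical (uncompressed, lower-case) wire form, so a verifier has to expand a compressed owner name before digesting it. In the quoted nsupdate call the key name equals the zone name, so an encoder can write the TSIG owner name as a pointer to the zone section. How 8.2.2 actually mishandled this is not stated here; the key, message bytes and timestamp below are constructed.

```python
import hashlib, hmac, struct

def encode_name(name):
    """Canonical wire form: uncompressed, lower-case labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Expand a (possibly compressed) name at msg[off]; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def tsig_mac(key, msg, name_bytes, when, fudge=300):
    """HMAC-MD5 over the message plus the RFC 2845 TSIG variables."""
    variables = (name_bytes + struct.pack("!HI", 255, 0)      # CLASS ANY, TTL 0
                 + encode_name("HMAC-MD5.SIG-ALG.REG.INT.")
                 + struct.pack("!HIHHH", when >> 32, when & 0xFFFFFFFF, fudge, 0, 0))
    return hmac.new(key, msg + variables, hashlib.md5).digest()

# Constructed sample: UPDATE header + zone section. The two bytes appended in
# WIRE are only the TSIG owner name, a pointer (0xC00C) to the zone name at offset 12.
KEY = b"constructed-demo-key"          # not the key from the post
ZONE = "jakob.dynip.x-serv.de."
MSG = struct.pack("!6H", 0x1234, 0x2800, 1, 0, 0, 0) + encode_name(ZONE) + struct.pack("!HH", 6, 1)
WIRE = MSG + b"\xc0\x0c"
WHEN = 970691741                        # constructed timestamp

def verify_both_ways():
    sent = tsig_mac(KEY, MSG, encode_name(ZONE), WHEN)        # signer: canonical name
    owner, _ = read_name(WIRE, len(MSG))
    expanded = tsig_mac(KEY, MSG, encode_name(owner), WHEN)   # expand, then digest
    raw = tsig_mac(KEY, MSG, WIRE[len(MSG):], WHEN)           # digest the 2 pointer bytes
    return hmac.compare_digest(sent, expanded), hmac.compare_digest(sent, raw)

if __name__ == "__main__":
    print(verify_both_ways())
```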


