FAQ question regarding TSIG (bind9)

Kevin Darcy kcd at daimlerchrysler.com
Fri Oct 13 22:13:51 UTC 2000


Sorry, I've never actually used TSIG-enabled Dynamic Update with BIND 9. Perhaps someone
who has would be better qualified to comment...

If you crank up your logging on the server, does it tell you anything more useful than just
"signature verification failed"?


- Kevin

Tor Houghton wrote:

> Kevin Darcy <kcd at daimlerchrysler.com> wrote:
>
> > 1. How did you generate the key? Did you use
>
> > dnskeygen -H 128 -h -n leetah.dyn.bogus.net.
>
> > or something else? (At least, that works for BIND 8; I assume it hasn't changed for
> > BIND 9).
>
> It has changed slightly for BIND9, in that now you do (AFAIAA):
>
> /usr/local/sbin/dnssec-keygen -a HMAC-MD5 -b 128 -n HOST leetah.dyn.bogus.net
>
> I also tried "ZONE" instead of "HOST".
>
> > 2. Have you tried the "-k" option with nsupdate instead of "-y" (specifying the key
> > file)? Does that work? Note that the "-y" option is discouraged because it exposes the
> > key on the command line.
>
> Yes; I've tried both, but no luck; I get the same error message.
>
> There aren't any permission checks (like in SSH) that I am unaware of?
>
> Tor





