rndc TSIG problem in 9.1.3

Cricket Liu cricket at menandmice.com
Wed Oct 10 19:26:18 UTC 2001

> We have two nameservers (name1 -, name2 -, one primary
> (name1) and the other secondary (name2), that are both running BIND 9.1.3.
> Following the BIND book, I set up the rndc.conf and rndc.keys files on
> and name2 so that rndc can be used from name1 to manage name2 (e.g. rndc -s
> name2 reload).  However, I get the following errors when trying to run
> from name1:
> /etc> rndc -s name2 reload
> rndc: operation failed: verify failure (failed to verify signature)
> rndc: reload command failure: verify failure
> /etc> rndc -y name2-key -s name2 reload
> rndc: send remote authenticator: permission denied

You're telling rndc to use the key name2-key (either explicitly, with -y, or
using rndc.conf's server statement), but the named.conf file on name2

> +-----------------------  Portion of named.conf on name2 (secondary) -------------------------+
> controls {
>         inet * allow { any; } keys { "rndc-key"; };
> };

That is, allow the key named rndc-key.  The key names don't match.


Men & Mice
DNS Software & Services
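
The key-name mismatch diagnosed in the reply above can be checked mechanically. The following is an added example, not part of the original post and not BIND code: it compares the key name rndc would pick (-y, then the server statement, then default-key) with the names listed in the controls statement. The sample configs are constructed, the rndc.conf contents are an assumption because the post does not show them, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the thread (name1's rndc.conf is assumed; secrets are placeholders).
NAMED_CONF_NAME2 = '''
key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER"; };
controls {
        inet * allow { any; } keys { "rndc-key"; };  // as quoted in the post
};
'''
RNDC_CONF_NAME1 = '''
key "rndc-key"  { algorithm hmac-md5; secret "PLACEHOLDER"; };
key "name2-key" { algorithm hmac-md5; secret "PLACEHOLDER"; };
options { default-server localhost; default-key "rndc-key"; };
server name2 { key "name2-key"; };
'''
NAME = r'"?([^";\s]+)"?\s*;'   # an optionally quoted key name followed by ';'

def strip_comments(text):
    """Drop /* */, // and # comments while leaving quoted strings untouched."""
    pat = r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    return re.sub(pat, lambda m: m.group(0) if m.group(0)[0] == '"' else '', text, flags=re.S)

def block_body(text, start):
    """Body of the brace-balanced block that opens at the first '{' after start."""
    i, depth = text.index('{', start), 0
    for j in range(i, len(text)):
        depth += {'{': 1, '}': -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    raise ValueError('unbalanced braces')

def controls_keys(named_conf):
    """Key names that named's controls statement accepts on the control channel."""
    text, names = strip_comments(named_conf), set()
    for m in re.finditer(r'\bcontrols\b', text):
        for keys in re.findall(r'\bkeys\s*\{([^}]*)\}', block_body(text, m.end())):
            names.update(k.strip().strip('"') for k in keys.split(';') if k.strip())
    return names

def rndc_key_for(rndc_conf, server, y_option=None):
    """Key name rndc signs with: -y, else the server statement, else default-key."""
    text = strip_comments(rndc_conf)
    srv = r'(?<![-\w])server\s+"?' + re.escape(server) + r'"?\s*\{[^}]*?\bkey\s+' + NAME
    m = re.search(srv, text) or re.search(r'\bdefault-key\s+' + NAME, text)
    return y_option or (m.group(1) if m else None)

def check(named_conf, rndc_conf, server, y_option=None):  # -> (used, allowed, match)
    used, allowed = rndc_key_for(rndc_conf, server, y_option), controls_keys(named_conf)
    return used, allowed, used in allowed
```

For the samples, check(NAMED_CONF_NAME2, RNDC_CONF_NAME1, 'name2') returns ('name2-key', {'rndc-key'}, False), which is the mismatch described in the reply. The check compares names only; the key's algorithm and secret must also be identical on both hosts.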
