rndc TSIG problem in 9.1.3

Cricket Liu cricket at menandmice.com
Wed Oct 10 19:26:18 UTC 2001


> We have two nameservers (name1 - 10.1.1.1, name2 - 10.1.1.2), one primary
> (name1) and the other secondary (name2), that are both running BIND 9.1.3.
> Following the BIND book, I set up the rndc.conf and rndc.keys files on name1
> and name2 so that rndc can be used from name1 to manage name2 (e.g. rndc -s
> name2 reload).  However, I get the following errors when trying to run rndc
> from name1:
>
> /etc> rndc -s name2 reload
> rndc: operation failed: verify failure (failed to verify signature)
> rndc: reload command failure: verify failure
>
> /etc> rndc -y name2-key -s name2 reload
> rndc: send remote authenticator: permission denied

You're telling rndc to use the key name2-key (either explicitly, with -y, or
using rndc.conf's server statement), but the named.conf file on name2
says:

> +----- Portion of named.conf on name2 (secondary) -----+
> controls {
>         inet * allow { any; } keys { "rndc-key"; };
> };

That is, allow the key named rndc-key.  The key names don't match.

cricket

Men & Mice
DNS Software & Services
www.menandmice.com
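
An added example, not part of the original post and not BIND's own code: a Python check that the key name rndc will send (-y, then the key in rndc.conf's server statement, then default-key) is one that the controls statement on the target accepts. The two config texts are constructed samples modelled on the thread; the secrets and all function names are assumptions of this example.

```python
import re

# Constructed samples modelled on the thread; the secrets are made up.
RNDC_CONF = '''# rndc.conf on name1
options { default-server localhost; default-key "rndc-key"; };
server name2 { key "name2-key"; };
key "rndc-key"  { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQtMQ=="; };
key "name2-key" { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQtMg=="; };
'''
NAMED_CONF_NAME2 = '''// named.conf on name2
key "rndc-key" { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQtMQ=="; };
controls {
        inet * allow { any; } keys { "rndc-key"; };
};
'''

def strip_comments(text):
    """Drop #, // and /* */ comments but leave quoted strings (secrets) intact."""
    pat = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
    return pat.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

def block(text, head):
    """Body of the first `head { ... }` statement, found by brace matching."""
    m = re.search(head + r'\s*\{', text)
    if not m:
        return ''
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def rndc_key(rndc_conf, server, cli_key=None):
    """Key name rndc sends: -y first, then the server statement, then default-key."""
    conf = strip_comments(rndc_conf)
    srv = re.search(r'\bkey\s+"?([^\s";]+)', block(conf, r'\bserver\s+"?%s"?' % re.escape(server)))
    dflt = re.search(r'\bdefault-key\s+"?([^\s";]+)', block(conf, r'\boptions'))
    return cli_key or next((m.group(1) for m in (srv, dflt) if m), None)

def controls_keys(named_conf):
    """Key names named accepts on the control channel (controls ... keys { ... })."""
    body = block(strip_comments(named_conf), r'\bcontrols')
    return {k for lst in re.findall(r'\bkeys\s*\{([^}]*)\}', body)
            for k in re.findall(r'"?([^\s";]+)"?\s*;', lst)}

def check(rndc_conf, named_conf, server, cli_key=None):
    """Empty list when named on `server` accepts the key name rndc will send."""
    name, ok = rndc_key(rndc_conf, server, cli_key), controls_keys(named_conf)
    return [] if name in ok else [f'rndc sends "{name}"; controls accepts {sorted(ok)}']
```

With the sample files, check(RNDC_CONF, NAMED_CONF_NAME2, 'name2') reports that rndc sends "name2-key" while controls on name2 lists only "rndc-key".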



