tsig dst_buffer_to_key failed in new_key_info

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 25 22:34:30 UTC 2001


Ole Michaelsen wrote:

> Hi,
>
> I'm trying to make tsig work on a bind-8.2.2p5 (Solaris 8)
> name server, following the page
> 'http://www.nominum.com/resources/faqs/bind-faqs.html#tsig2'.
>
> I have created the keys, and added the line
>
> key tsig-key. { algorithm hmac-md5; secret "hQyo6wFduerIKkeXSSFywStFQ=="; };
>
> and later
>
> zone "npp.my-network.dk" in {
>     type master;
>     file "zone/master/npp.db";
>
>     allow-query {
>         any;
>     };
>     allow-update { key tsig-key.; };
> };
>
> When I reload the name server it complains
>
> Oct 25 18:32:48 io sudo: [ID 850335 local2.notice]    olmic : TTY=pts/1 ; PWD=/bind/var/named ; USER=root ; COMMAND=/usr/bin/kill -1 9137
> Oct 25 16:32:48 io named[9137]: [ID 295310 daemon.notice] reloading nameserver
> Oct 25 16:32:48 io named[9137]: [ID 295310 daemon.warning] dst_buffer_to_key failed in new_key_info
> Oct 25 16:32:48 io named[9137]: [ID 295310 daemon.error] /usr/local/etc/named.conf:220: key "tsig-key" not found
> Oct 25 16:32:48 io named[9137]: [ID 295310 daemon.info] forwarding source address is [172.16.3.183].0
> Oct 25 16:32:48 io named[9137]: [ID 295310 daemon.notice] Ready to answer queries.
>
> What do I do wrong?

Are you sure you reproduced the *exact* text of your named.conf? The error
message indicates a mismatch in key names between "tsig-key." (with a period) and
"tsig-key" (without a period). Double-check that.

> The names of the files created with dnskeygen are
> Ktsig-key.+157+00000.key and Ktsig-key.+157+00000.private, and they
> exist in /usr/local/etc/named.conf - should they be renamed, or placed
> elsewhere?

I'm not sure what you mean by the files "exist[ing] in
/usr/local/etc/named.conf". How can one file exist in another? Or is
/usr/local/etc/named.conf a directory on your machine? That's rather confusing.

In any case, where you put the key files doesn't really have any bearing on the
problem above, which is purely a named.conf parsing issue. Named doesn't use the
key files -- only clients do.

>
>
> Another thing: the manuals mention the use of tsig in allow-update, can I
> also use them in allow-query? Only a very limited number of hosts are
> supposed to access this name server - I would like them to be authenticated
> via tsig also...

I'm fairly sure that this is supported in BIND 8. If not in BIND 8, almost
certainly it is supported in BIND 9.

But, what system resolvers are *capable* of TSIG-signing queries or verifying
signatures on responses? I think you're going to have bigger challenges trying to
implement this on the client side than on the server.


- Kevin
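As an added example (not part of the thread, and not code from ISC or the poster), here is a small stand-alone checker for the two things this exchange turns on: that the `key` statement's secret is well-formed base64, and that every `key NAME;` reference in an address-match list such as `allow-update` names a `key` statement exactly, which is the mismatch Kevin asks about. It assumes `dst_buffer_to_key` is the step that turns the decoded secret into a key object, so an unusable secret is one candidate cause worth ruling out before the name question; which of the decode or the key build logs this particular message is not something the thread settles. Run on the statements quoted above, it flags the quoted secret's length (27 characters is not a multiple of four); whether that is the real file's content or an artifact of how the post was transcribed, the thread does not say. The sample named.conf text is constructed from the post; only the standard library is used.

```python
import base64
import binascii
import re

# Constructed sample: the key and zone statements as quoted in the post,
# secret copied verbatim from the post (assumed to be what the file holds;
# not verified against the poster's real named.conf).
SAMPLE_NAMED_CONF = """
key tsig-key. { algorithm hmac-md5; secret "hQyo6wFduerIKkeXSSFywStFQ=="; };

zone "npp.my-network.dk" in {
    type master;
    file "zone/master/npp.db";
    allow-query { any; };
    allow-update { key tsig-key.; };
};
"""

# A key *statement*:  key NAME { ... };   (NAME optionally quoted)
KEY_STMT_RE = re.compile(r'\bkey\s+("?)([^\s"{]+)\1\s*\{(.*?)\};', re.S)
ALGORITHM_RE = re.compile(r'\balgorithm\s+([^\s;]+)')
SECRET_RE = re.compile(r'\bsecret\s+"([^"]*)"')
# A key *reference* inside an address-match list:  key NAME;
KEY_REF_RE = re.compile(r'\bkey\s+("?)([^\s";{}]+)\1\s*;')


def check_secret(secret):
    """Return None if the secret is well-formed base64, else a reason string."""
    if len(secret) % 4:
        return f"length {len(secret)} is not a multiple of 4"
    try:
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        return f"is not valid base64 ({exc})"
    if not raw:
        return "decodes to zero bytes"
    return None


def normalize(name):
    """Key-name comparison that ignores case and a trailing dot."""
    return name.lower().rstrip(".")


def audit_tsig_config(text):
    """Return a list of human-readable problems found in named.conf text."""
    problems = []
    defined = {}  # exact statement name -> normalized name
    for m in KEY_STMT_RE.finditer(text):
        name, body = m.group(2), m.group(3)
        alg = ALGORITHM_RE.search(body)
        # BIND 8 TSIG supports HMAC-MD5 only.
        if alg is None or alg.group(1).lower() != "hmac-md5":
            problems.append(f'key "{name}": algorithm must be hmac-md5')
        sec = SECRET_RE.search(body)
        if sec is None:
            problems.append(f'key "{name}": no secret')
        else:
            why = check_secret(sec.group(1))
            if why:
                problems.append(f'key "{name}": secret {why}')
        defined[name] = normalize(name)

    by_norm = {norm: name for name, norm in defined.items()}
    for m in KEY_REF_RE.finditer(text):
        ref = m.group(2)
        if ref in defined:  # exact match: nothing to report
            continue
        near = by_norm.get(normalize(ref))
        if near is not None:
            problems.append(f'key reference "{ref}" differs from key statement '
                            f'"{near}" only by trailing dot or case')
        else:
            problems.append(f'key reference "{ref}" has no matching key statement')
    return problems


if __name__ == "__main__":
    for line in audit_tsig_config(SAMPLE_NAMED_CONF) or ["no problems found"]:
        print(line)
```

The exact-match test comes first on purpose: a reference that matches a statement only after stripping the dot is reported separately from one that matches nothing, so the output tells you whether you are looking at a punctuation slip or a missing statement. The regexes cover the statement shapes shown in the post, not the full named.conf grammar.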
