bind and tsig

Cricket Liu cricket at menandmice.com
Thu Sep 26 05:45:34 UTC 2002


> I am trying to securitize my zone transfers with tsig. I'm using bind
> 8.3.3
>
> I've followed the instructions in the latest edition of the O'Reilly DNS
> and Bind book.
>
> But when a transfer is attempted.. I find in the log file:
> named-xfer: TSIG verification from server [xxx.xxx.xxx.xxx] zone JOE.BLOW.COM : BADSIG (-16)
>
> Doesn't sound good, but I have no idea what it means.
> I created the tsig key using:
> dnskeygen -H 129 -h -n xxx.xxx.xxx.
>
> On the master and slave I placed
> key xxx.xxx.xxx. {
> algorithm hmac-md5;
> secret "key";
> };
>
> On the slave I added:
> server xxx.xxx.xxx.xxx {
>  keys { xxx.xxx.xxx.;};
> }
>
> In the zone options on the master I added:
> allow-transfer {xxx.xxx.xxx.;};
>
> After making these additions, I restarted both the master and slave name
> servers, and then received the log errors described above..

Are the clocks on the master and slave synched?  Are the key statements
exactly the same?  Does the name of the key match on both master and
slave?

cricket

Men & Mice
DNS Software, Training and Consulting
www.menandmice.com

The DNS and BIND Cookbook, coming October 2002!
http://www.oreilly.com/catalog/dnsbindckbk/
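
The three checks asked about in the reply above (clocks, identical key statements, matching key name) can be automated. The following is an added example, not part of the original thread and not BIND code: the key name, secret and function names are hypothetical, the configuration text is constructed, and the 300-second window assumes the fudge value recommended by RFC 2845.

```python
import base64
import binascii
import re

# Matches a named.conf statement: key NAME { algorithm ALG; secret "B64"; };
KEY_RE = re.compile(
    r'key\s+"?([^\s"{]+)"?\s*\{\s*'
    r'algorithm\s+"?([^\s";]+)"?\s*;\s*'
    r'secret\s+"([^"]*)"\s*;\s*\}\s*;',
    re.IGNORECASE)
FUDGE_SECONDS = 300  # assumption: fudge value recommended by RFC 2845
# Constructed sample configuration (hypothetical key name and secret).
MASTER_CONF = '''key xfer-key.example. {
    algorithm hmac-md5;
    secret "Y29uc3RydWN0ZWQtc2VjcmV0";
};'''
SLAVE_CONF = MASTER_CONF.replace("cmV0", "cmV1")  # secret off by one character


def parse_keys(conf):
    """Return {key name: (algorithm, secret bytes or None)} from named.conf text."""
    keys = {}
    for name, alg, secret in KEY_RE.findall(conf):
        try:
            raw = base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            raw = None  # secret is not valid base64
        # Key names are domain names: compare lowercased, without trailing dot.
        keys[name.lower().rstrip(".")] = (alg.lower(), raw)
    return keys


def check_tsig(master_conf, slave_conf, master_clock, slave_clock):
    """List mismatches between two servers; clocks are epoch seconds."""
    problems = []
    master, slave = parse_keys(master_conf), parse_keys(slave_conf)
    for name in sorted(set(master) | set(slave)):
        if name not in master or name not in slave:
            problems.append(f"key {name}: defined on only one server")
            continue
        (m_alg, m_sec), (s_alg, s_sec) = master[name], slave[name]
        if m_alg != s_alg:
            problems.append(f"key {name}: algorithm differs")
        if m_sec is None or s_sec is None:
            problems.append(f"key {name}: secret is not valid base64")
        elif m_sec != s_sec:
            problems.append(f"key {name}: secret differs")
    if abs(master_clock - slave_clock) > FUDGE_SECONDS:
        problems.append("clock skew exceeds fudge")
    return problems
```

Run it against copies of both named.conf files and the output of `date +%s` from each server; the script reports only whether secrets differ and never prints them.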