TSIG help

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 23 18:20:10 UTC 2004


J.D. Bronson wrote:

>Hmm. I need help getting more debug out of bind 9.3.0rc1...
>
>I have TSIG working on 2 of 3 machines and it works fine in both 
>directions. However, these 2 are on the same side of 1 router, so they 
>never pass THROUGH this Cisco router.
>
>The 3rd machine is off site and I can TSIG "into it" without any issue, but 
>can't TSIG 'out of it'.
>
>I see the TSIG notifies coming from the offsite machine, but the local 
>machine sees this and then fails:
>
>[slave]
>22-Jun-2004 19:26:08.637 client 1.2.3.4#23765: view external: received 
>notify for zone 'electric.net': TSIG 'ns1.electric.net'
>
>Jun 22 19:26:08 named[1590]: zone electric.net/IN/external: refresh: 
>failure trying master 1.2.3.4#53 (source 192.168.1.2#0): tsig verify failure
>
>
>....now, I am going through a Cisco router (and I know they didn't pass TSIG 
>a while back...) but I think the latest IOS I am running does. After all, it 
>does work 1 way at least...
>
>Anything I can do to debug this and either find MY error, or prove that the 
>Cisco is messing up my TSIG?
>
>It seems I can TSIG 'OUT' fine, but not 'IN'.
>
You could try sending a TSIG-signed query and see what the exact 
response is, e.g.:

dig chrysler.com ns @xx.xx.xx.xx -k/etc/keys/Kbogus-key.+157+33362.private

;; Couldn't verify signature: tsig indicates error

; <<>> DiG 9.2.2-P3 <<>> chrysler.com ns @xx.xx.xx.xx -k/etc/keys/Kbogus-key.+157+33362.private
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTAUTH, id: 1490
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;chrysler.com. IN NS

;; TSIG PSEUDOSECTION:
bogus-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1088014485 300 0 1490 BADKEY 0

You'll need a relatively-modern version of "dig" to do this.

- Kevin
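The useful part of Kevin's dig run is the TSIG pseudosection: the error field there (BADKEY in his case) tells you which side rejected what, and that is what separates a key-configuration mistake from a packet being altered in transit. The script below is an added example for this thread, not code from BIND or dig. It parses the pseudosection as dig prints it, maps the RFC 2845 error codes to their usual cause, and reports clock skew for BADTIME. The BADKEY sample is built from the output in the post; the BADTIME and NOERROR samples are constructed here to exercise the other branches. It assumes dig renders the MAC and Other Data as base64 and that a BADTIME reply echoes the request's Time Signed with the server's 48-bit clock in Other Data (RFC 2845 section 4.5.2).

```python
"""Parse the TSIG pseudosection of a dig reply and explain the TSIG error.

Added example for this bind-users thread, not code from BIND or dig.
Samples are constructed; assumptions are noted in the comments below.
"""
import base64
from dataclasses import dataclass
from typing import Optional

# TSIG error codes from RFC 2845 section 1.7, as dig prints them, with the
# usual cause of each.
TSIG_ERRORS = {
    "NOERROR": "signature verified",
    "BADSIG": "key name known but the MAC did not verify: secret mismatch, "
              "or the message was altered between signer and verifier",
    "BADKEY": "server has no key of this name (or a different algorithm): "
              "compare the key names and algorithms in named.conf on both ends",
    "BADTIME": "time signed is outside the server's fudge window: fix the clock skew",
}


@dataclass
class TsigRecord:
    key_name: str
    algorithm: str
    time_signed: int    # seconds since the epoch, 48 bits on the wire
    fudge: int          # seconds of clock skew the verifier tolerates
    mac: Optional[str]  # base64 MAC; None when MAC size is 0 (error replies)
    original_id: int
    error: str
    other_data: bytes


def _parse_rr(text: str) -> TsigRecord:
    # Field order dig prints: name ttl class type alg time fudge macsize
    # [mac] origid error otherlen [otherdata]; MAC/Other Data assumed base64.
    t = text.split()
    if len(t) < 11 or t[2] != "ANY" or t[3] != "TSIG":
        raise ValueError("not a TSIG record: " + text)
    mac_size, i, mac = int(t[7]), 8, None
    if mac_size > 0:            # the MAC token is present only when MAC size > 0
        mac, i = t[i], i + 1
    original_id, error, other_len = int(t[i]), t[i + 1], int(t[i + 2])
    other = base64.b64decode(t[i + 3]) if other_len > 0 else b""
    return TsigRecord(t[0], t[4], int(t[5]), int(t[6]), mac, original_id, error, other)


def parse_tsig_pseudosection(dig_output: str) -> Optional[TsigRecord]:
    """Return the TSIG record dig printed, or None if the reply carried none."""
    lines = dig_output.splitlines()
    for n, line in enumerate(lines):
        if line.strip() == ";; TSIG PSEUDOSECTION:":
            rr = []
            for nxt in lines[n + 1:]:       # the record may be line-wrapped
                if not nxt.strip() or nxt.startswith(";"):
                    break
                rr.append(nxt.strip())
            return _parse_rr(" ".join(rr))
    return None


def server_time_from_badtime(rec: TsigRecord) -> Optional[int]:
    """Server clock from Other Data of a BADTIME reply (6-octet time, RFC 2845 4.5.2)."""
    if rec.error == "BADTIME" and len(rec.other_data) == 6:
        return int.from_bytes(rec.other_data, "big")
    return None


def diagnose(rec: TsigRecord, now: int) -> str:
    """One-line reading of the record; `now` is the local clock in epoch seconds."""
    msg = TSIG_ERRORS.get(rec.error, "unrecognised TSIG error " + rec.error)
    st = server_time_from_badtime(rec)
    if st is not None:          # BADTIME reply echoes the request's Time Signed
        msg += " (server clock is %d s %s the request time)" % (
            abs(st - rec.time_signed), "ahead of" if st > rec.time_signed else "behind")
    # The local verifier applies the same window to the reply, so a NOERROR
    # reply still fails here if |now - time signed| exceeds the fudge.
    if abs(now - rec.time_signed) > rec.fudge:
        msg += "; local clock is %d s off the reply's time signed (fudge %d)" % (
            abs(now - rec.time_signed), rec.fudge)
    return msg


# Constructed samples, modelled on the dig output in the post above.
SAMPLE_BADKEY = """;; Couldn't verify signature: tsig indicates error
;; ->>HEADER<<- opcode: QUERY, status: NOTAUTH, id: 1490
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; TSIG PSEUDOSECTION:
bogus-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1088014485 300 0 1490 BADKEY 0
"""
_SERVER_CLOCK = 1088014485 + 900    # server 15 min ahead, well past the 300 s fudge
SAMPLE_BADTIME = (";; TSIG PSEUDOSECTION:\n"
    "bogus-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1088014485 300 0 1490 BADTIME 6 "
    + base64.b64encode(_SERVER_CLOCK.to_bytes(6, "big")).decode() + "\n")
SAMPLE_OK = (";; TSIG PSEUDOSECTION:\n"
    "ns1.example. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1088014485 300 16 "
    + base64.b64encode(bytes(16)).decode() + " 1490 NOERROR 0\n")

if __name__ == "__main__":
    for sample in (SAMPLE_BADKEY, SAMPLE_BADTIME, SAMPLE_OK):
        rec = parse_tsig_pseudosection(sample)
        print(rec.key_name, rec.error, "->", diagnose(rec, now=1088014485 + 5))
```

Pipe a real run into it with `dig ... -k keyfile | python3 tsigdiag.py` after replacing the samples with `sys.stdin.read()`. The distinction worth keeping in mind when reading the result: BADKEY and BADTIME are configuration and clock problems on the two name servers and cannot be caused by anything in between, whereas BADSIG with a key name both sides agree on is the one outcome that is consistent with a middlebox rewriting the packet, as well as with a mis-copied secret.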
