Reply: Re: TSIG help

Holger.Zuleger at arcor.net Holger.Zuleger at arcor.net
Mon Jun 28 08:16:52 UTC 2004


> Ok. Well I tried this (although slightly different):
> dig electric.net @ns1.electric.net AXFR -y ns2.blah.com:key_goes_here

> and that worked. In fact, no matter what keys I use on either machine all
> TSIG works with AXFR IN and OUT fine. I cannot make it fail MANUALLY.

Seems that you defined an allow-transfer statement with a key *and* an IP-address
clause! Right?
So my guess is that BIND always matches your IP address, whatever TSIG key you
supplied.
In the case of the Cisco pass-thru, NAT changes your IP address and the key
configured is *not* the correct one.
Please post your unmodified config again, and add the output of the dig command.

Holger
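Holger's point above (an allow-transfer list that names an address *and* a key is satisfied by the address alone, so only after NAT changes the source address does the wrong key get noticed) can be checked against a model of how BIND evaluates an address_match_list. The Python below is an added illustration, not BIND's code and not anything posted in this thread; the networks, key names and the three example lists are assumed stand-ins for the poster's real config.

```python
import ipaddress

# Model of BIND's documented address_match_list evaluation (added illustration,
# not BIND code). Elements are tried in order and the first one that matches
# decides: a plain match allows, a negated ("!") match denies, no match denies.
# `signer` is the name of a TSIG key the server already knows; a request whose
# signature cannot be verified at all is refused before any ACL is consulted.

def elem(kind, value=None, negate=False):
    """kind is one of "any", "net" (CIDR string), "key" (key name), "nested"."""
    return {"kind": kind, "value": value, "negate": negate}

def _match(acl, src_ip, signer):
    """Return +1 for a positive match, -1 for a negated match, 0 for none."""
    ip = ipaddress.ip_address(src_ip)
    for e in acl:
        kind = e["kind"]
        if kind == "any":
            hit = True
        elif kind == "net":
            hit = ip in ipaddress.ip_network(e["value"], strict=False)
        elif kind == "key":
            hit = signer is not None and signer == e["value"]
        elif kind == "nested":
            # a negated match inside a nested list counts as "no match" outside it
            hit = _match(e["value"], src_ip, signer) > 0
        else:
            raise ValueError(kind)
        if hit:
            return -1 if e["negate"] else 1
    return 0

def allowed(acl, src_ip, signer=None):
    """True iff a request from src_ip, signed by `signer` (or unsigned), passes."""
    return _match(acl, src_ip, signer) > 0

# Weak (what the thread suspects):  allow-transfer { 192.168.1.0/24; key ns2-key; };
# The LAN prefix matches first, so from the LAN any key, or no key, is accepted.
WEAK = [elem("net", "192.168.1.0/24"), elem("key", "ns2-key")]

# Key only:  allow-transfer { key ns2-key; };
KEY_ONLY = [elem("key", "ns2-key")]

# Address AND key (the nested-negation idiom from the BIND ARM):
#   allow-transfer { !{ !192.168.1.0/24; any; }; key ns2-key; };
BOTH = [elem("nested", [elem("net", "192.168.1.0/24", negate=True), elem("any")],
             negate=True),
        elem("key", "ns2-key")]
```

With WEAK, a LAN host transfers with any known key (or none) while the same key presented from a NAT-rewritten address is refused, which reproduces the "manual works, automatic fails" pattern; KEY_ONLY and BOTH make the key decisive regardless of address.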

"J.D. Bronson" <jbronson at wixb.com>@isc.org
23.06.2004 22:53

Sent by:  bind-users-bounce at isc.org

To:     Kevin Darcy <kcd at daimlerchrysler.com>, bind-users at isc.org
Cc:  (Bcc: Holger Zuleger/TND/Eschborn/Arcor)
Subject:  Re: TSIG help


At 01:20 PM 6/23/2004, Kevin Darcy wrote:
>J.D. Bronson wrote:
>
> >Hmm. I need help getting more debug out of bind 9.3.0rc1...
> >
> >I have TSIG working on 2 of 3 machines and it works fine in both
> >directions. However, these 2 are on the same side of 1 router, so they
> >never pass THRU this CISCO router.
> >
> >The 3rd machine is off-site and I can TSIG "into it" without any issue, but
> >can't TSIG 'out of it'.
> >
> >I see the TSIG notifies coming from the off-site machine, but the local
> >machine sees this and then fails:
> >
> >[slave]
> >22-Jun-2004 19:26:08.637 client 1.2.3.4#23765: view external: received
> >notify for zone 'electric.net': TSIG 'ns1.electric.net'
> >
> >Jun 22 19:26:08 named[1590]: zone electric.net/IN/external: refresh:
> >failure trying master 1.2.3.4#53 (source 192.168.1.2#0): tsig verify failure
> >
> >
> >....now, I am going thru a CISCO router (and I know they didn't pass TSIG
> >awhile back...) but I think the latest IOS I am running does. After all, it
> >does work 1 way at least...
> >
> >anything I can do to debug this and either find MY error, or prove that the
> >CISCO is messing up my TSIG?
> >
> >it seems I can TSIG 'OUT' fine, but not 'IN'.
> >
>You could try sending a TSIG-signed query and see what the exact
>response is, e.g.:
>
>dig chrysler.com ns @xx.xx.xx.xx -k/etc/keys/Kbogus-key.+157+33362.private
>
>;; Couldn't verify signature: tsig indicates error
>
>; <<>> DiG 9.2.2-P3 <<>> chrysler.com ns @xx.xx.xx.xx
>-k/etc/keys/Kbogus-key.+157+33362.private
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOTAUTH, id: 1490
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>;; QUESTION SECTION:
>;chrysler.com. IN NS
>
>;; TSIG PSEUDOSECTION:
>bogus-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1088014485 300 0 1490
>BADKEY 0
>
>You'll need a relatively-modern version of "dig" to do this.
>
>- Kevin

Ok. Well I tried this (although slightly different):
dig electric.net @ns1.electric.net AXFR -y ns2.blah.com:key_goes_here

and that worked. In fact, no matter what keys I use on either machine all
TSIG works with AXFR IN and OUT fine. I cannot make it fail MANUALLY.

But if I change the WAN side DNS server zone (I am slave to) and kick it, I
see the TSIG request but then the transfer still fails.

So I am down to this:

Manual dig AXFR via TSIG works in any way I try.
Automatic TSIG AXFRs fail from WAN to LAN, but work LAN to WAN.

I still think it's the Cisco, but need more help. Perhaps DIG uses different
ports (or TCP vs UDP something) whereas the REFRESH or AXFR doesn't?

Thanks for the hints.
--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: jd at aurora.org // Pager: 414.314.8282