Problems transferring zones with TSIG.
Sebastian E. Castro Avila
secastro at nic.cl
Fri Oct 20 13:59:13 UTC 2006
On Fri, 20 Oct 2006 00:59:13 -0300, Shaun T. Erickson
<sterickson at gmail.com> wrote:
> Zone transfers between two RHEL 4.4 systems, both running bind 9.2.4,
> were working. I wanted to add TSIG to the mix. I have the keyfile on
> both servers and that part appears to be ok, as you can see in the
> output, below, that my server says the request has a valid signature.
> The transfers fail though. Yes, I checked the time and both systems
> are the same and getting it via ntp. I don't understand what the
> problem is. Suggestions? This is happening for all of my domains.
You've already discarded the clock sync problem.
Have you tried to pull the zone using dig?
You can use the "-k" option and put the TSIG key in a file, or use the "-y"
option and put the name and the key content on the command line.
I've generated a test key with
%> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST test-key
You put the key in your config file, enable allow-transfer based on the
key, then you can check using dig, like this
dig axfr mydomain.tld @my.servers -k Ktest-key.+157+07326.key
If it works, you'll get the zone. If not, you'll get an RCODE that will give you
some hints about the error.
I hope it helps.... kind regards
Sebastian E. Castro Avila sebastian at nic.cl
Administrador de DNS, NIC Chile
Miraflores 222, Piso 14
Santiago, Chile Cod. Postal 832-0198
Phone: +56-2-9407705 Fax : +56-2-9407701
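The procedure Sebastian sketches (generate a key, put it on both servers, restrict allow-transfer to the key, test with dig, read the RCODE) worked through in shell. This is an added example, not code from the original post or from the BIND project. The key name "test-key", zone "mydomain.tld", the 192.0.2.x addresses and the sample dig header line are placeholders constructed for the example; it assumes a POSIX sh with /dev/urandom and base64(1). hmac-md5 is used to match the post's BIND 9.2.4; on any release that supports it, hmac-sha256 is the better choice.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): the TSIG
# transfer setup end to end. Generates a secret, renders the named.conf
# fragments for both ends of the transfer, prints the dig command to test
# it, and interprets the RCODE dig reports when the AXFR fails.
# Placeholders: key "test-key", zone "mydomain.tld", 192.0.2.1 (primary),
# 192.0.2.2 (secondary). Assumes /dev/urandom and base64(1) exist.

KEY_NAME="test-key"
ALGO="hmac-md5"          # matches the post's BIND 9.2.4; prefer hmac-sha256 where supported
ZONE="mydomain.tld"
PRIMARY="192.0.2.1"
SECONDARY="192.0.2.2"

# 32 random bytes, base64-encoded: the shared secret. The post used
# "dnssec-keygen -a HMAC-MD5 -b 512 -n HOST test-key" for the same purpose.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The key statement must be identical on both servers: TSIG matches on the
# key NAME carried in the TSIG record, not on the peer's address.
render_key_stmt() {
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' \
        "$KEY_NAME" "$ALGO" "$1"
}

# Primary: only requests signed with the key may transfer the zone.
render_primary_conf() {
    render_key_stmt "$1"
    printf 'zone "%s" {\n    type master;\n    file "%s.db";\n' "$ZONE" "$ZONE"
    printf '    allow-transfer { key "%s"; };\n};\n' "$KEY_NAME"
}

# Secondary: the server clause makes named sign everything it sends to the
# primary (SOA queries, AXFR/IXFR) with the key. Without it the request goes
# out unsigned and the primary's allow-transfer { key ...; } refuses it.
render_secondary_conf() {
    render_key_stmt "$1"
    printf 'server %s { keys { "%s"; }; };\n' "$PRIMARY" "$KEY_NAME"
    printf 'zone "%s" {\n    type slave;\n    masters { %s; };\n    file "%s.db";\n};\n' \
        "$ZONE" "$PRIMARY" "$ZONE"
}

# dig -y takes the key inline. Fine for a one-off check, but the secret is
# visible in the process list; for anything repeated write the key to a
# file and use -k as the post suggests.
dig_axfr_cmd() {
    printf 'dig @%s %s axfr -y %s:%s:%s\n' "$PRIMARY" "$ZONE" "$ALGO" "$KEY_NAME" "$1"
}

# Pull the RCODE out of dig's ";; ->>HEADER<<- ... status: XXX" line.
axfr_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Map the RCODE to what to check next (RFC 2845 TSIG error semantics:
# BADKEY, BADSIG and BADTIME are all reported with RCODE NOTAUTH).
axfr_hint() {
    case "$1" in
        NOERROR) echo "transfer succeeded" ;;
        NOTAUTH) echo "TSIG verification failed (BADKEY/BADSIG/BADTIME): check key name, secret, clock skew" ;;
        REFUSED) echo "allow-transfer did not match: request unsigned or key not listed on the primary" ;;
        *)       echo "unexpected RCODE $1: check named's log on the primary" ;;
    esac
}

main() {
    secret=$(gen_tsig_secret)
    echo "### primary named.conf";      render_primary_conf "$secret"
    echo "### secondary named.conf";    render_secondary_conf "$secret"
    echo "### test from the secondary"; dig_axfr_cmd "$secret"
}

main
```

Run it, paste each fragment into the matching named.conf, reload both servers, then run the printed dig command from the secondary and feed its output through axfr_status / axfr_hint. NOTAUTH points at the key material or the clock, REFUSED at the allow-transfer match, which separates the two failure modes the original question could not tell apart.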