Problems transferring zones with TSIG.

Sebastian E. Castro Avila secastro at
Fri Oct 20 13:59:13 UTC 2006

On Fri, 20 Oct 2006 00:59:13 -0300, Shaun T. Erickson  
<sterickson at> wrote:

> Zone transfers between two RHEL 4.4 systems, both running bind 9.2.4,
> were working. I wanted to add TSIG to the mix. I have the keyfile on
> both servers and that part appears to be ok, as you can see in the
> output, below, that my server says the request has a valid signature.
> The transfers fail though. Yes, I checked the time and both systems
> are the same and getting it via ntp. I don't understand what the
> problem is. Suggestions? This is happening for all of my domains.

You've are discarded the clock sync problem.
Have you tried to pull the zone using dig?

you can use "-k" option and put the TSIG key on a file, or either use "-y"  
option and put the name and the key content on command line.

For example....

I've generated a test key with

%> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST test-key

You put the key on your config file, enable allow-transfer based on the  
key, then you can check using dig, like this

dig axfr mydomain.tld @my.servers -k  Ktest-key.+157+07326.key

if works, you'll get the zone. If not, you'll get a RCODE would give you  
some hints about the error.

I hope it helps.... kind regards

Sebastian E. Castro Avila             sebastian at
Administrador de DNS, NIC Chile

Miraflores 222, Piso 14
Santiago, Chile Cod. Postal 832-0198
Phone: +56-2-9407705                  Fax  : +56-2-9407701

More information about the bind-users mailing list