Problems transferring zones with TSIG.

Shaun T. Erickson sterickson at gmail.com
Sat Oct 21 02:09:14 UTC 2006 

I just realized I'd sent this only to Mark. -ste
-------

On 10/20/06, Mark Andrews <Mark_Andrews at isc.org> wrote:
>
>         Since you havn't posted your configuration that as far
>         as anyone here can go.

I didn't want to annoy anyone by posting more, unless asked. :)

This is the named.conf file on my master (I'm now only trying to do
one zone with TSIG, so that the other will (and do) succeed):

acl "internal" { 64.32.179.40/32; 64.32.179.41/32; localhost; };
acl "slaves" { 64.124.174.11/32; };

options {
       directory "/var/named";
       recursion no;
       listen-on { 64.32.179.42; };
       pid-file "/var/run/named/named.pid";
       dump-file "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
};

controls {
       inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "/etc/rndc.key";
include "/etc/dns.key";

view internal in {
       match-clients { "internal"; };
       recursion yes;

       zone "ste-land.com" {
               type master;
               file "data/db.ste-land.com";
       };

       zone "tales-of-the-wanderer.com" {
               type master;
               file "data/db.tales-of-the-wanderer.com";
       };

       zone "prideguidenj.org" {
               type master;
               file "data/db.prideguidenj.org";
       };

       zone "legiongalileo.com" {
               type master;
               file "data/db.legiongalileo.com";
       };

       zone "smxy.org" {
               type master;
               file "data/db.smxy.org";
       };

       zone "0.0.127.in-addr.arpa" IN {
               type master;
               file "data/db.127.0.0";
       };

       zone "." {
               type hint;
               file "db.cache";
       };
};

view external in {
       match-clients { any; };
       recursion no;

       zone "ste-land.com" {
               type master;
               file "data/db.ste-land.com";
               allow-transfer { "slaves"; };
       };

       zone "tales-of-the-wanderer.com" {
               type master;
               file "data/db.tales-of-the-wanderer.com";
               allow-transfer { key ny2.steambolt.com-scudder.smxy.org.; };
       };

       zone "prideguidenj.org" {
               type master;
               file "data/db.prideguidenj.org";
               allow-transfer { "slaves"; };
       };

       zone "legiongalileo.com" {
               type master;
               file "data/db.legiongalileo.com";
               allow-transfer { "slaves"; };
       };

       zone "smxy.org" {
               type master;
               file "data/db.smxy.org";
               allow-transfer { "slaves"; };
       };

       zone "0.0.127.in-addr.arpa" IN {
               type master;
               file "data/db.127.0.0";
               allow-transfer { none; };
       };

       zone "." {
               type hint;
               file "db.cache";
       };
};

On the slave, which I can't get to from work - sorry - I "include" the
same key file and use this as the masters line for the domain that's
being transferred with TSIG:

masters { 64.32.179.42 key ny2.steambolt.com-scudder.smxy.org.; };

If you need more of the slaves configuration, I can send that this
evening. Is there anything else I can send/do that might help?
Following Sebastian's suggestion, I ran:

$ dig axfr tales-of-the-wanderer.com @64.32.179.42 -y
ny2.streambolt.com-scudder.smxy.org.:<my key>

; <<>> DiG 9.3.2 <<>> axfr tales-of-the-wanderer.com @64.32.179.42 -y
ny2.streambolt.com-scudder.smxy.org.
; (1 server found)
;; global options:  printcmd
ny2.streambolt.com-scudder.smxy.org. 0 ANY TSIG
hmac-md5.sig-alg.reg.int. 1161366444 300 16 0m/DuU3grFjjhcCBkAmOGg==
23286 NOERROR 0
; Transfer failed.

... which also fails. I'm not sure how to interpret the output of that though.

   -ste

P.S.: Here's the output of a tcpdump. I modified the domain, causing
my server to send out a notify and the slave to try and pull the zone:

Last login: Fri Oct 20 21:30:12 on ttyp2
Welcome to Darwin!
Shaun-T-Ericksons-Computer:~ ste$ vi





















21:58:19.473978 IP ny2.streambolt.com.50028 > scudder.smxy.org.domain:
. ack 277 win 1728 <nop,nop,timestamp 1201228316 249925442>
21:58:19.474630 IP ny2.streambolt.com.50028 > scudder.smxy.org.domain:
P 151:153(2) ack 277 win 1728 <nop,nop,timestamp 1201228316 249925442>
21:58:19.491547 IP ny2.streambolt.com.domain > scudder.smxy.org.32805:
 19251 notify* 0/0/0 (43)
21:58:19.526620 IP scudder.smxy.org.domain > ny2.streambolt.com.50028:
. ack 153 win 1448 <nop,nop,timestamp 249925525 1201228316>
21:58:19.607974 IP ny2.streambolt.com.50028 > scudder.smxy.org.domain:
P 153:301(148) ack 277 win 1728 <nop,nop,timestamp 1201228449
249925525> 0 [b2&3=0x1] [0q] [1n] [5492au] (146)
21:58:19.608010 IP scudder.smxy.org.domain > ny2.streambolt.com.50028:
. ack 301 win 1448 <nop,nop,timestamp 249925606 1201228449>
21:58:19.609250 IP scudder.smxy.org.domain > ny2.streambolt.com.50028:
P 277:427(150) ack 301 win 1448 <nop,nop,timestamp 249925607
1201228449> 2542 Refused-[|domain]
21:58:19.658271 IP ny2.streambolt.com.50028 > scudder.smxy.org.domain:
F 301:301(0) ack 427 win 1996 <nop,nop,timestamp 1201228501 249925607>
21:58:19.658760 IP scudder.smxy.org.domain > ny2.streambolt.com.50028:
F 427:427(0) ack 302 win 1448 <nop,nop,timestamp 249925657 1201228501>
21:58:19.849464 IP ny2.streambolt.com.50028 > scudder.smxy.org.domain:
. ack 428 win 1996 <nop,nop,timestamp 1201228692 249925657>
~

I don't know if that helps any or not ... still stumped. -ste

More information about the bind-users mailing list