define domain both for internal and external zones?
Gerry Reno
greno at verizon.net
Sun Apr 6 17:47:09 UTC 2008
Gerry Reno wrote:
> Gerry Reno wrote:
>
>> Following up here.
>>
>> I have tried moving the keys into the views - same result.
>> I made sure that my double quotes are exactly like faq.
>> I have diff'd the keys. All instances of key name were cut and paste
>> from gen'd key in file.
>> I copied the keys over using scp. Permissions are the same as other files.
>>
>> What more can I do here?
>> It doesn't like the key, but why?
>>
>> Gerry
>>
>>
> Yes, I checked the time on both servers and they are both running ntpd
> and are within 1 sec.
>
> I even tried gen'ing the keys separately on both servers and using those
> keys. Still same problem.
>
> Gerry
>
Here is the startup log from both servers:
MASTER SERVER:
============================================================
Apr 6 13:03:46 grp-01-30-50 named[31966]: starting BIND 9.4.2 -u named
-t /var/named/chroot
Apr 6 13:03:46 grp-01-30-50 named[31966]: found 1 CPU, using 1 worker
thread
Apr 6 13:03:46 grp-01-30-50 named[31966]: loading configuration from
'/etc/named.conf'
Apr 6 13:03:46 grp-01-30-50 named[31966]: listening on IPv4 interface
lo, 127.0.0.1#53
Apr 6 13:03:46 grp-01-30-50 named[31966]: listening on IPv4 interface
lo:0, 192.168.1.240#53
Apr 6 13:03:46 grp-01-30-50 named[31966]: listening on IPv4 interface
eth0, 192.168.1.200#53
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal: 127.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal: 254.169.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal: 2.0.192.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal: 255.255.255.255.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal: D.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal: 8.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal: 9.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal: A.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
internal: B.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver: 127.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver: 254.169.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver: 2.0.192.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver: 255.255.255.255.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver: D.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver: 8.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver: 9.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver: A.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view
localhost_resolver: B.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: command channel listening on
127.0.0.1#953
Apr 6 13:03:46 grp-01-30-50 named[31966]: command channel listening on
::1#953
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone example.com/IN/external:
loaded serial 4
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone
grp.external.zone/IN/external: loaded serial 2
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone example.com/IN/internal:
loaded serial 3
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone gar-lan/IN/internal:
loaded serial 6
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone
grp.ddns.internal.zone/IN/internal: loaded serial 2
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone
grp.internal.zone/IN/internal: loaded serial 2
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone
0.in-addr.arpa/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone
0.0.127.in-addr.arpa/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone
255.in-addr.arpa/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/localhost_resolver:
loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone
localdomain/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone
localhost/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: running
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone example.com/IN/external:
sending notifies (serial 4)
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone example.com/IN/internal:
sending notifies (serial 3)
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone gar-lan/IN/internal:
sending notifies (serial 6)
Apr 6 13:03:46 grp-01-30-50 named[31966]: client 192.168.1.1#53: view
internal: received notify for zone 'example.com'
Apr 6 13:03:47 grp-01-30-50 named[31966]: zone
grp.slave.internal.zone/IN/internal: refresh: unexpected rcode
(SERVFAIL) from master 192.168.1.201#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-50 named[31966]: client 192.168.1.201#53: view
internal: request has invalid signature: TSIG ns1-ns2.example.com: tsig
verify failure (BADSIG)
============================================================
SLAVE SERVER:
============================================================
Apr 6 13:04:00 grp-01-30-51 named[24014]: starting BIND 9.4.2 -u named
-t /var/named/chroot
Apr 6 13:04:00 grp-01-30-51 named[24014]: found 1 CPU, using 1 worker
thread
Apr 6 13:04:00 grp-01-30-51 named[24014]: loading configuration from
'/etc/named.conf'
Apr 6 13:04:00 grp-01-30-51 named[24014]: listening on IPv4 interface
lo, 127.0.0.1#53
Apr 6 13:04:00 grp-01-30-51 named[24014]: listening on IPv4 interface
lo:0, 192.168.1.240#53
Apr 6 13:04:00 grp-01-30-51 named[24014]: listening on IPv4 interface
eth0, 192.168.1.201#53
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal: 127.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal: 254.169.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal: 2.0.192.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal: 255.255.255.255.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal: D.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal: 8.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal: 9.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal: A.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
internal: B.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver: 127.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver: 254.169.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver: 2.0.192.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver: 255.255.255.255.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver: D.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver: 8.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver: 9.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver: A.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view
localhost_resolver: B.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: command channel listening on
127.0.0.1#953
Apr 6 13:04:00 grp-01-30-51 named[24014]: command channel listening on
::1#953
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone example.com/IN/external:
loaded serial 2 <=== on master this file is at serial 4, so it is not
transferring ????
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone example.com/IN/internal:
loaded serial 3
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone gar-lan/IN/internal:
loaded serial 6
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
grp.ddns.internal.zone/IN/internal: loaded serial 2
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
grp.internal.zone/IN/internal: loaded serial 2
Apr 6 13:04:00 grp-01-30-51 named[24014]: running
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone example.com/IN/internal:
sending notifies (serial 3)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone gar-lan/IN/internal:
sending notifies (serial 6)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
grp.external.zone/IN/external: refresh: failure trying master
192.168.1.200#53 (source 0.0.0.0#53): tsig indicates error <=== TSIG
ERROR
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
localdomain/IN/localhost_resolver: refresh: non-authoritative answer
from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
0.in-addr.arpa/IN/localhost_resolver: refresh: non-authoritative answer
from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
0.0.127.in-addr.arpa/IN/localhost_resolver: refresh: unexpected rcode
(NXDOMAIN) from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
255.in-addr.arpa/IN/localhost_resolver: refresh: non-authoritative
answer from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
localhost/IN/localhost_resolver: refresh: non-authoritative answer from
master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/localhost_resolver:
refresh: non-authoritative answer from master 192.168.1.200#53 (source
0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone
grp.slave.internal.zone/IN/internal: refresh: unexpected rcode
(SERVFAIL) from master 192.168.1.200#53 (source 0.0.0.0#53)
============================================================
I can see that named thinks the sig is bad, but I have gen'd and re-gen'd
these keys without success.
Here are the sections from named.conf:
MASTER SERVER:
============================================================
// Red Hat BIND Configuration Tool
//
// MASTER NAMESERVER
//
// Review notes, read against the master startup log above:
// - The startup log shows named running with -t /var/named/chroot and
//   loading '/etc/named.conf' relative to that root, so the copy named
//   actually reads is presumably /var/named/chroot/etc/named.conf.
//   Worth confirming the edited key is in that copy and not in a
//   non-chroot /etc/named.conf.
// - The BADSIG at 13:04:00 is logged under view "internal" for client
//   192.168.1.201. NOTE(review): with the match-clients below, a request
//   whose TSIG does not verify does not satisfy `key ns1-ns2.example.com.`
//   in "external", and 192.168.1.201 is inside grp-lan, so it falls
//   through to "internal" where the `!key` element matches. The log line
//   therefore points at the signature (secret) itself rather than at view
//   selection -- presumably; confirm against this BIND version's
//   view-matching behaviour.
// - The unsigned internal-view transfer works (both servers load
//   example.com/IN/internal at serial 3); only the signed external path
//   fails.
//
// TSIG key shared by master and slave. The `secret` must be byte-for-byte
// identical on both servers. The value is redacted here; BIND expects the
// base64 secret in double quotes (secret "<base64>";) -- an unquoted
// base64 value with '=' padding would not parse, and named did start, so
// the real file is presumably quoted. The key name (with trailing dot)
// matches every reference below.
key "ns1-ns2.example.com." {
// hmac-md5 is what dnssec-keygen produces for HOST keys by default; if
// this version accepts hmac-sha256, prefer it once the current problem
// is solved.
algorithm hmac-md5;
// Shared secret (redacted in this post).
secret dnssec-keygendsecret;
};
// Empty ACL: matches nothing, so only internal_slaves can transfer from
// the external view.
acl external_slaves {
};
// 192.168.1.201 is the slave (grp-01-30-51 listens on eth0 at that
// address per the slave startup log).
acl internal_slaves {
192.168.1.201;
};
acl gar-lan {
127.0.0.0/8;
192.168.2.0/24;
};
// Note 192.168.1.0/24 covers the slave's own address, which is why an
// unverified request from it lands in "internal" below.
acl grp-lan {
127.0.0.0/8;
192.168.1.0/24;
};
...
view "external" {
// Any request that verifies under the key is served by this view
// regardless of source address; unsigned requests from either LAN are
// excluded here and handled by "internal".
match-clients {
key ns1-ns2.example.com.;
! grp-lan;
! gar-lan;
};
recursion no;
// we sign requests sent to these servers
// Only this view has a server statement for the slave, so only
// external-view traffic to 192.168.1.201 (e.g. NOTIFY) is signed;
// internal-view traffic to the same host is unsigned.
server 192.168.1.201 {
keys { ns1-ns2.example.com.; };
};
zone "example.com." IN {
type master;
file "external_example.com.db";
// Transfers are gated on source address only. Once TSIG verifies,
// `key ns1-ns2.example.com.;` here would require signed AXFR/IXFR
// requests instead of trusting the source IP.
allow-transfer { internal_slaves; external_slaves; };
};
...
};
view "internal" {
// The slave's "internal" view (below) has no match-destinations clause;
// the two configs differ here.
match-destinations {
grp-lan;
gar-lan;
};
// `!key` excludes requests that verified under the shared key; everything
// else from the two LANs is answered here.
match-clients {
!key ns1-ns2.example.com.;
grp-lan;
gar-lan;
};
recursion yes;
zone "example.com." IN {
type master;
file "internal_example.com.db";
allow-transfer { internal_slaves; };
};
...
};
view "localhost_resolver" {
match-clients {
localhost;
};
match-destinations {
localhost;
};
recursion yes;
...
};
// Resolved inside the chroot, like named.conf itself (presumably).
include "/etc/rndc.key";
============================================================
SLAVE SERVER:
============================================================
// Red Hat BIND Configuration Tool
//
// SLAVE NAMESERVER
//
// Review notes, read against the slave startup log above:
// - This server also runs with -t /var/named/chroot, so the file in use
//   is presumably /var/named/chroot/etc/named.conf; confirm the key was
//   copied into that copy.
// - The `refresh: ... tsig indicates error` entry at 13:04:00 for the
//   external view is, presumably, the master's reply to a request signed
//   with the key below (the master logs BADSIG for this host at the same
//   second).
//
// Must be the same key statement as on the master: same name (including
// the trailing dot), same algorithm, same quoted base64 secret. The value
// is redacted here.
key "ns1-ns2.example.com." {
algorithm hmac-md5;
// Shared secret (redacted in this post).
secret dnssec-keygendsecret;
};
...
view "external" {
// Same rule as on the master: requests that verify under the key land
// here; unsigned LAN requests go to "internal".
match-clients {
key ns1-ns2.example.com.;
! grp-lan;
! gar-lan;
};
recursion no;
// we sign requests sent to these servers
// Zone refreshes and transfers from this view to the master are signed
// with the shared key; this is the path that fails in the log.
server 192.168.1.200 {
keys { ns1-ns2.example.com.; };
};
zone "example.com." IN {
type slave;
// Log shows this copy at serial 2 while the master is at serial 4,
// consistent with the signed transfer never succeeding.
file "slaves/external_example.com.db";
// internal_slaves and external_slaves are not shown in this excerpt
// (elided); they have to be defined on this server too.
allow-transfer { internal_slaves; external_slaves; };
masters { 192.168.1.200; };
...
};
view "internal" {
// No match-destinations here, unlike the master's "internal" view.
match-clients {
!key ns1-ns2.example.com.;
grp-lan;
gar-lan;
};
recursion yes;
zone "example.com." IN {
type slave;
file "slaves/internal_example.com.db";
allow-transfer { internal_slaves; };
// This transfer is unsigned (no server statement in this view) and
// works: serial 3 on both servers in the logs.
masters { 192.168.1.200; };
};
...
};
view "localhost_resolver" {
match-clients {
localhost;
};
recursion yes;
// NOTE(review): the slave log shows localhost, localdomain,
// 0.in-addr.arpa, 0.0.127.in-addr.arpa, 255.in-addr.arpa and the
// ip6.arpa zone in this view being refreshed from 192.168.1.200 and
// getting non-authoritative or NXDOMAIN answers. The master loads those
// as its own zones at serial 42; on this server they look like they were
// made slaves (elided below). They are normally local master zones on
// each host -- confirm.
...
};
include "/etc/rndc.key";
============================================================
Gerry