TSIG fails intermittently but dig works

Greg Kuechle greg.kuechle at sasktel.sk.ca
Thu Mar 25 19:43:22 UTC 2010


Hi,

I have two servers each running bind 9.7.0. I have TSIG set up on the
servers. I upgraded the hardware on the primary server. The IPs and the
config remained the same.
I upgraded BIND from 9.4.3-P3 to 9.7.0 at the same time on the primary.

Prior to the hardware/BIND upgrade TSIG worked well.

The new primary is running on a Sun T5120 with Solaris 10.
The older secondary is running on a Sun v250 with Solaris 8.


Now it fails on some zones and works on others. If I use dig to do a zone
transfer, all zones transfer ok.

Here is the syntax I use:
dig -y st-dns-key:<key_omitted> @142.163.211.10 ips.com    <-- this works only with dig, named will not transfer.
dig -y st-dns-key:<key_omitted> @142.163.211.10 zazu.com   <-- this works with dig and named will transfer.


---------------------------- Logs from secondary trying to transfer the zones ----------------------------
Here is a zone that works:
25-Mar-2010 12:25:23.058 general: info: zone zazu.ca/IN: Transfer started.
25-Mar-2010 12:25:23.065 xfer-in: info: transfer of 'zazu.ca/IN' from 142.163.211.10#53: connected using 142.163.20.10#56583
25-Mar-2010 12:25:23.105 general: info: zone zazu.ca/IN: transferred serial 2007052406: TSIG 'st-dns-key'
25-Mar-2010 12:25:23.106 xfer-in: info: transfer of 'zazu.ca/IN' from 142.163.211.10#53: Transfer completed: 1 messages, 14 records, 482 bytes, 0.040 secs (12050 bytes/sec)

This zone will not transfer:
25-Mar-2010 12:23:28.029 notify: info: client 142.163.211.10#37594: received notify for zone 'ips.com': TSIG 'st-dns-key'
25-Mar-2010 12:23:28.041 general: info: zone ips.com/IN: refresh: failure trying master 142.163.211.10#53 (source 0.0.0.0#0): tsig verify failure

Both servers are using ntp and the time is synced up.

I have thousands of zones; most of them will transfer to the secondary.

I have tried many things with no luck (my secondary was running an older
version of bind so I upgraded it).


Any help would be appreciated.



 Greg Kuechle



Sorry about the notice appended to the email 


NOTICE: This confidential e-mail message is only for the intended 
recipient(s). If you are not the intended recipient, be advised that 
disclosing, copying, distributing, or any other use of this message, is 
strictly prohibited. In such case, please destroy this message and notify 
the sender.