forwarders and zone transfer to the same set of servers

sarath at slashroot.in
Sat Sep 28 16:31:23 UTC 2013


Hi Team,

I have an architecture with one BIND server that is forward-only and is authoritative for the domain ab.dc.example.com. It should forward all requests other than those it is authoritative for (ab.dc.example.com) to a set of servers.

Requests will get forwarded to

172.16.202.1
172.16.202.2
172.16.203.3
172.16.204.4

The second point is that this same set of servers, to which requests are being forwarded, are also slave servers for the domain ab.dc.example.com (so they will be fetching zone transfer updates as well). I have TSIG with HMAC-MD5 keys generated for secure zone transfer:

key ab.dc.example.com {
    algorithm hmac-md5;
    secret "s0G8oHowQLWoS6FvOV2W6zKNAv+sC7f2hdJclrtHtEfFPyf3nBNY6xR+1Q==";
};

server 172.16.202.1 {
    keys { ab.dc.example.com; };
};

server 172.16.202.2 {
    keys { ab.dc.example.com; };
};

server 172.16.202.3 {
    keys { ab.dc.example.com; };
};

server 172.16.202.4 {
    keys { ab.dc.example.com; };
};

And I have my forwarders set to the same set of servers as above. My BIND options clause is shown below.


options {
    forwarders { 172.16.202.1; 172.16.202.2; 172.16.202.3; 172.16.202.4; };
    forward only;
    allow-query { any; };
    allow-transfer { none; };
    // 0.0.0.0/0 matches every IPv4 client, so recursion is open to anyone who can reach the server
    allow-recursion { localhost; 0.0.0.0/0; };
    dnssec-validation no;
    dnssec-enable yes;
};

Note: I don't have direct access to those 4 servers (they are slaves for the domain for which I am authoritative). The zone transfer is working perfectly with the above configs, but normal dig queries are not working as required. What I could make out from the logs is shown below.

;; TSIG PSEUDOSECTION:
 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1380379945 300 0 55359 BADSIG 0

However, if I query those same servers to which I am forwarding my DNS requests, with the key option in the dig command, I do get the desired proper output. I guess I am missing something in the BIND configs... please advise me.

Thanks &
Regards
Sarath 
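Editor's note and example, added here and not part of Sarath's message or of any reply on the list. Two things a reader can take from the message as posted. First, the TSIG pseudosection shows error 16 (BADSIG) with a zero-length MAC, which is how a responder reports that the MAC it computed over the request did not match the one it received; a clock-skew problem would report BADTIME (18) instead, so the two sides disagree on the key name or the secret, or on what was signed. Second, in BIND the `keys` option of a `server` statement makes named TSIG-sign every request it sends to that address, not only zone-transfer traffic; on a forward-only server that includes the forwarded recursive queries. If the intent is to protect only the zone transfers, the key can be bound to the zone's `allow-transfer` instead, and the `server` statements dropped, so that forwarded queries go out unsigned while the slaves still have to sign their AXFR/IXFR requests. The fragment below shows that layout. The zone clause, the zone file path and the recursion ACL are assumptions (the post shows none of them), and the secret is a placeholder standing in for a freshly generated key, since the one pasted in the message is now public. The algorithm is left at hmac-md5 because it has to match whatever the slaves, which the poster does not control, are configured with.

```conf
// Added example, not the original poster's configuration.
// TSIG is tied to the zone transfer only; no "server" statements, so
// queries forwarded to the same four addresses are sent unsigned.

key ab.dc.example.com {
    algorithm hmac-md5;                 // must match the algorithm on the slaves
    secret "REPLACE-WITH-A-FRESHLY-GENERATED-BASE64-SECRET";   // placeholder
};

options {
    forwarders { 172.16.202.1; 172.16.202.2; 172.16.202.3; 172.16.202.4; };
    forward only;
    allow-query { any; };
    allow-transfer { none; };           // default; the zone below overrides it
    // Assumed client range. 0.0.0.0/0 in the original makes this an open
    // recursive resolver; restrict it to the networks that should use it.
    allow-recursion { localhost; 172.16.0.0/16; };
    dnssec-validation no;
    dnssec-enable yes;
};

// Intentionally absent:
//   server 172.16.202.1 { keys { ab.dc.example.com; }; };
// With that statement present, named signs every request to 172.16.202.1,
// forwarded queries included, and the far side must verify each of them.

zone "ab.dc.example.com" {
    type master;
    file "/etc/bind/zones/db.ab.dc.example.com";   // assumed path
    // Only transfer requests carrying a valid signature under this key are
    // served. The slaves sign them from their own server/masters config;
    // nothing here needs the master to sign anything.
    allow-transfer { key ab.dc.example.com; };
};
```

To see which side is rejecting what, compare the two queries a forwarder receives: `dig @172.16.202.1 www.example.com` sends it unsigned, and `dig -y hmac-md5:ab.dc.example.com:<secret> @172.16.202.1 www.example.com` sends it signed the way named does when a `server` statement is in effect. A BADSIG on the second form but not the first points at the key material on the two sides; a refusal of the first form means the forwarders do not recurse for this server at all, which TSIG will not fix. One caveat if the `server` statements are removed: NOTIFY messages to the slaves are then unsigned too, so this only works if the slaves do not require signed NOTIFYs, which the post does not say either way.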

