forwarders and zone transfer to the same set of servers

Kevin Darcy kcd at chrysler.com
Mon Sep 30 22:54:26 UTC 2013


On 9/28/2013 12:31 PM, sarath at slashroot.in wrote:
> Hi Team,
>
> I have an architecture where I have one BIND server that is 
> forward-only and is authoritative for a domain ab.dc.example.com. It 
> should forward all requests other than the ones it is authoritative for 
> (ab.dc.example.com) to a set of servers.
>
> Requests will get forwarded to
> 172.16.202.1
> 172.16.202.2
> 172.16.203.3
> 172.16.204.4
>
> And the second point is that this same set of servers, where requests 
> are being forwarded, are also slave servers for the domain 
> ab.dc.example.com (so they will be fetching zone transfer updates as well). 
> I have TSIG with HMAC-MD5 keys generated for secure zone transfer.
>
> key ab.dc.example.com {
>         algorithm hmac-md5;
>         secret "s0G8oHowQLWoS6FvOV2W6zKNAv+sC7f2hdJclrtHtEfFPyf3nBNY6xR+1Q==";
> };
> server 172.16.202.1 {
>         keys {
>                 ab.dc.example.com;
>         };
> };
> server 172.16.202.2 {
>         keys {
>                 ab.dc.example.com;
>         };
> };
> server 172.16.202.3 {
>         keys {
>                 ab.dc.example.com;
>         };
> };
> server 172.16.202.4 {
>         keys {
>                 ab.dc.example.com;
>         };
> };
>
>
> And I have my forwarders set to the same set of servers above. My 
> BIND options clause is shown below.
>
>         forwarders { 172.16.202.1; 172.16.202.2; 172.16.202.3; 172.16.202.4; };
>         forward only;
>         allow-query { any; };
>         allow-transfer { none; };
>         allow-recursion { localhost; 0.0.0.0/0; };
>         dnssec-validation no;
>         dnssec-enable yes;
>
> Note: I don't have direct access to those 4 servers (they are slaves for 
> the domain for which I am authoritative). The zone transfer is working 
> perfectly in the above configs, but normal dig queries are not working as 
> required. What I could make out from the logs is shown below.
>
> ;; TSIG PSEUDOSECTION:
>  0   ANY     TSIG    hmac-md5.sig-alg.reg.int. 1380379945 300 0 55359 
> BADSIG 0
>
> However, if I query those same servers where I am forwarding my DNS 
> requests, with the key option in the dig command, I do get the desired 
> proper output. I guess I am missing something in the BIND configs. Please 
> advise me.
When you TSIG-sign your outgoing dig query, are you using *exactly* the 
same key file, via "-k", as named itself uses when it authenticates the 
incoming zone transfer requests?

If you're using "-y", you're presumably typing out the key name and key 
secret on the command line, and it's very easy to screw that up. Just 
saying...

Failing that, one interesting experiment would be to try a zone transfer 
in the opposite direction, using dig. Does that work?

Lastly, is it possible that your box is multi-homed and the other server 
is expecting a different TSIG key for DNS transactions sourced from a 
different address than the one it uses for zone transfers? The answer to 
this question may get rather complicated if any NAT'ing is involved, of 
course...

                             - Kevin
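As an added illustration of the diagnosis above (example code, not from this thread or from BIND), here is a small Python parser for the `;; TSIG PSEUDOSECTION:` block that dig prints. It reads the TSIG record fields in BIND's presentation order and maps the error mnemonic (BADSIG, BADKEY, BADTIME) to the mismatch it usually indicates; the sample output is constructed to match the line quoted above, and `diagnose_tsig` is a hypothetical helper name.

```python
import time

# Constructed sample shaped like the log line quoted in the thread (that line
# carried no key name before the TTL; dig normally prints one).
SAMPLE_DIG_OUTPUT = """\
;; TSIG PSEUDOSECTION:
 0   ANY     TSIG    hmac-md5.sig-alg.reg.int. 1380379945 300 0 55359 BADSIG 0
"""

# RFC 2845 TSIG error codes; dig usually prints the mnemonic, sometimes the number.
ERROR_NAMES = {"0": "NOERROR", "16": "BADSIG", "17": "BADKEY", "18": "BADTIME"}

def parse_tsig_pseudosection(dig_output):
    """Return the TSIG fields from dig's ';; TSIG PSEUDOSECTION:', or None if absent.

    Presentation order: [keyname] ttl class TSIG algorithm time-signed fudge
    mac-size [mac] original-id error other-len [other-data]. Parsing forward from
    the 'TSIG' token lets the two size-prefixed fields be skipped when empty.
    """
    lines = dig_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(";; TSIG PSEUDOSECTION:"):
            record = []
            for follow in lines[i + 1:]:  # dig may wrap a long MAC onto more lines
                if not follow.strip() or follow.startswith(";;"):
                    break
                record.append(follow.strip())
            tokens = " ".join(record).split()
            break
    else:
        return None
    t = tokens.index("TSIG")
    f = {"algorithm": tokens[t + 1], "time_signed": int(tokens[t + 2]),
         "fudge": int(tokens[t + 3]), "mac_size": int(tokens[t + 4])}
    idx = t + 5
    f["mac"] = tokens[idx] if f["mac_size"] > 0 else None  # empty MAC on a rejected query
    idx += 1 if f["mac"] else 0
    f["original_id"] = int(tokens[idx])
    f["error"] = ERROR_NAMES.get(tokens[idx + 1], tokens[idx + 1])
    f["other_len"] = int(tokens[idx + 2])
    return f

def diagnose_tsig(f, now=None):
    """Map the TSIG error to the client/server mismatch that usually produces it."""
    now = int(time.time()) if now is None else now
    skew = abs(now - f["time_signed"])
    if f["error"] == "NOERROR":
        return "NOERROR: server verified the MAC with the key of that name"
    if f["error"] == "BADSIG":  # name known to the server, but secret or algorithm differs
        return "BADSIG: key name accepted, MAC rejected; compare secret and algorithm with the server's copy"
    if f["error"] == "BADKEY":
        return "BADKEY: server has no key of that name associated with this client"
    if f["error"] == "BADTIME":
        return f"BADTIME: time-signed outside the server's fudge window ({f['fudge']}s); local skew {skew}s"
    return f"{f['error']}: unrecognised TSIG error"
```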
