TSIG afxr failed while receiving responses: REFUSED

micah micah at riseup.net
Sun May 25 14:58:22 UTC 2014


I've been struggling to get TSIG setup for securing the AXFR of my zone
transfers from the master to the secondaries. I've tried what feels like
everything I can think of, but I am still unable to get it to work
right. I must be missing something, and I hope that the bind community
can tell me what it is.

I'm using the new 9.10 version of bind, so I created the tsig file on
the master by doing tsig-keygen > /etc/bind/tsig.keys, it looks like

key "tsig-key" {
        algorithm hmac-sha256;
        secret "weeetsigblobhere=";

my named.conf has:

include "/etc/bind/rndc.key";
include "/etc/bind/tsig.keys";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

and my named.conf.options has:

zone "example.net" {
        type master;
        allow-transfer { key tsig.key.; };
        also-notify { ip.address.here.x; };
        file "/etc/bind/master/db.example";
        auto-dnssec maintain;
        inline-signing yes;

on the slave I have copied over the tsig.keys file and added to the
bottom of it:

key "tsig-key" {
        algorithm hmac-sha256;
        secret "weeetsigblobhere=";

server ip.of.master.here {
 keys { "tsig-key"; };

now when I try to do a zone transfer:

root at owl:/etc/bind# rndc retransfer example.net
21-May-2014 09:34:11.828 received control channel command 'retransfer example.net'
21-May-2014 09:34:11.907 zone example.net/IN: Transfer started.
21-May-2014 09:34:11.987 transfer of 'example.net/IN' from ip.address.of.master#53: connected using ip.address.of.slave#48600
21-May-2014 09:34:12.068 transfer of 'example.net/IN' from ip.address.of.master#53: failed while receiving responses: REFUSED
21-May-2014 09:34:12.068 transfer of 'example.net/IN' from ip.address.of.master#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.080 secs (0 bytes/sec)

and I see on the master:

21-May-2014 16:34:12.031 client ip.address.of.slave#48600/key tsig-key (example.net): zone transfer example.net/AXFR/IN' denied

What am I missing?


More information about the bind-users mailing list