TSIG afxr failed while receiving responses: REFUSED

Mark Andrews marka at isc.org
Sun May 25 21:58:48 UTC 2014


I suggest that you stop obfuscating the details.  Errors like this are
almost always in the details.  Hide the secret ('x' it out) but nothing
else.  The spelling of key names is important (they must match exactly)
as are the IP addresses.

Did you reload both servers after updating them?  Did you update
the correct instances of named.conf?  It is easy to update the wrong
instance when you are using chroot (-t).

Mark

In message <87ppj19a7l.fsf at muck.riseup.net>, micah writes:
> 
> 
> Hi,
> 
> I've been struggling to get TSIG setup for securing the AXFR of my zone
> transfers from the master to the secondaries. I've tried what feels like
> everything I can think of, but I am still unable to get it to work
> right. I must be missing something, and I hope that the bind community
> can tell me what it is.
> 
> I'm using the new 9.10 version of bind, so I created the tsig file on
> the master by doing tsig-keygen > /etc/bind/tsig.keys; it looks like
> this:
> 
> key "tsig-key" {
>         algorithm hmac-sha256;
>         secret "weeetsigblobhere=";
> };
> 
> my named.conf has:
> 
> include "/etc/bind/rndc.key";
> include "/etc/bind/tsig.keys";
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> 
> and my named.conf.options has:
> 
> zone "example.net" {
>         type master;
>         allow-transfer { key tsig.key.; };
>         also-notify { ip.address.here.x; };
>         file "/etc/bind/master/db.example";
>         auto-dnssec maintain;
>         inline-signing yes;
> };
> 
> on the slave I have copied over the tsig.keys file and added to the
> bottom of it:
> 
> key "tsig-key" {
>         algorithm hmac-sha256;
>         secret "weeetsigblobhere=";
> };
> 
> server ip.of.master.here {
>  keys { "tsig-key"; };
> };
> 
> 
> now when I try to do a zone transfer:
> 
> root at owl:/etc/bind# rndc retransfer example.net
> 21-May-2014 09:34:11.828 received control channel command 'retransfer example.net'
> 21-May-2014 09:34:11.907 zone example.net/IN: Transfer started.
> 21-May-2014 09:34:11.987 transfer of 'example.net/IN' from ip.address.of.master#53: connected using ip.address.of.slave#48600
> 21-May-2014 09:34:12.068 transfer of 'example.net/IN' from ip.address.of.master#53: failed while receiving responses: REFUSED
> 21-May-2014 09:34:12.068 transfer of 'example.net/IN' from ip.address.of.master#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.080 secs (0 bytes/sec)
> 
> and I see on the master:
> 
> 21-May-2014 16:34:12.031 client ip.address.of.slave#48600/key tsig-key (example.net): zone transfer example.net/AXFR/IN' denied
> 
> What am I missing?
> 
> thanks!
> micah
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
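The reply's point is that TSIG key names must match exactly between the `key "..."` statement and every place that references it (`allow-transfer { key ...; }` on the master, `server { keys { ...; }; }` on the secondary). As an added example that is not part of this thread or of BIND itself, here is a small Python checker that scans named.conf fragments with a simplified regex parser (it does not handle every named.conf construct) and reports key references that have no exactly matching definition; the two config fragments are constructed from the thread, with the secrets replaced by dummies.

```python
import difflib
import re

# Constructed named.conf fragments modelled on the thread: the master defines
# key "tsig-key" but allow-transfer references "tsig.key." (the mismatch the
# reply points at). Secrets are dummies.
MASTER_CONF = '''
key "tsig-key" { algorithm hmac-sha256; secret "xxxxxxxxxxxxxxxxxxxx="; };
zone "example.net" {
        type master;
        allow-transfer { key tsig.key.; };
        file "/etc/bind/master/db.example";
};
'''
SLAVE_CONF = '''
key "tsig-key" { algorithm hmac-sha256; secret "xxxxxxxxxxxxxxxxxxxx="; };
server 192.0.2.1 { keys { "tsig-key"; }; };
'''

KEY_DEF = re.compile(r'\bkey\s+"?([^"\s{;]+)"?\s*\{')   # key "name" { ... }
KEY_REF = re.compile(r'\bkey\s+"?([^"\s;]+)"?\s*;')     # ... { key name; }
KEYS_LIST = re.compile(r'\bkeys\s*\{([^}]*)\}')         # keys { "name"; }

def defined_keys(conf):
    """Names introduced by key "name" { ... }; statements."""
    return {m.group(1) for m in KEY_DEF.finditer(conf)}

def referenced_keys(conf):
    """Names used in allow-transfer { key ...; } and server keys { ... } lists."""
    refs = {m.group(1) for m in KEY_REF.finditer(conf)}
    for m in KEYS_LIST.finditer(conf):
        refs.update(n.strip().strip('"') for n in m.group(1).split(';') if n.strip())
    return refs

def undefined_key_refs(conf):
    """Return [(reference, closest_defined_name_or_None)] for references that
    have no exactly matching key statement, sorted by reference name."""
    defined = defined_keys(conf)
    out = []
    for ref in sorted(referenced_keys(conf) - defined):
        close = difflib.get_close_matches(ref, sorted(defined), n=1, cutoff=0.6)
        out.append((ref, close[0] if close else None))
    return out

if __name__ == "__main__":
    for label, conf in (("master", MASTER_CONF), ("slave", SLAVE_CONF)):
        for ref, hint in undefined_key_refs(conf):
            print(f"{label}: key '{ref}' is referenced but never defined"
                  + (f" (closest: '{hint}')" if hint else ""))
```

Run against the master fragment it flags `tsig.key.` and suggests `tsig-key`; the slave fragment, where the name in `keys { }` matches the definition, produces no findings.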