<div dir="ltr">Hi Patrik. 9.9? Classic! :D<div>I don't believe there should be any incompatibilities. Are you perhaps falling foul of this? From Cricket's book, chapter 11</div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div class="gmail-page" title="Page 308"><div class="gmail-section"><div class="gmail-layoutArea"><div class="gmail-column"><p><span style="font-size:10pt;font-family:Birka">It’s important that the name of the key—not just the binary data the key points to—
be identical on both ends of the transaction. If it’s not, the recipient tries to verify the
TSIG record and finds it doesn’t know the key that the TSIG record says was used to
compute the hash value. That causes errors such as the following:
</span></p></div></div></div></div></div><div><div class="gmail-page" title="Page 308"><div class="gmail-section"><div class="gmail-layoutArea"><div class="gmail-column"><p><span style="font-size:8pt;font-family:TheSansMonoCondensed">Jan 4 16:05:35 wormhole named[86705]: client 192.249.249.1#4666: request has invalid
signature: TSIG <a href="http://tsig-key.movie.edu">tsig-key.movie.edu</a>: tsig verify failure (BADKEY) </span></p></div></div></div></div></div></blockquote><div>I'd take packet captures of both cases and compare them, see what the differences are.</div><div>Hope that helps.</div><div>Greg</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 21 Feb 2023 at 16:06, Patrik.Graser--- via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-3742343679617028129">
<div lang="SV">
<div class="m_-3742343679617028129WordSection1">
<p class="MsoNormal">Hi all</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US">Due to circumstances beyond my control a remote partner needs to use a 9.9.9 version of BIND and we are required to use HMAC-MD5 for zone transfers. There is no (big) security concern since the networks are isolated and not exposed to the larger Internet.</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US">When the secondary requests an AXFR I see:</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">client @0xxxxxxxxxxxxx nnn.nnn.nnn.nnn#xxxxxx: request has invalid signature: TSIG &lt;KEY&gt;: tsig verify failure (BADSIG)</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US">Doing a dig directly (with the same key) I get the zone:</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">client @0xxxxxxxxxxxxx nnn.nnn.nnn.nnn#xxxxxx /key &lt;KEY&gt; (zone.tld): transfer of 'zone.tld/IN': AXFR started: TSIG &lt;KEY&gt; (serial nnnn)</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US">Are there any known incompatibilities – preferably with workarounds :) – that anyone knows about?</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US">I apologize in advance if the info is lacking, but here are what I consider the relevant parts of named.conf:</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">key "&lt;KEY&gt;." {</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> algorithm hmac-md5;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> secret "XXXXXXXXXXXXXXXXXXXXXX";</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">};</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">acl servers {</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> nnn.nnn.nnn.nnn;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> nnn.nnn.nnn.nnn;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> nnn.nnn.nnn.nnn;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">};</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">acl transfer {</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> !servers;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> !localhost;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> !nnn.nnn.nnn.nnn;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> any;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">};</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">zone "zone.tld." IN {</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> type master;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> file "/etc/bind/zones/zone.file";</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'"> allow-transfer { !transfer; key &lt;KEY&gt;.; };</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;font-family:'Lucida Console'">};</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US">Again – sorry if this is insufficient information.</span></p>
<p class="MsoNormal"><span lang="EN-US">It could be as simple as the remote not having everything in order, but they swear up and down that they have checked, double-checked and enlisted multiple persons in doing the checks.</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US">I would appreciate any and all hints, even if they are far-fetched.</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US">Best Regards</span></p>
<p class="MsoNormal"><span lang="EN-US">Patrik Graeser</span></p>
</div>
</div>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</div></blockquote></div>
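<p>The thread turns on the difference between the two TSIG error codes: the book excerpt Greg quotes shows BADKEY (the receiver does not know the key name carried in the TSIG record), while Patrik's primary logs BADSIG (the key name is accepted, but the HMAC does not match). The following Python example is added here and is not code from the thread, from BIND or from Cricket's book; it implements the RFC 2845 HMAC-MD5 MAC computation and the key/MAC/time check order of section 4.5 with the standard library only, so the two failure modes can be reproduced side by side. The key name <code>transfer-key</code>, the secret, the timestamp and the query are constructed values; the message being signed is a bare AXFR query, whereas a real server hashes the complete DNS message with the TSIG RR removed and ARCOUNT decremented, followed by the same TSIG variables.</p>

```python
import hashlib
import hmac
import struct

# RFC 2845 constants: the HMAC-MD5 algorithm name, the class/TTL that go into
# the TSIG variables, the AXFR qtype, and the TSIG-specific RCODEs.
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."
CLASS_ANY = 255
AXFR = 252
NOERROR, BADSIG, BADKEY, BADTIME = 0, 16, 17, 18


def canonical(name: str) -> str:
    """Key and algorithm names compare case-insensitively, with or without a trailing dot."""
    return name.lower().rstrip(".")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format domain name, as required inside the MAC input."""
    out = b""
    for label in canonical(name).split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = AXFR, msg_id: int = 0x1234) -> bytes:
    """Minimal DNS query (header + one question): the message before a TSIG RR is appended."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' RFC 2845 section 3.4.2 appends to the message before hashing."""
    return (wire_name(key_name)
            + struct.pack("!HI", CLASS_ANY, 0)                                  # class ANY, TTL 0
            + wire_name(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def compute_mac(secret: bytes, message: bytes, variables: bytes) -> bytes:
    """HMAC-MD5 over (request message || TSIG variables), as for a request with no prior MAC."""
    return hmac.new(secret, message + variables, hashlib.md5).digest()


def sign(message, key_name, secret, time_signed, fudge=300):
    """Sign a request; returns the fields the signer places in its TSIG RR."""
    variables = tsig_variables(key_name, HMAC_MD5_ALG, time_signed, fudge)
    return {"key_name": key_name, "algorithm": HMAC_MD5_ALG,
            "time_signed": time_signed, "fudge": fudge,
            "mac": compute_mac(secret, message, variables)}


def verify(message, tsig, keyring, now):
    """Check in the order RFC 2845 section 4.5 prescribes: key name, then MAC, then time."""
    secrets = {canonical(k): v for k, v in keyring.items()}
    secret = secrets.get(canonical(tsig["key_name"]))
    if secret is None or canonical(tsig["algorithm"]) != canonical(HMAC_MD5_ALG):
        return BADKEY      # key name (or algorithm) unknown on this side: the book's example
    variables = tsig_variables(tsig["key_name"], tsig["algorithm"],
                               tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(compute_mac(secret, message, variables), tsig["mac"]):
        return BADSIG      # key name accepted, MAC differs: secret or hashed message differs
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return BADTIME
    return NOERROR


def demo():
    """Constructed scenario: what the signer sends versus what the verifier has configured."""
    secret = b"constructed-example-secret"   # named.conf carries this base64-encoded
    t = 1676995200                           # constructed 'time signed'
    msg = build_query("zone.tld.")
    signed = sign(msg, "transfer-key.", secret, t)
    return {
        # same key under a differently written name: names are compared canonically
        "same_name_same_secret": verify(msg, signed, {"TRANSFER-KEY": secret}, t),
        # verifier has no key under the name in the TSIG RR -> BADKEY
        "unknown_name": verify(msg, signed, {"other-key.": secret}, t),
        # right name, different secret -> BADSIG
        "wrong_secret": verify(msg, signed, {"transfer-key.": b"different-secret"}, t),
        # right key, but the message seen by the verifier is not what was signed -> BADSIG
        "tampered_message": verify(build_query("other.tld."), signed, {"transfer-key.": secret}, t),
        # right key and MAC, clocks too far apart -> BADTIME
        "clock_skew": verify(msg, signed, {"transfer-key.": secret}, t + 3600),
    }


if __name__ == "__main__":
    for case, rcode in demo().items():
        print(f"{case}: {rcode}")
```

<p>Read against the log lines above: a BADKEY would mean the primary has no key under the name the secondary sends, which the canonical comparison shows is not a matter of case or the trailing dot. BADSIG means the name was found and it is the secret or the hashed message that differs, which is why comparing a capture of the failing AXFR with one of the working dig, as Greg suggests, is the direct way to see which of the two it is.</p>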