TSIG for the Xfrin module?
Spain, Dr. Jeffry A.
spainj at countryday.net
Thu Dec 8 19:02:37 UTC 2011
>This is not a valid TSIG configuration for Xfrin it should be something like:
> config set Xfrin/zones[0]/tsig_key nstest.key:<base64-key>
>If you want to use hmac-sha256...
> ...it would be:
> config set Xfrin/zones[0]/tsig_key nstest.key:<base64-key>:sha-256.
The above did not work, but after some trial and error I was successful with the following:
config set tsig_keys/keys ["nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256"]
config set Xfrin/zones[0]/tsig_key "nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256"
I also tried to add the ACL you suggested:
config set Xfrin/zones[0]/transfer_acl [{"action": "ACCEPT", "from": "2001:4870:20ca:158:4423:f19d:4ead:5c20", "key": "nstest.key"}]
This resulted in the error message "Error: /Xfrin/zones[0]/transfer_acl not found". Perhaps the ACL is not required or the syntax should be something different?
Here's the resulting bind10 configuration:
> config show tsig_keys/keys
tsig_keys/keys[0] "nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256" string
> config show Zonemgr/secondary_zones[0]
Zonemgr/secondary_zones[0]/class "IN" string
Zonemgr/secondary_zones[0]/name "jaspain.net" string
> config show Xfrin/zones[0]
Xfrin/zones[0]/name "jaspain.net" string
Xfrin/zones[0]/class "IN" string (default)
Xfrin/zones[0]/master_addr "2001:4870:20ca:158:4423:f19d:4ead:5c20" string
Xfrin/zones[0]/master_port 53 integer (default)
Xfrin/zones[0]/tsig_key "nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256" string
Xfrin/zones[0]/use_ixfr false boolean (default)
> config show all Logging/loggers
Logging/loggers[0]/name "*" string
Logging/loggers[0]/severity "DEBUG" string
Logging/loggers[0]/debuglevel 40 integer
Logging/loggers[0]/additive false boolean (default)
Logging/loggers[0]/output_options[0]/destination "file" string
Logging/loggers[0]/output_options[0]/output "/var/log/bind10.log" string
Logging/loggers[0]/output_options[0]/flush true boolean
Logging/loggers[0]/output_options[0]/maxsize 1048576 integer
Logging/loggers[0]/output_options[0]/maxver 16 integer
Following this I did an update on the bind9 master, and captured the resulting network traffic with tcpdump. The master sent a notify message to the bind10 slave, and the slave responded with an error "Bad key (17)". The key configured on the bind9 master is as follows:
key nstest-bind10.jaspain.net. {
algorithm hmac-sha256;
secret "QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=";
};
server 2001:4870:20ca:158:14ff:7695:9632:e9ec {
keys { nstest-bind10.jaspain.net. ; };
};
I don't know what the problem with the key might be. Perhaps there is something wrong with my syntax above in specifying the key on bind10 -- it does work between two bind9 servers. What do you suggest?
Also despite logging being set to DEBUG level 40 on bind10, there were no log entries recorded in relation to this failed update. I'm not sure what is going on there. The last log entries are from 4 hours ago when I configured the keys.
Thanks for any additional recommendations you may have. Jeff.
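As an added illustration of the TSIG exchange above (this is example code written for this page, not code from the original post nor from BIND 9 or BIND 10): a standard-library Python model of TSIG signing and verification per RFC 8945. It signs a NOTIFY for jaspain.net with the secret quoted in the post under the key name the bind9 master uses (nstest-bind10.jaspain.net.) and verifies it against two receiver keyrings, one that knows only "nstest.key" as in the bind10 config shown, and one that knows the same name the signer used. The message ID, the timestamp and the use of a dict in place of a serialised TSIG RR in the additional section are simplifications of this example; the key names, zone and secret are the ones visible in the post.

```python
"""Minimal TSIG (RFC 8945) signing and verification with the standard library.

Added example; not code from the original post or from BIND 9 / BIND 10.
Same secret and algorithm on both sides but a different key *name* means the
receiver cannot look the key up and answers with TSIG error BADKEY (17).
"""
import base64
import hashlib
import hmac
import struct
import time

SECRET_B64 = "QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k="  # secret quoted in the post
ALGORITHM = "hmac-sha256"   # TSIG algorithm name (RFC 4635)
FUDGE = 300                 # seconds of clock skew tolerated
TSIG_NOERROR, TSIG_BADSIG, TSIG_BADKEY, TSIG_BADTIME = 0, 16, 17, 18


def wire_name(name: str) -> bytes:
    """Encode a domain name as uncompressed, lower-cased DNS wire labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def canonical(name: str) -> str:
    """Key names compare case-insensitively, with or without a trailing dot."""
    return name.rstrip(".").lower()


def notify_message(zone: str, msg_id: int = 0x1234) -> bytes:
    """A bare NOTIFY (opcode 4, AA set) with one SOA question. msg_id is made up."""
    flags = (4 << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)   # QTYPE SOA, QCLASS IN


def tsig_variables(key_name: str, time_signed: int, fudge: int, error: int, other=b"") -> bytes:
    """TSIG fields covered by the MAC (RFC 8945 s4.3.3) in wire form: key name,
    CLASS ANY, TTL 0, algorithm name, time signed (48 bits), fudge, error,
    other-len and other-data."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(msg: bytes, key_name: str, secret_b64: str, time_signed=None) -> dict:
    """Sign an unsigned message and return the TSIG fields the receiver needs.
    (A real sender serialises these into a TSIG RR in the additional section.)"""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + tsig_variables(key_name, time_signed, FUDGE, 0),
                   hashlib.sha256).digest()
    return {"key_name": key_name, "time_signed": time_signed, "fudge": FUDGE, "mac": mac}


def verify(msg: bytes, tsig: dict, keyring: dict, now=None) -> int:
    """Check a signed message against the receiver's keyring {name: base64 secret}.
    Returns the TSIG error code in the order RFC 8945 s5.2 prescribes:
    unknown key -> BADKEY, bad MAC -> BADSIG, stale time -> BADTIME."""
    now = int(time.time()) if now is None else now
    keys = {canonical(k): v for k, v in keyring.items()}
    secret_b64 = keys.get(canonical(tsig["key_name"]))
    if secret_b64 is None:
        return TSIG_BADKEY   # the "Bad key (17)" seen in the tcpdump capture
    expected = hmac.new(base64.b64decode(secret_b64),
                        msg + tsig_variables(tsig["key_name"], tsig["time_signed"],
                                             tsig["fudge"], 0),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return TSIG_BADSIG
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return TSIG_BADTIME
    return TSIG_NOERROR


def demonstrate(when: int = 1323370957) -> tuple:
    """Master signs a NOTIFY as nstest-bind10.jaspain.net.; the slave first knows
    only 'nstest.key' (mismatch), then the same name the signer used."""
    msg = notify_message("jaspain.net")
    tsig = sign(msg, "nstest-bind10.jaspain.net.", SECRET_B64, time_signed=when)
    mismatched = verify(msg, tsig, {"nstest.key": SECRET_B64}, now=when)
    matched = verify(msg, tsig, {"nstest-bind10.jaspain.net.": SECRET_B64}, now=when)
    return mismatched, matched


if __name__ == "__main__":
    print(demonstrate())   # (17, 0)
```

The key name is both the lookup handle on the receiver and part of the data under the MAC, so the name, the algorithm and the secret all have to agree on both ends; a wrong secret with a known name fails later, as BADSIG (16), and a stale timestamp as BADTIME (18).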