TSIG for the Xfrin module?

Thu Dec 8 19:02:37 UTC 2011

>This is not a valid TSIG configuration for Xfrin it should be something like:
> config set Xfrin/zones[0]/tsig_key nstest.key:<base64-key>
>If you want to use hmac-sha256...
> ...it would be:
> config set Xfrin/zones[0]/tsig_key nstest.key:<base64-key>:sha-256.

The above did not work, but after some trial and error I was successful with the following:
config set tsig_keys/keys ["nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256"]
config set Xfrin/zones[0]/tsig_key "nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256"

I also tried to add the ACL you suggested:
config set Xfrin/zones[0]/transfer_acl [{"action": "ACCEPT", "from": "2001:4870:20ca:158:4423:f19d:4ead:5c20", "key": "nstest.key"}]
This resulted in the error message "Error: /Xfrin/zones[0]/transfer_acl not found". Perhaps the ACL is not required or the syntax should be something different?

Here's the resulting bind10 configuration:
> config show tsig_keys/keys
tsig_keys/keys[0]       "nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256"   string
> config show Zonemgr/secondary_zones[0]
Zonemgr/secondary_zones[0]/class        "IN"    string
Zonemgr/secondary_zones[0]/name "jaspain.net"   string
> config show Xfrin/zones[0]
Xfrin/zones[0]/name     "jaspain.net"   string
Xfrin/zones[0]/class    "IN"    string  (default)
Xfrin/zones[0]/master_addr      "2001:4870:20ca:158:4423:f19d:4ead:5c20"        string
Xfrin/zones[0]/master_port      53      integer (default)
Xfrin/zones[0]/tsig_key "nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256"   string
Xfrin/zones[0]/use_ixfr false   boolean (default)
> config show all Logging/loggers
Logging/loggers[0]/name "*"     string
Logging/loggers[0]/severity     "DEBUG" string
Logging/loggers[0]/debuglevel   40      integer
Logging/loggers[0]/additive     false   boolean (default)
Logging/loggers[0]/output_options[0]/destination        "file"  string
Logging/loggers[0]/output_options[0]/output     "/var/log/bind10.log"   string
Logging/loggers[0]/output_options[0]/flush      true    boolean
Logging/loggers[0]/output_options[0]/maxsize    1048576 integer
Logging/loggers[0]/output_options[0]/maxver     16      integer

Following this I did an update on the bind9 master, and captured the resulting nework traffic with tcpdump. The master sent a notify message to the bind10 slave, and the slave responded with an error "Bad key (17)". The key configured on the bind9 master is as follows:
key nstest-bind10.jaspain.net. {
        algorithm hmac-sha256;
        secret "QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=";
};

server 2001:4870:20ca:158:14ff:7695:9632:e9ec {
        keys { nstest-bind10.jaspain.net. ; };
};

I don't know what the problem with the key might be. Perhaps there is something wrong with my syntax above in specifying the key on bind10 -- it does work between two bind9 servers. What do you suggest?

Also despite logging being set to DEBUG level 40 on bind10, there were no log entries recorded in relation to this failed update. I'm not sure what is going on there. The last log entries are from 4 hours ago when I configured the keys.

Thanks for any additional recommendations you may have. Jeff.