TSIG for the Xfrin module?

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Thu Dec 8 19:25:24 UTC 2011


At Thu, 8 Dec 2011 19:02:37 +0000,
"Spain, Dr. Jeffry A." <spainj at countryday.net> wrote:

> The above did not work, but after some trial and error I was successful with the following:
> config set tsig_keys/keys ["nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256"]
> config set Xfrin/zones[0]/tsig_key "nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256"
> 
> I also tried to add the ACL you suggested:
> config set Xfrin/zones[0]/transfer_acl [{"action": "ACCEPT", "from": "2001:4870:20ca:158:4423:f19d:4ead:5c20", "key": "nstest.key"}]
> This resulted in the error message "Error: /Xfrin/zones[0]/transfer_acl not found". Perhaps the ACL is not required or the syntax should be something different?

Hmm, did I really suggest an ACL for xfrin?  Maybe I confused you, but
no, ACL is not required for xfrin; in fact it doesn't make sense
because xfrin is a "client" (ACLs are generally for "servers").

Also, I suspect you don't have to specify the global tsig_keys/keys
for this purpose (you'll need it for TSIG + xfrout), although it
should be harmless.

> Here's the resulting bind10 configuration:

> Xfrin/zones[0]/tsig_key "nstest.key:QfnnmDaWwWzanr3u+/hjqSfiMxPv03/k4S/3CdtND1k=:hmac-sha256"   string

> server 2001:4870:20ca:158:14ff:7695:9632:e9ec {
>         keys { nstest-bind10.jaspain.net. ; };
> };

> I don't know what the problem with the key might be. Perhaps there is something wrong with my syntax above in specifying the key on bind10 -- it does work between two bind9 servers. What do you suggest?

These TSIG key names must be identical.  If you specify "nstest.key"
in one configuration, you should specify the same name for the other,
not (e.g.) "nstest-bind10.jaspain.net", or vice versa.

> Also despite logging being set to DEBUG level 40 on bind10, there were no log entries recorded in relation to this failed update. I'm not sure what is going on there. The last log entries are from 4 hours ago when I configured the keys.

Hmm, that's strange.  At least according to the source code, it should
be logged with the ID XFRIN_XFR_TRANSFER_FAILURE at the log level of
"error".

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
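The key-name requirement from the reply above, as an added checker (constructed example code, not BIND code and not from the thread): it parses BIND 10's "name:secret:algorithm" tsig_key form, pulls the key names out of a BIND 9 server clause, and compares them as DNS does (case-insensitive, trailing dot optional). Addresses, key names and the secret are constructed samples; the algorithm list is assumed from the standard TSIG HMAC names.

```python
"""Cross-check a BIND 10 xfrin tsig_key string against a BIND 9 server clause."""
import base64
import binascii
import re

# Standard TSIG HMAC algorithm names (RFC 4635); assumed to be what BIND 10 accepts.
TSIG_ALGORITHMS = {"hmac-md5", "hmac-sha1", "hmac-sha224",
                   "hmac-sha256", "hmac-sha384", "hmac-sha512"}


def normalize_name(name):
    """DNS names compare case-insensitively, with or without a trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_bind10_tsig_key(spec):
    """Parse BIND 10's 'name:base64secret:algorithm' form; raise on defects."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError("expected name:secret:algorithm, got %r" % spec)
    name, secret_b64, algorithm = parts
    try:
        secret = base64.b64decode(secret_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is not valid base64: %s" % exc)
    if algorithm.lower() not in TSIG_ALGORITHMS:
        raise ValueError("unknown TSIG algorithm %r" % algorithm)
    return {"name": normalize_name(name), "secret": secret,
            "algorithm": algorithm.lower()}


def bind9_server_key_names(clause):
    """Return the key names listed in a BIND 9 'server X { keys { ... }; };' clause."""
    match = re.search(r"keys\s*\{([^}]*)\}", clause)
    if match is None:
        return []
    return [normalize_name(n) for n in match.group(1).split(";") if n.strip()]


def check_key_names(bind10_spec, bind9_clause):
    """True when the BIND 9 server clause names the key BIND 10 xfrin signs with."""
    bind10_name = parse_bind10_tsig_key(bind10_spec)["name"]
    return bind10_name in bind9_server_key_names(bind9_clause)


# Constructed sample secret (32 zero bytes, base64), NOT a real key.
SAMPLE_SECRET = base64.b64encode(bytes(32)).decode()
BIND10_KEY = "nstest.key:%s:hmac-sha256" % SAMPLE_SECRET
# Mirrors the thread's mismatch: the BIND 9 side names a different key.
BIND9_MISMATCH = "server 2001:db8::1 { keys { nstest-bind10.example.net. ; }; };"
BIND9_MATCH = "server 2001:db8::1 { keys { NSTEST.KEY. ; }; };"

if __name__ == "__main__":
    print("mismatch case ok:", check_key_names(BIND10_KEY, BIND9_MISMATCH))  # False
    print("matching case ok:", check_key_names(BIND10_KEY, BIND9_MATCH))     # True
```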
