TSIG for the Xfrin module?
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Fri Dec 9 05:09:41 UTC 2011
At Fri, 9 Dec 2011 03:39:00 +0000,
"Spain, Dr. Jeffry A." <spainj at countryday.net> wrote:
> I restarted bind10, and then the zone did load. The bind9 log showed the TSIG key being used:
> Dec 8 21:51:34 nstest named[807]: client 2001:4870:20ca:158:14ff:7695:9632:e9ec#48301/key nstest-bind10 (jaspain.net): transfer of 'jaspain.net/IN': AXFR started: TSIG nstest-bind10
> Dec 8 21:51:34 nstest named[807]: client 2001:4870:20ca:158:14ff:7695:9632:e9ec#48301/key nstest-bind10 (jaspain.net): transfer of 'jaspain.net/IN': AXFR ended
>
> The bind10 log also showed the zone transfer, but no mention of TSIG being used:
> 2011-12-08 22:05:49.002 INFO [b10-xfrin.xfrin] XFRIN_XFR_TRANSFER_STARTED AXFR transfer of zone jaspain.net/IN started
Hmm, good catch (btw this is simply because the log message doesn't
print TSIG information; it doesn't necessarily mean TSIG isn't used).
We should probably do the same as BIND 9.
> Next I did an 'rndc reload' on the bind9 master to see how a notify query would behave. Once again I got the "Bad key (17)" error in the response from bind10.
Ah, that's because you removed the global TSIG config. Notifies are
parsed and processed by b10-auth, not xfrin, and b10-auth refers to the
global config for TSIGs, so to make notifies work you'll need to
specify it again.
Sorry for the confusion and inconvenience. We know it's not user
friendly. This will be improved in a (not far) future version.
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.