XFRIN/TSIG fails from NSD (primary) server: TSIG verify fail: FORMERR

Christian 'wiwi' Wittenhorst wiwi at progon.net
Sat Sep 1 17:33:40 UTC 2012 

On 2012-09-01 18:14, JINMEI Tatuya / 神明達哉 wrote:

> If it's an experimental setup, I'd first try to remove the TSIG
> configuration and see if it works.  I'd also check whether there's any
> TSIG related error logged at the primary (NSD) side.

Works fine without TSIG. BUT: other zones (as "as34288.ch." or 
"32.234.46.in-addr.arpa.") WORK FINE on the same server WITH TSIG 
ENABLED (same source, identical setup).

There are no log entries on the NSD side.

Bind10 seems to close the connection BEFORE the AXFR is complete (see 
attachment!).

The zone as34288.net seems to be special, something causes the 
validation or the transfer to fail.

I enabled XFR from everywhere. Feel free to test yourself:

dig as34288.net axfr @adns0.as34288.net -y 
hmac-sha256:xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=

Bind10 version is "bind10-devel-20120816".

Best regards,

	Christian

  > config show all
Boss/components/b10-cmdctl/special      "cmdctl"        string
Boss/components/b10-cmdctl/process      null    string
Boss/components/b10-cmdctl/kind "needed"        string
Boss/components/b10-cmdctl/address      null    string
Boss/components/b10-cmdctl/params       []      list
Boss/components/b10-cmdctl/priority     null    integer
Boss/components/b10-auth-0/special      "auth"  string
Boss/components/b10-auth-0/process      null    string
Boss/components/b10-auth-0/kind "needed"        string
Boss/components/b10-auth-0/address      null    string
Boss/components/b10-auth-0/params       []      list
Boss/components/b10-auth-0/priority     10      integer
Boss/components/b10-stats/special       null    string
Boss/components/b10-stats/process       null    string
Boss/components/b10-stats/kind  "dispensable"   string
Boss/components/b10-stats/address       "Stats" string
Boss/components/b10-stats/params        []      list
Boss/components/b10-stats/priority      null    integer
Boss/components/b10-xfrin/special       null    string
Boss/components/b10-xfrin/process       null    string
Boss/components/b10-xfrin/kind  "needed"        string
Boss/components/b10-xfrin/address       null    string
Boss/components/b10-xfrin/params        []      list
Boss/components/b10-xfrin/priority      10      integer
Boss/components/b10-zonemgr/special     null    string
Boss/components/b10-zonemgr/process     null    string
Boss/components/b10-zonemgr/kind        "needed"        string
Boss/components/b10-zonemgr/address     null    string
Boss/components/b10-zonemgr/params      []      list
Boss/components/b10-zonemgr/priority    10      integer
Boss/components/b10-auth-1/special      "auth"  string
Boss/components/b10-auth-1/process      null    string
Boss/components/b10-auth-1/kind "needed"        string
Boss/components/b10-auth-1/address      null    string
Boss/components/b10-auth-1/params       []      list
Boss/components/b10-auth-1/priority     10      integer
Zonemgr/lowerbound_refresh      10      integer (default)
Zonemgr/lowerbound_retry        5       integer (default)
Zonemgr/max_transfer_timeout    14400   integer (default)
Zonemgr/refresh_jitter  0.25    real    (default)
Zonemgr/reload_jitter   0.75    real    (default)
Zonemgr/secondary_zones[0]/class        "IN"    string  (default)
Zonemgr/secondary_zones[0]/name "as34288.net"   string
Zonemgr/secondary_zones[1]/class        "IN"    string  (default)
Zonemgr/secondary_zones[1]/name "32.234.46.in-addr.arpa"        string
Zonemgr/secondary_zones[2]/class        "IN"    string  (default)
Zonemgr/secondary_zones[2]/name "as34288.ch"    string
Cmdctl/key_file "/opt/bind10/etc/bind10-devel/cmdctl-keyfile.pem" string 
  (default)
Cmdctl/cert_file "/opt/bind10/etc/bind10-devel/cmdctl-certfile.pem" 
  string  (default)
Cmdctl/accounts_file "/opt/bind10/etc/bind10-devel/cmdctl-accounts.csv" 
      string  (default)
tsig_keys/keys[0] 
"xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=:hmac-sha256"  string
Auth/database_file      "/opt/bind10/var/bind10-devel/zone.sqlite3" 
string  (default)
Auth/datasources        []      list    (default)
Auth/statistics-interval        60      integer (default)
Auth/listen_on[0]/address       "::"    string  (default)
Auth/listen_on[0]/port  53      integer (default)
Auth/listen_on[1]/address       "0.0.0.0"       string  (default)
Auth/listen_on[1]/port  53      integer (default)
data_sources/classes/IN[0]/type "sqlite3"       string  (default)
data_sources/classes/IN[0]/params       {"database_file": 
"/opt/bind10/var/bind10-devel/zone.sqlite3"}  any     (default)
data_sources/classes/IN[0]/cache-enable false   boolean (default)
data_sources/classes/IN[0]/cache-zones  []      list
data_sources/classes/CH[0]/type "static"        string  (default)
data_sources/classes/CH[0]/params 
"/opt/bind10/share/bind10-devel/static.zone"    any     (default)
data_sources/classes/CH[0]/cache-enable false   boolean (default)
data_sources/classes/CH[0]/cache-zones  []      list
Logging/loggers[0]/name "*"     string
Logging/loggers[0]/severity     "DEBUG" string
Logging/loggers[0]/debuglevel   40      integer
Logging/loggers[0]/additive     false   boolean
Logging/loggers[0]/output_options[0]/destination        "file"  string
Logging/loggers[0]/output_options[0]/output     "/tmp/bind10-debug.log" 
string
Logging/loggers[0]/output_options[0]/flush      true    boolean
Logging/loggers[0]/output_options[0]/maxsize    1048576 integer
Logging/loggers[0]/output_options[0]/maxver     16      integer
Xfrin/transfers_in      10      integer (default)
Xfrin/zones[0]/name     "as34288.net"   string
Xfrin/zones[0]/class    "IN"    string  (default)
Xfrin/zones[0]/master_addr      "81.94.123.20"  string
Xfrin/zones[0]/master_port      53      integer (default)
Xfrin/zones[0]/tsig_key 
"xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=:hmac-sha256"  string
Xfrin/zones[0]/use_ixfr false   boolean (default)
Xfrin/zones[1]/name     "32.234.46.in-addr.arpa"        string
Xfrin/zones[1]/class    "IN"    string  (default)
Xfrin/zones[1]/master_addr      "81.94.123.20"  string
Xfrin/zones[1]/master_port      53      integer (default)
Xfrin/zones[1]/tsig_key 
"xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=:hmac-sha256"  string
Xfrin/zones[1]/use_ixfr false   boolean (default)
Xfrin/zones[2]/name     "as34288.ch"    string
Xfrin/zones[2]/class    "IN"    string  (default)
Xfrin/zones[2]/master_addr      "81.94.123.20"  string
Xfrin/zones[2]/master_port      53      integer (default)
Xfrin/zones[2]/tsig_key 
"xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=:hmac-sha256"  string
Xfrin/zones[2]/use_ixfr false   boolean (default)

2012-09-01 18:38:26.409 INFO  [b10-xfrin.xfrin] 
XFRIN_XFR_TRANSFER_STARTED AXFR transfer of zone as34288.ch/IN started
2012-09-01 18:38:26.483 DEBUG [b10-xfrin.xfrin] 
XFRIN_GOT_NONINCREMENTAL_RESP got nonincremental response for as34288.ch/IN
2012-09-01 18:38:26.483 DEBUG [b10-xfrin.datasrc] DATASRC_SQLITE_NEWCONN 
SQLite3Database is being initialized
2012-09-01 18:38:26.483 DEBUG [b10-xfrin.datasrc] 
DATASRC_SQLITE_CONNOPEN Opening sqlite database file 
'/opt/bind10/var/bind10-devel/zone.sqlite3'
2012-09-01 18:38:26.534 DEBUG [b10-xfrin.datasrc] 
DATASRC_SQLITE_DROPCONN SQLite3Database is being deinitialized
2012-09-01 18:38:26.534 DEBUG [b10-xfrin.datasrc] 
DATASRC_SQLITE_CONNCLOSE Closing sqlite database
2012-09-01 18:38:26.535 INFO  [b10-xfrin.xfrin] XFRIN_TRANSFER_SUCCESS 
full AXFR transfer of zone as34288.ch/IN succeeded (messages: 1, 
records: 58, bytes: 6824, run time: 0.150 seconds, 45547 bytes/second)
2012-09-01 18:38:26.535 DEBUG [b10-xfrin.xfrin] XFRIN_AUTH_LOADZONE 
sending Auth loadzone for origin=as34288.ch., class=IN
2012-09-01 18:38:26.535 DEBUG [b10-auth.auth] AUTH_RECEIVED_COMMAND 
command 'loadzone' received
2012-09-01 18:38:26.535 ERROR [b10-auth.auth] AUTH_COMMAND_FAILED 
execution of command channel instruction 'loadzone' failed: Zone 
as34288.ch./IN is not served from memory, but direcly from the data 
source. It is not possible to reload it into memory. Configure it to be 
cached first.
2012-09-01 18:38:26.536 DEBUG [b10-auth.auth] AUTH_RECEIVED_COMMAND 
command 'loadzone' received
2012-09-01 18:38:26.536 ERROR [b10-auth.auth] AUTH_COMMAND_FAILED 
execution of command channel instruction 'loadzone' failed: Zone 
as34288.ch./IN is not served from memory, but direcly from the data 
source. It is not possible to reload it into memory. Configure it to be 
cached first.

nsd config:

zone:
          name: as34288.net
          zonefile: secondary/as34288.net
          allow-notify: 127.0.0.1 NOKEY
          allow-notify: ::1 NOKEY
          allow-notify: 109.233.182.9 NOKEY
          request-xfr:  109.233.182.9 NOKEY
          include: /etc/nsd/xfr-allowed.list
          include: /etc/nsd/notify.list

zone:
          name: as34288.ch
          zonefile: secondary/as34288.ch
          allow-notify: 127.0.0.1 NOKEY
          allow-notify: ::1 NOKEY
          allow-notify: 109.233.182.9 NOKEY
          request-xfr:  109.233.182.9 NOKEY
          include: /etc/nsd/xfr-allowed.list
          include: /etc/nsd/notify.list

More information about the bind10-users mailing list