XFRIN/TSIG fails from NSD (primary) server: TSIG verify fail: FORMERR
Christian 'wiwi' Wittenhorst
wiwi at progon.net
Sat Sep 1 17:33:40 UTC 2012
On 2012-09-01 18:14, JINMEI Tatuya / 神明達哉 wrote:
> If it's an experimental setup, I'd first try to remove the TSIG
> configuration and see if it works. I'd also check whether there's any
> TSIG related error logged at the primary (NSD) side.
Works fine without TSIG. BUT: other zones (such as "as34288.ch." or
"32.234.46.in-addr.arpa.") WORK FINE on the same server WITH TSIG
ENABLED (same source, identical setup).
There are no log entries on the NSD side.
Bind10 seems to close the connection BEFORE the AXFR is complete (see
attachment!).
The zone as34288.net seems to be special, something causes the
validation or the transfer to fail.
I enabled XFR from everywhere. Feel free to test yourself:
dig as34288.net axfr @adns0.as34288.net -y hmac-sha256:xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=
Bind10 version is "bind10-devel-20120816".
Best regards,
Christian
> config show all
Boss/components/b10-cmdctl/special "cmdctl" string
Boss/components/b10-cmdctl/process null string
Boss/components/b10-cmdctl/kind "needed" string
Boss/components/b10-cmdctl/address null string
Boss/components/b10-cmdctl/params [] list
Boss/components/b10-cmdctl/priority null integer
Boss/components/b10-auth-0/special "auth" string
Boss/components/b10-auth-0/process null string
Boss/components/b10-auth-0/kind "needed" string
Boss/components/b10-auth-0/address null string
Boss/components/b10-auth-0/params [] list
Boss/components/b10-auth-0/priority 10 integer
Boss/components/b10-stats/special null string
Boss/components/b10-stats/process null string
Boss/components/b10-stats/kind "dispensable" string
Boss/components/b10-stats/address "Stats" string
Boss/components/b10-stats/params [] list
Boss/components/b10-stats/priority null integer
Boss/components/b10-xfrin/special null string
Boss/components/b10-xfrin/process null string
Boss/components/b10-xfrin/kind "needed" string
Boss/components/b10-xfrin/address null string
Boss/components/b10-xfrin/params [] list
Boss/components/b10-xfrin/priority 10 integer
Boss/components/b10-zonemgr/special null string
Boss/components/b10-zonemgr/process null string
Boss/components/b10-zonemgr/kind "needed" string
Boss/components/b10-zonemgr/address null string
Boss/components/b10-zonemgr/params [] list
Boss/components/b10-zonemgr/priority 10 integer
Boss/components/b10-auth-1/special "auth" string
Boss/components/b10-auth-1/process null string
Boss/components/b10-auth-1/kind "needed" string
Boss/components/b10-auth-1/address null string
Boss/components/b10-auth-1/params [] list
Boss/components/b10-auth-1/priority 10 integer
Zonemgr/lowerbound_refresh 10 integer (default)
Zonemgr/lowerbound_retry 5 integer (default)
Zonemgr/max_transfer_timeout 14400 integer (default)
Zonemgr/refresh_jitter 0.25 real (default)
Zonemgr/reload_jitter 0.75 real (default)
Zonemgr/secondary_zones[0]/class "IN" string (default)
Zonemgr/secondary_zones[0]/name "as34288.net" string
Zonemgr/secondary_zones[1]/class "IN" string (default)
Zonemgr/secondary_zones[1]/name "32.234.46.in-addr.arpa" string
Zonemgr/secondary_zones[2]/class "IN" string (default)
Zonemgr/secondary_zones[2]/name "as34288.ch" string
Cmdctl/key_file "/opt/bind10/etc/bind10-devel/cmdctl-keyfile.pem" string (default)
Cmdctl/cert_file "/opt/bind10/etc/bind10-devel/cmdctl-certfile.pem" string (default)
Cmdctl/accounts_file "/opt/bind10/etc/bind10-devel/cmdctl-accounts.csv" string (default)
tsig_keys/keys[0] "xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=:hmac-sha256" string
Auth/database_file "/opt/bind10/var/bind10-devel/zone.sqlite3" string (default)
Auth/datasources [] list (default)
Auth/statistics-interval 60 integer (default)
Auth/listen_on[0]/address "::" string (default)
Auth/listen_on[0]/port 53 integer (default)
Auth/listen_on[1]/address "0.0.0.0" string (default)
Auth/listen_on[1]/port 53 integer (default)
data_sources/classes/IN[0]/type "sqlite3" string (default)
data_sources/classes/IN[0]/params {"database_file": "/opt/bind10/var/bind10-devel/zone.sqlite3"} any (default)
data_sources/classes/IN[0]/cache-enable false boolean (default)
data_sources/classes/IN[0]/cache-zones [] list
data_sources/classes/CH[0]/type "static" string (default)
data_sources/classes/CH[0]/params "/opt/bind10/share/bind10-devel/static.zone" any (default)
data_sources/classes/CH[0]/cache-enable false boolean (default)
data_sources/classes/CH[0]/cache-zones [] list
Logging/loggers[0]/name "*" string
Logging/loggers[0]/severity "DEBUG" string
Logging/loggers[0]/debuglevel 40 integer
Logging/loggers[0]/additive false boolean
Logging/loggers[0]/output_options[0]/destination "file" string
Logging/loggers[0]/output_options[0]/output "/tmp/bind10-debug.log" string
Logging/loggers[0]/output_options[0]/flush true boolean
Logging/loggers[0]/output_options[0]/maxsize 1048576 integer
Logging/loggers[0]/output_options[0]/maxver 16 integer
Xfrin/transfers_in 10 integer (default)
Xfrin/zones[0]/name "as34288.net" string
Xfrin/zones[0]/class "IN" string (default)
Xfrin/zones[0]/master_addr "81.94.123.20" string
Xfrin/zones[0]/master_port 53 integer (default)
Xfrin/zones[0]/tsig_key "xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=:hmac-sha256" string
Xfrin/zones[0]/use_ixfr false boolean (default)
Xfrin/zones[1]/name "32.234.46.in-addr.arpa" string
Xfrin/zones[1]/class "IN" string (default)
Xfrin/zones[1]/master_addr "81.94.123.20" string
Xfrin/zones[1]/master_port 53 integer (default)
Xfrin/zones[1]/tsig_key "xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=:hmac-sha256" string
Xfrin/zones[1]/use_ixfr false boolean (default)
Xfrin/zones[2]/name "as34288.ch" string
Xfrin/zones[2]/class "IN" string (default)
Xfrin/zones[2]/master_addr "81.94.123.20" string
Xfrin/zones[2]/master_port 53 integer (default)
Xfrin/zones[2]/tsig_key "xxx:5wQxhqUgK4NKA3CBZtx5Z06CLGuhFL5QMv2qQBJ5jls=:hmac-sha256" string
Xfrin/zones[2]/use_ixfr false boolean (default)
2012-09-01 18:38:26.409 INFO [b10-xfrin.xfrin] XFRIN_XFR_TRANSFER_STARTED AXFR transfer of zone as34288.ch/IN started
2012-09-01 18:38:26.483 DEBUG [b10-xfrin.xfrin] XFRIN_GOT_NONINCREMENTAL_RESP got nonincremental response for as34288.ch/IN
2012-09-01 18:38:26.483 DEBUG [b10-xfrin.datasrc] DATASRC_SQLITE_NEWCONN SQLite3Database is being initialized
2012-09-01 18:38:26.483 DEBUG [b10-xfrin.datasrc] DATASRC_SQLITE_CONNOPEN Opening sqlite database file '/opt/bind10/var/bind10-devel/zone.sqlite3'
2012-09-01 18:38:26.534 DEBUG [b10-xfrin.datasrc] DATASRC_SQLITE_DROPCONN SQLite3Database is being deinitialized
2012-09-01 18:38:26.534 DEBUG [b10-xfrin.datasrc] DATASRC_SQLITE_CONNCLOSE Closing sqlite database
2012-09-01 18:38:26.535 INFO [b10-xfrin.xfrin] XFRIN_TRANSFER_SUCCESS full AXFR transfer of zone as34288.ch/IN succeeded (messages: 1, records: 58, bytes: 6824, run time: 0.150 seconds, 45547 bytes/second)
2012-09-01 18:38:26.535 DEBUG [b10-xfrin.xfrin] XFRIN_AUTH_LOADZONE sending Auth loadzone for origin=as34288.ch., class=IN
2012-09-01 18:38:26.535 DEBUG [b10-auth.auth] AUTH_RECEIVED_COMMAND command 'loadzone' received
2012-09-01 18:38:26.535 ERROR [b10-auth.auth] AUTH_COMMAND_FAILED execution of command channel instruction 'loadzone' failed: Zone as34288.ch./IN is not served from memory, but direcly from the data source. It is not possible to reload it into memory. Configure it to be cached first.
2012-09-01 18:38:26.536 DEBUG [b10-auth.auth] AUTH_RECEIVED_COMMAND command 'loadzone' received
2012-09-01 18:38:26.536 ERROR [b10-auth.auth] AUTH_COMMAND_FAILED execution of command channel instruction 'loadzone' failed: Zone as34288.ch./IN is not served from memory, but direcly from the data source. It is not possible to reload it into memory. Configure it to be cached first.
nsd config:
zone:
	name: as34288.net
	zonefile: secondary/as34288.net
	allow-notify: 127.0.0.1 NOKEY
	allow-notify: ::1 NOKEY
	allow-notify: 109.233.182.9 NOKEY
	request-xfr: 109.233.182.9 NOKEY
	include: /etc/nsd/xfr-allowed.list
	include: /etc/nsd/notify.list
zone:
	name: as34288.ch
	zonefile: secondary/as34288.ch
	allow-notify: 127.0.0.1 NOKEY
	allow-notify: ::1 NOKEY
	allow-notify: 109.233.182.9 NOKEY
	request-xfr: 109.233.182.9 NOKEY
	include: /etc/nsd/xfr-allowed.list
	include: /etc/nsd/notify.list
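The "TSIG verify fail" the post reports is raised by the secondary when it recomputes the HMAC over each AXFR envelope and the result does not match what the primary sent. The following is an added example for this thread, not code from BIND 10, NSD or dnspython: a minimal RFC 8945 (TSIG, hmac-sha256) signer and verifier for a multi-message AXFR that shows exactly which bytes both ends must agree on. The key name and secret, the zone name and the envelope answer bytes are constructed for illustration (the secret is not the one posted); the example takes each message already stripped of its TSIG RR, whereas a real verifier first locates the TSIG at the end of the additional section, decrements ARCOUNT and restores the original ID before digesting. Reporting an unsigned first or last envelope as FORMERR is this example's own labelling.

```python
# Added example for this thread: a minimal RFC 8945 TSIG (hmac-sha256) signer and verifier
# for a multi-message AXFR. Not code from BIND 10, NSD or dnspython; key, zone and envelope
# payloads below are constructed for illustration.
import base64, hashlib, hmac, struct

AXFR, IN, ANY = 252, 1, 255

def encode_name(name):
    """Uncompressed, lower-cased wire-format name, as TSIG digests names."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_bind10_key(spec):
    """Parse the 'name:base64secret:algorithm' form of the Xfrin tsig_key lines above."""
    name, secret, alg = spec.split(":")
    return name.lower().rstrip("."), base64.b64decode(secret), alg.lower()

def tsig_timers(time_signed, fudge):
    """48-bit time signed plus 16-bit fudge: the 'TSIG Timers' digest component."""
    return time_signed.to_bytes(6, "big") + struct.pack("!H", fudge)

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """TSIG variables (RFC 8945 section 4.3.3) digested for a request or first response."""
    return (encode_name(key_name) + struct.pack("!HI", ANY, 0) + encode_name(alg)
            + tsig_timers(time_signed, fudge) + struct.pack("!HH", error, len(other)) + other)

def dns_message(zone, flags, payload=b"", msg_id=0x1234):
    """Header + AXFR question (+ opaque answer bytes): the message BEFORE the TSIG RR is appended."""
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, 1 if payload else 0, 0, 0)
    return hdr + encode_name(zone) + struct.pack("!HH", AXFR, IN) + payload

def mac_first(secret, key_name, alg, wire, time_signed, fudge, request_mac=b""):
    """MAC of a request, or of the first response envelope (chained to the request MAC)."""
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += wire + tsig_variables(key_name, alg, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()

def mac_continuation(secret, prior_mac, wires_since_last_tsig, time_signed, fudge):
    """MAC of a later envelope: prior MAC, every envelope since the last TSIG (unsigned
    ones and this one), then timers only rather than the full variables."""
    data = (struct.pack("!H", len(prior_mac)) + prior_mac
            + b"".join(wires_since_last_tsig) + tsig_timers(time_signed, fudge))
    return hmac.new(secret, data, hashlib.sha256).digest()

def sign_transfer(secret, key_name, alg, request_mac, wires, signed, time_signed, fudge):
    """Server side: [(wire, time_signed, fudge, mac-or-None), ...]; 'signed' picks which
    envelopes carry a TSIG (RFC 8945 requires at least the first and the last)."""
    out, prior, pending = [], request_mac, []
    for i, (wire, do_sign) in enumerate(zip(wires, signed)):
        pending.append(wire)
        if not do_sign:
            out.append((wire, None, None, None))
            continue
        if i == 0:
            mac = mac_first(secret, key_name, alg, wire, time_signed, fudge, prior)
        else:
            mac = mac_continuation(secret, prior, pending, time_signed, fudge)
        out.append((wire, time_signed, fudge, mac))
        prior, pending = mac, []
    return out

def verify_transfer(keyring, key_name, alg, request_mac, received, now):
    """Client side: NOERROR or the RFC 8945 error name (BADKEY, BADTIME, BADSIG). An
    unsigned first or last envelope is reported as FORMERR; that label is this example's."""
    key = keyring.get(key_name.lower().rstrip("."))
    if key is None or key[1] != alg.lower():
        return "BADKEY"
    secret, prior, pending = key[0], request_mac, []
    for i, (wire, time_signed, fudge, mac) in enumerate(received):
        pending.append(wire)
        if mac is None:
            if i in (0, len(received) - 1):
                return "FORMERR"
            continue
        if abs(now - time_signed) > fudge:
            return "BADTIME"
        if i == 0:
            expected = mac_first(secret, key_name, alg, wire, time_signed, fudge, prior)
        else:
            expected = mac_continuation(secret, prior, pending, time_signed, fudge)
        if not hmac.compare_digest(expected, mac):
            return "BADSIG"
        prior, pending = mac, []
    return "NOERROR"

def demo(now=1346521106):
    """Three-envelope AXFR (signed, unsigned, signed) through sign and verify, plus the
    failure modes a secondary can report. Returns {case: result}."""
    spec = "xfr-key:" + base64.b64encode(b"constructed secret, not the posted one").decode() + ":hmac-sha256"
    name, secret, alg = parse_bind10_key(spec)
    keyring = {name: (secret, alg)}
    req_mac = mac_first(secret, name, alg, dns_message("as34288.net", 0x0000), now, 300)
    wires = [dns_message("as34288.net", 0x8000, p) for p in (b"SOA+rrs1", b"rrs2", b"rrs3+SOA")]
    good = sign_transfer(secret, name, alg, req_mac, wires, [True, False, True], now, 300)
    tampered = list(good)
    w, t, f, m = tampered[1]  # flip one bit in the UNSIGNED middle envelope
    tampered[1] = (w[:-1] + bytes([w[-1] ^ 1]), t, f, m)
    no_last = sign_transfer(secret, name, alg, req_mac, wires, [True, True, False], now, 300)
    return {
        "clean": verify_transfer(keyring, name, alg, req_mac, good, now),
        "tampered_middle": verify_transfer(keyring, name, alg, req_mac, tampered, now),
        "unknown_key": verify_transfer(keyring, "other-key", alg, req_mac, good, now),
        "unsigned_last": verify_transfer(keyring, name, alg, req_mac, no_last, now),
        "clock_skew": verify_transfer(keyring, name, alg, req_mac, good, now + 3600),
    }

if __name__ == "__main__":
    print(demo())
```

Running it prints the five outcomes. The inputs both ends have to match byte for byte are all visible in tsig_variables and mac_continuation: the key name (compared case-insensitively, digested uncompressed), the algorithm name, the secret, the time window, and every unsigned envelope between two signed ones. Because the MAC chains through unsigned envelopes, a single changed byte anywhere in the stream only surfaces at the next signed envelope, which is why a failure on one zone and not another can come from the transfer content itself rather than from the key configuration.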