rndc TSIG problem in 9.1.3
Sasso, John IT
JSasso at mvphealthcare.com
Wed Oct 10 13:30:19 UTC 2001
We have two nameservers (name1 - 10.1.1.1, name2 - 10.1.1.2), one primary (name1) and the other secondary (name2), that are both running BIND 9.1.3. Following the BIND book, I set up the rndc.conf and rndc.keys files on name1 and name2 so that rndc can be used from name1 to manage name2 (e.g. rndc -s name2 reload). However, I get the following errors when trying to run rndc from name1:
/etc> rndc -s name2 reload
rndc: operation failed: verify failure (failed to verify signature)
rndc: reload command failure: verify failure
/etc> rndc -y name2-key -s name2 reload
rndc: send remote authenticator: permission denied
I should note that doing 'rndc reload' (or the like) on each server itself works A-OK. It's remote rndc control I'm having trouble with, and I'd appreciate any help in troubleshooting this problem. The time on both name1 and name2 is in sync (to the second), so I know time is not an issue. The config files for each nameserver are shown below:
+------ rndc.conf on name1 (primary) -----------------------+
options {
    default-server localhost;
    default-key "rndc-key";
};
/* Define key to use for local nameserver */
server localhost {
    key "rndc-key";
};
/* Define key to use for 2ndary nameserver - name2.mvphealthplan.com */
server name2.mvphealthplan.com {
    key "name2-key";
};
/* Name of default key for rndc to send to nameserver over control channel */
key "rndc-key" {
    algorithm hmac-md5;
    secret "XXXXXXXXXXXXXXXXXXXXXXXX==";
};
/* Name of key for rndc to send to 2ndary nameserver over control channel */
key "name2-key" {
    algorithm hmac-md5;
    secret "YYYYYYYYYYYYYYYYYYY==";
};
+----------------- rndc.key on name1 (primary) ---------------------------+
key "rndc-key" {
    algorithm hmac-md5;
    secret "XXXXXXXXXXXXXXXXXXXXXXXX==";
};
+------------------ Portion of named.conf on name1 (primary) --------------------------+
controls {
    inet * allow { any; } keys { "rndc-key"; };
};
include "/etc/rndc.key";
+------ rndc.conf on name2 (secondary) -----------------------+
options {
    default-server localhost;
    default-key "rndc-key";
};
/* Define key to use for local nameserver */
server localhost {
    key "rndc-key";
};
/* Name of default key for rndc to send to nameserver over control channel */
key "rndc-key" {
    algorithm hmac-md5;
    secret "YYYYYYYYYYYYYYYYYYY==";
};
+----------------- rndc.key on name2 (secondary) ------------------------------+
key "rndc-key" {
    algorithm hmac-md5;
    secret "YYYYYYYYYYYYYYYYYYY==";
};
+----------------------- Portion of named.conf on name2 (secondary) -------------------------+
controls {
    inet * allow { any; } keys { "rndc-key"; };
};
include "/etc/rndc.key";
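Both failures above hinge on two things: which key name rndc decides to sign with, and whether the remote named lists that key name (with the same secret) in its controls statement. The following is an added example, not part of the original post and not BIND's own code: a small Python checker that parses the key, server, options and controls stanzas of the two configs and reports the mismatch before a request is sent. It assumes rndc's documented key selection order (-y, otherwise a server clause whose name equals the -s argument as a literal string, otherwise options default-key) and that named accepts a request only when the key name appears in its controls keys clause and the secret matches. The sample configs are constructed from the post with placeholder secrets, and the include "/etc/rndc.key" is inlined by hand.

```python
"""Added example: consistency checker for rndc/named control-channel keys.

Not from the original post or from BIND. Encodes the documented rules:
  * rndc -y KEY signs with that key from rndc.conf.
  * Otherwise rndc uses the key of a `server` clause whose name equals the
    -s argument literally, falling back to options.default-key.
  * named accepts the request only if the key NAME is listed in the target's
    `controls ... keys { ... }` clause and that key's secret matches.
"""
import re


def strip_comments(conf):
    """Drop the /* */, // and # comment styles named.conf and rndc.conf allow."""
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", conf)


def parse_keys(conf):
    """{keyname: (algorithm, secret)} for every `key "NAME" { ... };` statement."""
    pat = re.compile(
        r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}')
    return {m.group(1): (m.group(2), m.group(3)) for m in pat.finditer(conf)}


def parse_servers(conf):
    """{servername: keyname} from `server NAME { key "K"; };` clauses."""
    pat = re.compile(r'\bserver\s+"?([\w.:-]+)"?\s*\{\s*key\s+"([^"]+)"\s*;\s*\}')
    return {m.group(1): m.group(2) for m in pat.finditer(conf)}


def parse_default_key(conf):
    m = re.search(r'options\s*\{[^}]*?default-key\s+"([^"]+)"', conf)
    return m.group(1) if m else None


def parse_controls_keys(conf):
    """Key names the target's named will accept on its control channel."""
    m = re.search(r"controls\s*\{.*?keys\s*\{([^}]*)\}", conf, re.S)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def select_client_key(rndc_conf, server_arg, key_arg=None):
    """Key name rndc would sign with, and why (-y, server clause, default-key)."""
    if key_arg:
        return key_arg, "-y"
    servers = parse_servers(rndc_conf)
    if server_arg in servers:
        return servers[server_arg], f"server {server_arg} clause"
    return parse_default_key(rndc_conf), "options default-key (no server clause matched)"


def check_remote_rndc(rndc_conf, target_named_conf, server_arg, key_arg=None):
    """Findings as 'code: detail' strings; an empty list means the request
    should authenticate. Codes: undefined-key, key-not-accepted,
    algorithm-mismatch, secret-mismatch."""
    rndc_conf, target = strip_comments(rndc_conf), strip_comments(target_named_conf)
    keyname, why = select_client_key(rndc_conf, server_arg, key_arg)
    client_keys = parse_keys(rndc_conf)
    if keyname not in client_keys:
        return [f"undefined-key: rndc would use {keyname!r} ({why}) but rndc.conf does not define it"]
    findings = []
    allowed = parse_controls_keys(target)
    if keyname not in allowed:
        findings.append(f"key-not-accepted: rndc sends key {keyname!r} ({why}) but the target's "
                        f"controls statement only lists {allowed}")
    target_keys = parse_keys(target)
    if keyname in target_keys:
        (calg, csec), (talg, tsec) = client_keys[keyname], target_keys[keyname]
        if calg != talg:
            findings.append(f"algorithm-mismatch: {keyname!r} is {calg} on the client, {talg} on the target")
        if csec != tsec:
            findings.append(f"secret-mismatch: {keyname!r} has different secrets on client and target "
                            "(named reports a verify failure)")
    return findings


# Constructed from the post; placeholder secrets, not real key material.
NAME1_RNDC_CONF = """
options { default-server localhost; default-key "rndc-key"; };
/* key for the local server */
server localhost { key "rndc-key"; };
/* key for the secondary, named exactly as in the post */
server name2.mvphealthplan.com { key "name2-key"; };
key "rndc-key" { algorithm hmac-md5; secret "XXXXXXXXXXXXXXXXXXXXXXXX=="; };
key "name2-key" { algorithm hmac-md5; secret "YYYYYYYYYYYYYYYYYYY=="; };
"""

NAME2_NAMED_CONF = """
controls { inet * allow { any; } keys { "rndc-key"; }; };
// /etc/rndc.key from the post, inlined here in place of the include statement
key "rndc-key" { algorithm hmac-md5; secret "YYYYYYYYYYYYYYYYYYY=="; };
"""

# One way to make the target accept requests signed with "name2-key": define the
# same key name and secret on the target and list that name in controls.
NAME2_NAMED_CONF_FIXED = NAME2_NAMED_CONF.replace(
    'keys { "rndc-key"; }', 'keys { "rndc-key"; "name2-key"; }'
) + 'key "name2-key" { algorithm hmac-md5; secret "YYYYYYYYYYYYYYYYYYY=="; };\n'


if __name__ == "__main__":
    print("rndc -s name2:", check_remote_rndc(NAME1_RNDC_CONF, NAME2_NAMED_CONF, "name2"))
    print("rndc -y name2-key -s name2:",
          check_remote_rndc(NAME1_RNDC_CONF, NAME2_NAMED_CONF, "name2", "name2-key"))
    print("rndc -s name2.mvphealthplan.com:",
          check_remote_rndc(NAME1_RNDC_CONF, NAME2_NAMED_CONF, "name2.mvphealthplan.com"))
    print("after fix:", check_remote_rndc(NAME1_RNDC_CONF, NAME2_NAMED_CONF_FIXED,
                                          "name2.mvphealthplan.com") or "ok")
```

Run against the posted configs, the checker reports a secret mismatch for `rndc -s name2` (the short name matches no server clause, so rndc falls back to default-key "rndc-key", whose secret differs from name2's copy) and a key-not-accepted finding for both `-y name2-key` and `-s name2.mvphealthplan.com` (name2's controls statement only lists "rndc-key"). Only the fixed target config, with the same key name and secret on both ends, comes back clean. The checker says nothing about the `inet * allow { any; }` listener; restricting that to the management host's address is a separate hardening step worth taking once the key problem is resolved.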