rndc TSIG problem in 9.1.3
Sasso, John IT
JSasso at mvphealthcare.com
Thu Oct 11 12:04:41 UTC 2001
Thanks, Cricket. I thought the key "name2-key" was simply treated as label
and was not sent over the control channel to the nameserver. My flub.
BTW, is the packet format/structure of rndc packets sent documented anywhere?
-j
| -----Original Message-----
| From: Cricket Liu [mailto:cricket at menandmice.com]
| Sent: Wednesday, October 10, 2001 3:26 PM
| To: Sasso, John IT; bind-users at isc.org
| Subject: Re: rndc TSIG problem in 9.1.3
|
|
| > We have two nameservers (name1 - 10.1.1.1, name2 - 10.1.1.2), one primary
| > (name1) and the other secondary (name2), that are both running BIND 9.1.3.
| > Following the BIND book, I set up the rndc.conf and rndc.keys files on name1
| > and name2 so that rndc can be used from name1 to manage name2 (e.g. rndc -s
| > name2 reload). However, I get the following errors when trying to run rndc
| > from name1:
| >
| > /etc> rndc -s name2 reload
| > rndc: operation failed: verify failure (failed to verify signature)
| > rndc: reload command failure: verify failure
| >
| > /etc> rndc -y name2-key -s name2 reload
| > rndc: send remote authenticator: permission denied
|
| You're telling rndc to use the key name2-key (either
| explicitly, with -y, or
| using rndc.conf's server statement), but the named.conf file on name2
| says:
|
| > +----------------------- Portion of named.conf on name2 (secondary) -------------------------+
| > controls {
| > inet * allow { any; } keys { "rndc-key"; };
| > };
|
| That is, allow the key named rndc-key. The key names don't match.
|
| cricket
|
| Men & Mice
| DNS Software & Services
| www.menandmice.com
|
|
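The key-name mismatch Cricket describes, shown as a matching pair of config files. This is an added illustration, not anything posted in the thread; the secret is a constructed placeholder, and narrowing the control channel from the `inet * allow { any; }` in the quoted named.conf to the two hosts on the page is an assumption about the sensible deployment, not something the original poster had.

```conf
// ---- /etc/rndc.conf on name1 (10.1.1.1), the host running rndc ----
options {
    default-server name2;
    default-key "name2-key";          // key rndc signs with unless -y overrides it
};

server name2 {
    key "name2-key";                  // name sent in the TSIG record, not just a label
};

key "name2-key" {
    algorithm hmac-md5;               // the only TSIG algorithm rndc supports in 9.1.x
    secret "CONSTRUCTED_PLACEHOLDER_BASE64_SECRET==";   // must match named.conf on name2
};

// ---- /etc/named.conf on name2 (10.1.1.2), the server being controlled ----
key "name2-key" {                     // same name AND same secret as in rndc.conf
    algorithm hmac-md5;
    secret "CONSTRUCTED_PLACEHOLDER_BASE64_SECRET==";
};

controls {
    // Original line from the thread; "rndc-key" does not exist on the rndc side,
    // so every signed request fails with "verify failure":
    //   inet * allow { any; } keys { "rndc-key"; };
    //
    // Corrected: accept the key rndc actually signs with, and (assumed
    // tightening) listen only on name2's address and accept only name1.
    inet 10.1.1.2 allow { 10.1.1.1; } keys { "name2-key"; };
};
```

A quick check after editing is `rndc -s name2 status` from name1; a "verify failure" still means the name or secret differs between the two files, whereas "permission denied" from `-y` points at a key the controls statement does not list.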