TSIG fails intermittently but dig works

Mark Andrews marka at isc.org
Thu Mar 25 21:00:37 UTC 2010


In message <OFF7240F74.A2C76455-ON062576F1.0068F1EA-062576F1.006C5726 at sasktel.sk.ca>, Greg Kuechle writes:
> Hi,
> 
> I have two servers each running bind 9.7.0. I have TSIG set up on the
> servers. I upgraded the hardware on the primary server. The IPs and the
> config remained the same.
> I upgraded BIND from 9.4.3-P3 to 9.7.0 at the same time on the primary.
>
> Prior to the hardware/BIND upgrade TSIG worked well.
> 
> The new primary is running on a sun T5120 with Solaris 10.
> The older secondary is running on a sun v250 with Solaris 8.
> 
> 
> Now it fails on some zones and works on others. If I use dig to do a zone
> transfer, all zones transfer OK.
> 
> Here is the syntax I use:
> dig -y st-dns-key:<key_omitted> @142.163.211.10 ips.com    <-- this works
> only with dig, named will not transfer.
> dig -y st-dns-key:<key_omitted> @142.163.211.10 zazu.com <-- this works
> with dig and named will transfer.
> 
> 
> ---- Logs from secondary trying to transfer the zones ----
> Here is a zone that works:
> 25-Mar-2010 12:25:23.058 general: info: zone zazu.ca/IN: Transfer started.
> 25-Mar-2010 12:25:23.065 xfer-in: info: transfer of 'zazu.ca/IN' from 
> 142.163.211.10#53: connected using 142.163.20.10#56583
> 25-Mar-2010 12:25:23.105 general: info: zone zazu.ca/IN: transferred 
> serial 2007052406: TSIG 'st-dns-key'
> 25-Mar-2010 12:25:23.106 xfer-in: info: transfer of 'zazu.ca/IN' from 
> 142.163.211.10#53: Transfer completed: 1 messages, 14 records, 482 bytes, 
> 0.040 secs (12050 bytes/sec)
> 
> This zone will not transfer:
> 25-Mar-2010 12:23:28.029 notify: info: client 142.163.211.10#37594: 
> received notify for zone 'ips.com': TSIG 'st-dns-key'
> 25-Mar-2010 12:23:28.041 general: info: zone ips.com/IN: refresh: failure 
> trying master 142.163.211.10#53 (source 0.0.0.0#0): tsig verify failure
> 
> Both servers are using ntp and the time is synced up.
>
> I have thousands of zones; most of them will transfer to the secondary.
>
> I have tried many things with no luck (my secondary was running an older
> version of bind so I upgraded it).
> 
> 
> Any help would be appreciated.
> 
> 
> 
>  Greg Kuechle

Ensure that you have installed all patches from Sun. This sounds like
a bug in cool threads.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
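
As an added example (not part of the original thread and not ISC's code), this Python script triages a secondary's named log for the two message shapes quoted above and sorts zones into always failing, intermittent and healthy. A mismatched key would fail every zone that uses it, so a per-zone split like the one reported points elsewhere. The sample log is constructed from the lines in the post, and the `example.net` entries are invented.

```python
import re
from collections import defaultdict

# The two named log message shapes quoted in the post above (unwrapped).
OK_RE = re.compile(r"zone (\S+)/IN: transferred serial \d+: TSIG '([^']+)'")
FAIL_RE = re.compile(
    r"zone (\S+)/IN: refresh: failure trying master (\S+)#\d+ .*: tsig verify failure")

def triage(log_text):
    """Count TSIG-signed transfers and TSIG verify failures per zone."""
    zones = defaultdict(lambda: {"ok": 0, "fail": 0, "masters": set(), "keys": set()})
    for line in log_text.splitlines():
        if m := OK_RE.search(line):
            zones[m.group(1)]["ok"] += 1
            zones[m.group(1)]["keys"].add(m.group(2))
        elif m := FAIL_RE.search(line):
            zones[m.group(1)]["fail"] += 1
            zones[m.group(1)]["masters"].add(m.group(2))
    return dict(zones)

def classify(zones):
    """Bucket zones: failing (never OK), intermittent (both), healthy."""
    out = {"failing": [], "intermittent": [], "healthy": []}
    for name, z in sorted(zones.items()):
        if z["fail"] and z["ok"]:
            out["intermittent"].append(name)
        elif z["fail"]:
            out["failing"].append(name)
        else:
            out["healthy"].append(name)
    return out

# Constructed sample: the two log shapes from the post, plus two invented
# example.net lines to show a zone that fails and later succeeds.
SAMPLE = """\
25-Mar-2010 12:25:23.105 general: info: zone zazu.ca/IN: transferred serial 2007052406: TSIG 'st-dns-key'
25-Mar-2010 12:23:28.041 general: info: zone ips.com/IN: refresh: failure trying master 142.163.211.10#53 (source 0.0.0.0#0): tsig verify failure
25-Mar-2010 12:26:01.000 general: info: zone example.net/IN: refresh: failure trying master 142.163.211.10#53 (source 0.0.0.0#0): tsig verify failure
25-Mar-2010 12:31:02.000 general: info: zone example.net/IN: transferred serial 2010032501: TSIG 'st-dns-key'
"""

if __name__ == "__main__":
    for bucket, names in classify(triage(SAMPLE)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```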
