rndc TSIG problem in 9.1.3

Sasso, John IT JSasso at mvphealthcare.com
Wed Oct 10 13:30:19 UTC 2001


We have two nameservers (name1 - 10.1.1.1, name2 - 10.1.1.2), one primary
(name1) and the other secondary (name2), that are both running BIND 9.1.3.
Following the BIND book, I set up the rndc.conf and rndc.keys files on name1
and name2 so that rndc can be used from name1 to manage name2 (e.g. rndc -s
name2 reload).  However, I get the following errors when trying to run rndc
from name1:


/etc> rndc -s name2 reload
rndc: operation failed: verify failure (failed to verify signature)
rndc: reload command failure: verify failure

/etc> rndc -y name2-key -s name2 reload
rndc: send remote authenticator: permission denied

I should note that doing 'rndc reload' (or the like) on each server itself
works A-OK.  It's remote rndc control I'm having trouble with, and I'd
appreciate any help in troubleshooting this problem.  The time on both name1
and name2 is in sync (to the second), so I know time is not an issue.  The
config files for each nameserver are shown below:


+------  rndc.conf on name1 (primary)  -----------------------+
options {
        default-server  localhost;
        default-key     "rndc-key";
};

/* Define key to use for local nameserver
server localhost {
        key     "rndc-key";
};

/* Define key to use for 2ndary nameserver - name2.mvphealthplan.com
server name2.mvphealthplan.com {
        key     "name2-key";
};

/* Name of default key for rndc to send to nameserver over control channel
*/
key "rndc-key" {
        algorithm hmac-md5;
        secret "XXXXXXXXXXXXXXXXXXXXXXXX==";
};

/* Name of key for rndc to send to 2ndary nameserver over control channel */
key "name2-key" {
        algorithm hmac-md5;
        secret "YYYYYYYYYYYYYYYYYYY==";
};


+-----------------  rndc.key on name1 (primary)  ---------------------------+
key "rndc-key" {
        algorithm hmac-md5;
        secret "XXXXXXXXXXXXXXXXXXXXXXXX==";
};


+------------------ Portion of named.conf on name1 (primary)  --------------------------+
controls {
        inet * allow { any; } keys { "rndc-key"; };
};

include "/etc/rndc.key";


+------  rndc.conf on name2 (secondary)  -----------------------+
options {
        default-server  localhost;
        default-key     "rndc-key";
};

/* Define key to use for local nameserver
server localhost {
        key     "rndc-key";
};

/* Name of default key for rndc to send to nameserver over control channel
*/
key "rndc-key" {
        algorithm hmac-md5;
        secret "YYYYYYYYYYYYYYYYYYY==";
};


+----------------- rndc.key on name2 (secondary)  ------------------------------+
key "rndc-key" {
        algorithm hmac-md5;
        secret "YYYYYYYYYYYYYYYYYYY==";
};


+-----------------------  Portion of named.conf on name2 (secondary)  -------------------------+
controls {
        inet * allow { any; } keys { "rndc-key"; };
};

include "/etc/rndc.key";
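As an added example (not part of the post), a small Python checker that reads the two ends of the control channel the way a named.conf-style lexer would and lists why a signed rndc command to name2 would be refused: it strips /* ... */ comments (as posted, the comments on the 'Define key' lines carry no closing */ of their own, so each runs on to the next */ and the server{} statements in between sit inside it), works out which key rndc picks for -s name2 (the server{} entry, else default-key), and checks that name2's controls accept that key name with the same algorithm and secret, since the TSIG key name travels with the signature and must be known on the server. The config excerpts are constructed to mirror the post, with placeholder secrets.

```python
import re

# Constructed excerpts mirroring the post's files (comment layout kept; secrets are placeholders).
NAME1_RNDC_CONF = '''
options { default-server localhost; default-key "rndc-key"; };
/* Define key to use for local nameserver
server localhost { key "rndc-key"; };
/* Define key to use for 2ndary nameserver - name2.mvphealthplan.com
server name2.mvphealthplan.com { key "name2-key"; };
/* Name of default key for rndc to send to nameserver over control channel
*/
key "rndc-key"  { algorithm hmac-md5; secret "XXXXXXXXXXXXXXXXXXXXXXXX=="; };
key "name2-key" { algorithm hmac-md5; secret "YYYYYYYYYYYYYYYYYYY=="; };
'''
NAME2_NAMED_CONF = '''
controls { inet * allow { any; } keys { "rndc-key"; }; };
key "rndc-key" { algorithm hmac-md5; secret "YYYYYYYYYYYYYYYYYYY=="; };
'''

def strip_comments(text):
    """Drop /* ... */ comments as the named.conf lexer does: each /* runs to the next */."""
    return re.sub(r"/\*.*?\*/", " ", text, flags=re.S)

def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key { } statement."""
    pat = r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;'
    return {n: (a.lower(), s) for n, a, s in re.findall(pat, text)}

def client_key_for(rndc_conf, server):
    """Key name rndc uses for `-s server`: its server{} entry, else default-key."""
    servers = dict(re.findall(r'server\s+(\S+)\s*\{\s*key\s+"([^"]+)"', rndc_conf))
    default = re.search(r'default-key\s+"([^"]+)"', rndc_conf)
    return servers.get(server, default.group(1) if default else None)

def check_rndc_pair(rndc_conf, named_conf, server, key_name=None):
    """List the reasons a signed rndc command to `server` would be refused; [] means
    both ends agree. key_name plays the role of rndc's -y override."""
    rndc_conf, named_conf = strip_comments(rndc_conf), strip_comments(named_conf)
    name = key_name or client_key_for(rndc_conf, server)
    client_key = parse_keys(rndc_conf).get(name)
    if client_key is None:
        return [f"client has no key {name!r}"]
    # The TSIG key name travels with the signature, so the server must know that name.
    allowed = re.findall(r'"([^"]+)"', " ".join(re.findall(r'keys\s*\{([^}]*)\}', named_conf)))
    if name not in allowed:
        return [f"server controls accept {allowed}, not key name {name!r}"]
    if parse_keys(named_conf).get(name) != client_key:
        return [f"key {name!r}: algorithm or secret differs between the two ends"]
    return []
```

Run against the excerpts as posted, the check reports a secret mismatch for "rndc-key" (the key rndc falls back to once the server{} blocks are commented out) and, with the -y name2-key override, that name2's controls do not accept a key named "name2-key".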

