TSIG
Cricket Liu
cricket at menandmice.com
Fri Sep 14 16:36:31 UTC 2001
> BIND-8.2.3-REL
>
> I am trying TSIG for two of my servers using the instructions from:
>
> http://www.oreilly.com/catalog/dns4/chapter/ch11.html
>
> [snip]
> ############################## TSIG Section #########################
> server 62.8.64.4 { keys { longonot-ns2.wananchi.com; }; };
> [/snip]
>
> On the primary I have this config, via an $include:
>
> key longonot-ns2.wananchi.com { algorithm hmac-md5; secret "some_thing_here"; };
>
> And I have this in the primary server:
>
> wash at ns2 ('tty') /etc/namedb/s 59 -> ls -al
> total 14
> drwxr-xr-x 2 root wheel 512 Sep 14 18:29 .
> drwxr-xr-x 3 root wheel 9216 Sep 14 18:24 ..
> -rw-r--r-- 1 root wheel 60 Sep 14 16:40 Klongonot-ns2.wananchi.com.+157+00000.key
> -rw------- 1 root wheel 77 Aug 10 18:08 Klongonot-ns2.wananchi.com.+157+00000.private
> -rw-r--r-- 1 root wheel 223 Sep 14 17:12 dns-keys.conf
> -rw-r--r-- 1 root wheel 6 Sep 14 18:29 named.pid
>
> Have I missed something??
>
> When I reload the slave server, I get
>
> Sep 14 17:03:32 longonot named[174]: reloading nameserver
> Sep 14 17:03:32 longonot named[174]: /etc/namedb/named.conf:34: unknown key 'Klongonot-ns2.wananchi.com.+157+00000.key'
> Sep 14 17:03:32 longonot named[174]: /etc/namedb/named.conf:34: empty key not added to server list
> Sep 14 17:03:32 longonot named[174]: Ready to answer queries.
You didn't show us any of the slave's configuration, which is just as important as the master's. And apparently, on the slave, you have something like:

    server <something> {
        keys { Klongonot-ns2.wananchi.com.+157+00000.key; };
    };

instead of

    server <something> {
        keys { longonot-ns2.wananchi.com; };
    };
> I also try,
>
> wash at longonot ('tty') /etc/namedb/ 60 -> nsupdate -k /etc/namedb/:longonot-ns2.wananchi.com Klongonot-ns2.wananchi.com.+157+00000.key -v
> dst_read_key: error reading key
>
> I have copied the key to the slave server with the same name!
The second argument is wrong. The file argument to nsupdate is supposed to contain a series of nsupdate commands, not a key.
cricket
Men & Mice
DNS Software & Services
www.menandmice.com
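
The naming mismatch diagnosed in the reply can be caught before a reload. The following is an added example, not part of the original post and not BIND code: a small checker that compares the names in each server statement's keys clause against the key statements in the same configuration text. The sample configuration, its addresses and its secret are constructed, and the regular expressions assume simple, uncommented named.conf syntax.

```python
import re

# Constructed sample of a slave's named.conf: the first server statement
# repeats the mistake from the thread (keygen file name used as key name).
SAMPLE_CONF = '''
key longonot-ns2.wananchi.com { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQ="; };
server 192.0.2.1 { keys { Klongonot-ns2.wananchi.com.+157+00000.key; }; };
server 192.0.2.2 { keys { longonot-ns2.wananchi.com; }; };
'''

# "key <name> {" statements; "keys" does not match because \s+ must follow "key".
KEY_DEF = re.compile(r'\bkey\s+"?([^\s"{;]+)"?\s*\{')
# "server <addr> { ... keys { a; b; } ..." with no nested braces before keys.
SERVER_KEYS = re.compile(r'\bserver\s+(\S+)\s*\{[^{}]*\bkeys\s*\{([^}]*)\}')
# dnssec-keygen output files are named K<name>.+<alg>+<id>.key / .private
KEYGEN_FILE = re.compile(r'^K(.+?)\.\+(\d+)\+(\d+)(?:\.(?:key|private))?$')


def norm(name):
    """Key names are domain names: compare case-insensitively, no trailing dot."""
    return name.strip('"').rstrip('.').lower()


def check_key_refs(conf):
    """Return (server, referenced_name, suggested_name_or_None) for every
    keys-clause entry that has no matching key statement."""
    defined = {norm(n) for n in KEY_DEF.findall(conf)}
    findings = []
    for server, body in SERVER_KEYS.findall(conf):
        refs = [r.strip() for r in body.split(';') if r.strip()]
        for ref in refs:
            if norm(ref) in defined:
                continue
            # If the reference looks like a keygen file name, recover the
            # key name embedded in it and suggest it when it is defined.
            m = KEYGEN_FILE.match(ref.strip('"'))
            hint = norm(m.group(1)) if m else None
            findings.append((server, ref, hint if hint in defined else None))
    return findings


if __name__ == '__main__':
    for server, ref, hint in check_key_refs(SAMPLE_CONF):
        msg = f"server {server}: unknown key '{ref}'"
        if hint:
            msg += f" (file name used as key name; did you mean '{hint}'?)"
        print(msg)
```
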