TSIG

Cricket Liu cricket at menandmice.com
Fri Sep 14 16:36:31 UTC 2001



> BIND-8.2.3-REL
>
> I am trying TSIG for two of my servers using the instructions from:
>
> http://www.oreilly.com/catalog/dns4/chapter/ch11.html
>
> [snip]
> ##############################  TSIG Section #########################
> server 62.8.64.4               { keys  { longonot-ns2.wananchi.com; }; };
> [/snip]
>
> On the primary I have this config, via an $include:
>
> key longonot-ns2.wananchi.com   { algorithm hmac-md5; secret "some_thing_here"; };
>
> And I have this in the primary server:
>
> wash at ns2 ('tty') /etc/namedb/s 59 -> ls -al
> total 14
> drwxr-xr-x  2 root  wheel   512 Sep 14 18:29 .
> drwxr-xr-x  3 root  wheel  9216 Sep 14 18:24 ..
> -rw-r--r--  1 root  wheel    60 Sep 14 16:40 Klongonot-ns2.wananchi.com.+157+00000.key
> -rw-------  1 root  wheel    77 Aug 10 18:08 Klongonot-ns2.wananchi.com.+157+00000.private
> -rw-r--r--  1 root  wheel   223 Sep 14 17:12 dns-keys.conf
> -rw-r--r--  1 root  wheel     6 Sep 14 18:29 named.pid
>
> Have I missed something??
>
> When I reload the slave server, I get
>
> Sep 14 17:03:32 longonot named[174]: reloading nameserver
> Sep 14 17:03:32 longonot named[174]: /etc/namedb/named.conf:34: unknown key 'Klongonot-ns2.wananchi.com.+157+00000.key'
> Sep 14 17:03:32 longonot named[174]: /etc/namedb/named.conf:34: empty key not added to server list
> Sep 14 17:03:32 longonot named[174]: Ready to answer queries.

You didn't show us any of the slave's configuration, which is just as
important as the master's.  And apparently, on the slave, you have
something like:

server <something> {
    keys { Klongonot-ns2.wananchi.com.+157+00000.key; };
};

instead of

server <something> {
    keys { longonot-ns2.wananchi.com; };
};

> I also try,
>
> wash at longonot ('tty') /etc/namedb/ 60 ->  nsupdate -k /etc/namedb/:longonot-ns2.wananchi.com Klongonot-ns2.wananchi.com.+157+00000.key -v
> dst_read_key: error reading key
>
> I have copied the key to the slave server with the same name!

The second argument is wrong.  The file argument to nsupdate is supposed
to contain a series of nsupdate commands, not a key.

cricket

Men & Mice
DNS Software & Services
www.menandmice.com
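As an added illustration of the mix-up described in the reply above (this is not code from the thread, from BIND, or from Men & Mice): a small Python lint that reads a simplified named.conf, collects the names of the `key` statements, and flags every `keys { ...; }` reference inside a `server` statement that does not match one, pointing out when the offending reference looks like a dnskeygen file name (`Kname.+alg+id.key`) rather than a key statement name. The parser is deliberately simplified (it assumes no braces or comment markers inside quoted strings), and both sample configurations are constructed for the example.

```python
import re

# Constructed configs (not the poster's actual files): the key statement is named
# longonot-ns2.wananchi.com, but the broken server statement references the
# dnskeygen *file* name instead, which is the mistake the posted log suggests.
BROKEN_SLAVE_CONF = """
key longonot-ns2.wananchi.com { algorithm hmac-md5; secret "some_thing_here"; };
server 62.8.64.4 { keys { Klongonot-ns2.wananchi.com.+157+00000.key; }; };
"""

FIXED_SLAVE_CONF = """
key longonot-ns2.wananchi.com { algorithm hmac-md5; secret "some_thing_here"; };
server 62.8.64.4 { keys { longonot-ns2.wananchi.com; }; };
"""

# Kname.+alg+id.key / .private is the dnskeygen file naming pattern (157 = HMAC-MD5).
KEYFILE_RE = re.compile(r'^K(.+)\.\+\d{3}\+\d{5}\.(key|private)$')
KEYS_RE = re.compile(r'keys\s*\{([^}]*)\}', re.I)


def strip_comments(text):
    """Drop /* */, // and # comments (simplified: assumes none inside quoted strings)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def statements(conf):
    """Yield (head, body) for each top-level `head { body };` statement, matching braces."""
    text = strip_comments(conf)
    pos = 0
    while True:
        start = text.find('{', pos)
        if start < 0:
            return
        depth, end = 0, start
        while end < len(text):
            if text[end] == '{':
                depth += 1
            elif text[end] == '}':
                depth -= 1
                if depth == 0:
                    break
            end += 1
        # The head is whatever sits between the previous ';' and this '{'.
        head = text[text.rfind(';', 0, start) + 1:start].strip()
        yield head, text[start + 1:end]
        pos = end + 1


def defined_keys(conf):
    """Names from `key <name> { ... };` statements, quotes removed."""
    return {head.split()[1].strip('"') for head, _ in statements(conf)
            if head.lower().startswith('key ')}


def server_key_refs(conf):
    """(server, keyname) pairs from every `keys { ...; }` inside a `server` statement."""
    refs = []
    for head, body in statements(conf):
        if not head.lower().startswith('server '):
            continue
        server = head.split()[1]
        for block in KEYS_RE.finditer(body):
            for name in block.group(1).split(';'):
                name = name.strip().strip('"')
                if name:
                    refs.append((server, name))
    return refs


def check_tsig_refs(conf):
    """Return one (server, bad_ref, hint) tuple per key reference with no matching key statement."""
    keys = defined_keys(conf)
    problems = []
    for server, name in server_key_refs(conf):
        if name in keys:
            continue
        m = KEYFILE_RE.match(name)
        if m and m.group(1) in keys:
            hint = f"this is a dnskeygen file name; the key statement is named '{m.group(1)}'"
        elif m:
            hint = "this is a dnskeygen file name, not the name of a key statement"
        else:
            hint = "no key statement with this name"
        problems.append((server, name, hint))
    return problems


if __name__ == '__main__':
    for label, conf in (('broken', BROKEN_SLAVE_CONF), ('fixed', FIXED_SLAVE_CONF)):
        print(label, check_tsig_refs(conf) or 'ok')
```

Run against the broken config the lint reports the same reference that named complained about as "unknown key", and tells you which `key` statement name should have been used instead; the corrected config passes clean. The same check is worth running on both master and slave, since TSIG only works when both sides define the key under the identical name with the identical secret.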
