invalid command from 127.0.0.1#1157: bad auth

phn at icke-reklam.ipsec.nu
Wed Aug 21 08:57:36 UTC 2002


Tarek Hamdy <thamdy at quixnet.net> wrote:

> Hey guys,

> I attempted to do a rndc-keygen -a to create a new key, no success.  I
> made some changes to the top part of the named.conf, to the rndc_key
> inserting spaces in front of and behind it.

You mean "rndc-confgen -a"?


> include "/etc/namedb/rn/rndc.key";
> controls {
>      inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
> };

> I reloaded DNS getting the following below:

> Aug 21 01:10:02 ham named: named startup succeeded
> Aug 21 01:10:02 ham named[15174]: no IPv6 interfaces found
> Aug 21 01:10:02 ham named[15174]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Aug 21 01:10:02 ham named[15174]: listening on IPv4 interface eth0,
> 192.168.113.33#53
> Aug 21 01:10:02 ham named[15174]: listening on IPv4 interface eth1,
> 208.184.11.178#53
> Aug 21 01:10:03 ham named[15174]: /etc/named.conf:6: couldn't find key
> 'rndc_key' for use with command channel 127.0.0.1#953

This tells us that either there is no key at all in named.conf, or
named.conf includes a file that is unreadable or not at the place
it should be.


Could you try to manually create /etc/rndc.key with the
following contents (taken from the ARM-book):

     key rndc_key {
          algorithm "hmac-md5";
          secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
     };
     options {
          default-server localhost;
          default-key    rndc_key;
     };

And in /etc/named.conf you create a "key" statement and a "control" statement:

     key rndc_key {
          algorithm "hmac-md5";
          secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
     };
     controls {
          inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
     };

Do change the keystrings; as long as they are equal in rndc.conf
and named.conf they should work.

-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
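
Added example, not part of the original posts or of BIND: a small offline check for the two conditions discussed in this thread, a controls statement naming a key that named.conf never defines, and a key that differs between named.conf and rndc.conf. It also flags the example secret printed above, since that string is public. The function names are hypothetical, and it assumes any include files have already been pasted into the text it is given.

```python
import re

# Secret shown in the post (copied from the ARM); it is public, so flag it.
ARM_SECRET = "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"
KEY_RE = re.compile(r'(?<![\w-])key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+"?([\w-]+)"?\s*;'
                    r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')
USES_RE = re.compile(r'(?<![\w-])keys\s*\{([^}]*)\}')
DEFAULT_RE = re.compile(r'(?<![\w-])default-key\s+"?([\w.-]+)"?\s*;')

def strip_comments(text):
    """Remove /* */, // and # comments but keep quoted strings (base64 may contain '//')."""
    pat = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
    return pat.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key statement."""
    return {n: (a.lower(), s) for n, a, s in KEY_RE.findall(text)}

def check(named_conf, rndc_conf):
    """Return a list of problems; an empty list means both sides agree."""
    named, rndc = strip_comments(named_conf), strip_comments(rndc_conf)
    nkeys, rkeys = parse_keys(named), parse_keys(rndc)
    problems = []
    for body in USES_RE.findall(named):
        for name in re.findall(r'"?([\w.-]+)"?\s*;', body):
            if name not in nkeys:
                problems.append(f"named.conf: keys list names undefined key '{name}'")
    m = DEFAULT_RE.search(rndc)
    default = m.group(1) if m else None
    if default is None or default not in rkeys:
        problems.append("rndc.conf: default-key missing or not defined")
    elif nkeys.get(default) != rkeys[default]:
        problems.append(f"key '{default}' is missing from named.conf or differs from rndc.conf")
    for side, keys in (("named.conf", nkeys), ("rndc.conf", rkeys)):
        for name, (_, secret) in keys.items():
            if secret == ARM_SECRET:
                problems.append(f"{side}: key '{name}' uses the published example secret")
    return problems

# Constructed sample mirroring the post: controls references rndc_key, but no key statement.
SAMPLE_NAMED = 'controls {\n  inet 127.0.0.1 allow { localhost; } keys { rndc_key; };\n};\n'
SAMPLE_RNDC = ('key rndc_key { algorithm "hmac-md5"; secret "' + ARM_SECRET + '"; };\n'
               'options { default-server localhost; default-key rndc_key; };\n')

if __name__ == "__main__":
    for problem in check(SAMPLE_NAMED, SAMPLE_RNDC):
        print(problem)
```
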

