bind 8.3.3 and TSIG
Doug Barton
DougB at DougBarton.net
Mon Sep 30 18:46:34 UTC 2002
On 26 Sep 2002, Stuart wrote:
>
> Well, this is the third time.. I hope it is the charm. For some
> reason, either my posts from my AOL account aren't getting through,

They were getting through, but the first few I saw had silly munging of
the e-mail address, which prevented a reply to you.

> I am trying to securitize my zone transfers between my DNS master and
> slaves, using TSIG.
>
> I created the TSIG key using dnskeygen -H 128 -h -n
> host1-host2.xxx.xxx.gov

It's silly to obscure the names... we don't really care.
http://dougbarton.net/bind-users/FAQ.html#RealNames
However, what it does do is make debugging your problem more difficult.

> On the master and slave I added
>
> key host1-host2.xxx.xxx.gov. {
> algorithm hmac-md5;
> secret blahblah;
> };
>
> I wind up getting a BADSIG (-16) error. I suppose that means bind is
> not crazy about the key..

By any chance, is the zone you're trying to transfer also part of the key
name? In other words, is your key named key.example.com (or something
similar) and the zone named example.com? If so, try renaming your key to
something totally different. The key name has to _look_ like a hostname,
but it doesn't have to be a real one. In fact, I generally name my keys
something like host1_com.host2_com.

I ran into exactly this problem; however, I haven't had a chance to submit
it as a bug report yet.

Doug
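
Added example, not part of the original message and not BIND code: a small Python check for the two conditions raised in this thread, a key whose name falls inside the zone being transferred and a key statement that does not match between master and slave. The function names, the regex-based parser and the sample configs are assumptions constructed for illustration.

```python
import re

# Matches a named.conf key statement:
#   key <name> { algorithm <alg>; secret <value>; };
KEY_RE = re.compile(
    r'\bkey\s+"?([^\s"{]+)"?\s*\{\s*algorithm\s+([^\s;]+)\s*;'
    r'\s*secret\s+"?([^";]+?)"?\s*;\s*\}\s*;',
    re.IGNORECASE,
)

def parse_keys(conf_text):
    """Return {key_name: (algorithm, secret)}; names lowercased, trailing dot dropped."""
    keys = {}
    for name, alg, secret in KEY_RE.findall(conf_text):
        keys[name.lower().rstrip(".")] = (alg.lower(), secret.strip())
    return keys

def is_within_zone(key_name, zone):
    """True if key_name equals the zone name or is a subdomain of it (label-wise)."""
    k = key_name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(k) >= len(z) and k[-len(z):] == z

def check_tsig(master_conf, slave_conf, zone):
    """Return a list of findings for the TSIG keys defined on master and slave."""
    findings = []
    master, slave = parse_keys(master_conf), parse_keys(slave_conf)
    for name in sorted(set(master) | set(slave)):
        if name not in master or name not in slave:
            findings.append(f"{name}: defined on only one server")
            continue
        if master[name] != slave[name]:
            findings.append(f"{name}: algorithm or secret differs between servers")
        if is_within_zone(name, zone):
            findings.append(f"{name}: key name lies inside zone {zone}; rename it")
    return findings

# Constructed sample configs (not from the thread); secrets are placeholders.
MASTER = '''
key key.example.com. { algorithm hmac-md5; secret "Q09OU1RSVUNURUQ="; };
key host1_com.host2_com. { algorithm hmac-md5; secret "Q09OU1RSVUNURUQ="; };
'''
SLAVE = '''
key key.example.com. { algorithm hmac-md5; secret "Q09OU1RSVUNURUQ="; };
key host1_com.host2_com. { algorithm hmac-md5; secret "RElGRkVSRU5U"; };
'''

if __name__ == "__main__":
    for finding in check_tsig(MASTER, SLAVE, "example.com"):
        print(finding)
```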