Bind9.2 dnssec-keygen problem in Redhat Linux

Martin McCormick martin at dc.cis.okstate.edu
Sun Mar 13 06:15:09 UTC 2005


	I have set up bind9 on several FreeBSD systems and now I need
to make it work on a recent-vintage Redhat platform.  It appears to
behave exactly as expected except for one show-stopper of a problem.

	I generated tsig keys with the following command:

/usr/sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST hostname.domain-keyname

	It generates two perfectly good-looking keys that never work,
with the complaint being an invalid signature.

Mar 13 00:21:07.829 client 192.168.253.207#34321: request has invalid signature: tsig verify failure

	I've spent the entire day off and on beating my head on this
one, trying several sets of keys, etc.  What could it be?
The dnssec-keygen command is actually lifted from one I used for years
on FreeBSD to generate keys that worked.  I tried 128 and 512-bit
keys.  By the way, rndc commands do work fine and I tried zone
transfers both from the localhost and a remote host with exactly the
same negative results which kind of rules out clock problems.

	Thanks for any helpful ideas.

Martin McCormick WB5AGZ  Stillwater, OK
OSU Information Technology Division Network Operations Group
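Added example (not from the post or from BIND): the TSIG MAC as RFC 2845 defines it, computed over the DNS message plus the TSIG variables. It shows that the key name, the shared secret and the time window are all inputs to the MAC, so a key name that differs between the key file and named.conf, a mis-pasted secret, or a clock outside the fudge window each surfaces on the server as the same "tsig verify failure". The secret, key name and AXFR query bytes below are constructed.

```python
import base64
import hashlib
import hmac
import struct

def wire_name(name: str) -> bytes:
    """DNS wire-format name; TSIG digests use the canonical (lowercase) form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_mac(secret_b64, key_name, message, time_signed, fudge=300,
             algorithm="hmac-md5.sig-alg.reg.int."):
    """HMAC-MD5 over message || TSIG variables (RFC 2845, request case)."""
    variables = (
        wire_name(key_name)                      # key NAME (part of the MAC input)
        + struct.pack("!HI", 255, 0)             # CLASS ANY, TTL 0
        + wire_name(algorithm)                   # algorithm name
        + struct.pack("!HI", (time_signed >> 32) & 0xFFFF,
                      time_signed & 0xFFFFFFFF)  # 48-bit Time Signed
        + struct.pack("!HHH", fudge, 0, 0)       # Fudge, Error (NOERROR), Other Len
    )
    key = base64.b64decode(secret_b64)           # the secret as it appears in the key file
    return hmac.new(key, message + variables, hashlib.md5).digest()

def tsig_verify(secret_b64, key_name, message, time_signed, received_mac,
                fudge=300, now=None):
    """Verifier side: enforce the time window, then compare MACs in constant time."""
    now = time_signed if now is None else now
    if abs(now - time_signed) > fudge:
        return False                             # BIND reports this as a signature failure too
    expected = tsig_mac(secret_b64, key_name, message, time_signed, fudge)
    return hmac.compare_digest(expected, received_mac)

# Constructed AXFR query: header (id, flags, QD=1, AN=0, NS=0, AR=0) + question.
# ARCOUNT excludes the TSIG RR, because the digest covers the message without it.
AXFR_QUERY = (struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
              + wire_name("example.com.") + struct.pack("!HH", 252, 1))

def demo():
    secret = "7dKq+QmRz1LcG8t0Qk3hZQ=="          # constructed 128-bit secret, base64
    t = 1110694867                               # constructed Time Signed (epoch seconds)
    name = "hostname.domain-keyname."
    mac = tsig_mac(secret, name, AXFR_QUERY, t)
    return {
        "matching key": tsig_verify(secret, name, AXFR_QUERY, t, mac),
        "key name differs": tsig_verify(secret, "keyname.", AXFR_QUERY, t, mac),
        "secret differs": tsig_verify("AAAAAAAAAAAAAAAAAAAAAA==", name, AXFR_QUERY, t, mac),
        "clock skew > fudge": tsig_verify(secret, name, AXFR_QUERY, t, mac, now=t + 600),
    }
```

Only the first case verifies; the other three are the mismatches a practitioner checks first when named logs a tsig verify failure.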
