tsig-key

Mark Andrews marka at isc.org
Tue Jun 10 22:09:39 UTC 2014


In message <032d01cf84c4$93869180$ba93b480$@cyberia.net.sa>, "Mohammed Ejaz" writes:
> 
> I have an Infoblox DNS appliance and the slave is BIND
> 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4. Now the problem is "Zone transfer
> wont happening" when I am enabling the TSIG key at the master server of Infoblox.
> It gives you the error like " client request has invalid signature tsig
> tranfer: tisg verify failure"
> 
> Here is the configuration I was trying to use.
> 
> My client/slave server configuration: the file tsig.key, created under
> /var/named, with the following entries:
> 
> key "TRANSFER" {
> algorithm HMAC-MD5;
> #secret "ODvOnAg9F2j2Y09jTQRC276h1vY=";
> secret "egr5WSDQAlP54KrnWweRjg==";
> };
> 
> # Master server IP
> 
> server 195.88.245.33 {
> 
> keys { TRANSFER; };
> 
> };
> 
> In named.conf file on the slave server.  
> 
> include "/var/named/tsigkeys";
> 
> Any help would be highly appreciated. 
> 
> Thanks 
> 
> Ejaz Sys admin

Does the key name match?
Does the secret match?
Does the algorithm match?
If you are using truncated tsig does the length match?
If you are using views is the server clause within the view?

Time should be ok as there is a different error code with a
different description.

Have you tried testing this with dig?

dig -y TRANSFER:egr5WSDQAlP54KrnWweRjg== axfr <zone> @195.88.245.33 +all

e.g.
% dig -y TRANSFER:egr5WSDQAlP54KrnWweRjg== axfr dv.isc.org +all
;; Couldn't verify signature: tsig indicates error

; <<>> DiG 9.11.0pre-alpha <<>> -y TRANSFER axfr dv.isc.org +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTAUTH, id: 15607
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dv.isc.org.			IN	AXFR

;; TSIG PSEUDOSECTION:
transfer.		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1402438051 300 0  15607 BADKEY 0 

; Transfer failed.
% 

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
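
The reply above notes that each failure cause has its own TSIG error code. As an added example (not part of the original message and not BIND code), this sketch reads the record line from dig's TSIG PSEUDOSECTION and maps the error to the checklist item to look at first. The function names are hypothetical, the field layout is assumed from the line shown in the dig output above, and the second sample line is constructed.

```python
import math

# TSIG error (RFC 8945 mnemonic) -> checklist item to look at first.
HINTS = {
    "NOERROR": "no TSIG error reported",
    "BADSIG": "MAC did not verify: compare the secret on both servers",
    "BADKEY": "server has no key with this name and algorithm: compare both",
    "BADTIME": "time signed is outside the fudge window: check clocks",
    "BADTRUNC": "truncated MAC not acceptable: compare truncation length",
}
CODES = {"0": "NOERROR", "16": "BADSIG", "17": "BADKEY",
         "18": "BADTIME", "22": "BADTRUNC"}

def parse_tsig_line(line):
    """Parse one record line from dig's TSIG PSEUDOSECTION (assumed layout)."""
    f = line.split()
    if len(f) < 11 or f[3].upper() != "TSIG":
        raise ValueError("not a TSIG record line")
    mac_size = int(f[7])
    need = 4 * math.ceil(mac_size / 3)   # base64 characters for mac_size bytes
    i, mac = 8, ""
    while len(mac) < need and i < len(f):  # no MAC token when mac_size is 0
        mac += f[i]
        i += 1
    if len(f) - i < 3:
        raise ValueError("TSIG record line is cut short")
    error = CODES.get(f[i + 1], f[i + 1].upper())  # accept 17 or BADKEY
    return {"key": f[0].lower(), "algorithm": f[4].lower(),
            "time_signed": int(f[5]), "fudge": int(f[6]), "mac": mac,
            "original_id": int(f[i]), "error": error,
            "hint": HINTS.get(error, "unrecognised TSIG error")}

def triage(dig_output):
    """Return the parsed TSIG record from full dig output, or None."""
    lines = iter(dig_output.splitlines())
    for line in lines:
        if "TSIG PSEUDOSECTION" in line:
            for rec in lines:  # first non-comment line after the header
                if rec.strip() and not rec.startswith(";"):
                    return parse_tsig_line(rec)
    return None

# Record line as shown in the dig output above.
PAGE_LINE = ("transfer.\t\t0\tANY\tTSIG\thmac-md5.sig-alg.reg.int. "
             "1402438051 300 0  15607 BADKEY 0 ")
# Constructed sample: a signed BADTIME reply (all-zero MAC and other data).
BADTIME_LINE = ("transfer. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1402438051 "
                "300 16 AAAAAAAAAAAAAAAAAAAAAA== 15607 BADTIME 6 AAAAAAAA")
```

Calling `triage()` on saved dig output returns a dict whose `error` and `hint` fields say which of the questions above to check first.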