TSIG AXFR failed while receiving responses: REFUSED
micah
micah at riseup.net
Sun May 25 14:58:22 UTC 2014
Hi,
I've been struggling to get TSIG set up for securing the AXFR of my zone
transfers from the master to the secondaries. I've tried what feels like
everything I can think of, but I am still unable to get it to work
right. I must be missing something, and I hope that the bind community
can tell me what it is.
I'm using the new 9.10 version of bind, so I created the tsig file on
the master by running tsig-keygen > /etc/bind/tsig.keys; it looks like
this:
key "tsig-key" {
        algorithm hmac-sha256;
        secret "weeetsigblobhere=";
};
my named.conf has:
include "/etc/bind/rndc.key";
include "/etc/bind/tsig.keys";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
and my named.conf.options has:
zone "example.net" {
        type master;
        allow-transfer { key tsig.key.; };
        also-notify { ip.address.here.x; };
        file "/etc/bind/master/db.example";
        auto-dnssec maintain;
        inline-signing yes;
};
on the slave I have copied over the tsig.keys file and added to the
bottom of it:
key "tsig-key" {
        algorithm hmac-sha256;
        secret "weeetsigblobhere=";
};
server ip.of.master.here {
        keys { "tsig-key"; };
};
Now, when I try to do a zone transfer:
root at owl:/etc/bind# rndc retransfer example.net
21-May-2014 09:34:11.828 received control channel command 'retransfer example.net'
21-May-2014 09:34:11.907 zone example.net/IN: Transfer started.
21-May-2014 09:34:11.987 transfer of 'example.net/IN' from ip.address.of.master#53: connected using ip.address.of.slave#48600
21-May-2014 09:34:12.068 transfer of 'example.net/IN' from ip.address.of.master#53: failed while receiving responses: REFUSED
21-May-2014 09:34:12.068 transfer of 'example.net/IN' from ip.address.of.master#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.080 secs (0 bytes/sec)
and I see on the master:
21-May-2014 16:34:12.031 client ip.address.of.slave#48600/key tsig-key (example.net): zone transfer example.net/AXFR/IN' denied
What am I missing?
Thanks!
micah
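For comparison, an added example (not the poster's configuration, and not from the BIND project) of a master/secondary pair in which the key name is spelled identically in the key statement, the allow-transfer ACL and the server statement; the addresses and the secret are placeholders.

```conf
# Added example; not the poster's configuration. Addresses and the
# secret are placeholders.

# --- shared: /etc/bind/tsig.keys, identical on master and secondary ---
key "tsig-key" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER_BASE64_SECRET=";
};

# --- master ---
zone "example.net" {
        type master;
        file "/etc/bind/master/db.example";
        # The ACL must name the key exactly as the key statement does:
        # "tsig-key". A different spelling (e.g. tsig.key.) is a
        # different, undefined key, so a correctly signed AXFR is
        # still logged as "zone transfer ... denied" and the
        # secondary sees REFUSED.
        allow-transfer { key "tsig-key"; };
        also-notify { 192.0.2.2; };
        auto-dnssec maintain;
        inline-signing yes;
};

# --- secondary ---
server 192.0.2.1 {
        # Sign every request to the master (SOA query, AXFR/IXFR)
        # with this key.
        keys { "tsig-key"; };
};

zone "example.net" {
        type slave;
        masters { 192.0.2.1; };
        file "/var/cache/bind/db.example";
};
```

The same ACL can be exercised from the secondary without named, using dig's -y option with the shared key: dig @192.0.2.1 -y hmac-sha256:tsig-key:PLACEHOLDER_BASE64_SECRET= example.net axfr. If the master's log still shows the request arriving as "/key tsig-key" but denied, the signature verified and the problem is in the allow-transfer match, not in the secret.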