Problem with allow-update with TSIG
Kevin Darcy
kcd at daimlerchrysler.com
Mon Apr 29 23:18:23 UTC 2002
Then I can only speculate what might be wrong. Is there anything unusual in your logs? Have
you tried changing the "algorithm" in your key definition to just "hmac-md5"? That's how mine
are, and TSIG-signed Dynamic Update is working for me...
- Kevin
Krishna wrote:
> Yes, of course:-)
>
> Krishna
>
> Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<aachug$5om at pub3.rc.vix.com>...
> > Did you tell nsupdate to sign the update? You didn't mention any "-k"
> > option in your nsupdate command line...
> >
> >
> > - Kevin
> >
> > Krishna wrote:
> >
> > > Hi,
> > >
> > > I am pretty much new to DNS in general & DDNS in particular.
> > > So please excuse any stupidity on my part:-)
> > >
> > > After having set up my Linux 2.4.17 box as a DNS server,
> > > I was able to update records using nsupdate from a host
> > > machine using
> > > allow-update { 192.168.100.0/24;};
> > > [I am using BIND 8.2.3].
> > >
> > > But this was not the case
> > > when I tried using TSIG. With nsupdate -d I got
> > > the following log (part of it):
> > >
> > > ;; Querying server (# 1) address = 192.168.100.3
> > > ;; got answer:
> > > ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 4905
> > > ;; flags: qr ra; ZONE: 1, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 1
> > > ;; bombay.tsoft.com, type = SOA, class = IN
> > > bombay.tsoft.com. 0S ANY TSIG HMAC-MD5.SIG-ALG.REG.INT. 18
> > > ;; res_nupdate: res_nsend: send error, n=-1 (Inappropriate ioctl for
> > > device)
> > >
> > > Of course, the keys are the same at both ends. Also, no error
> > > msg in /var/log/message on either end.
> > > Then what's the reason for the "NOTAUTH"? And what's the reason for the
> > > inappropriate "ioctl"?
> > >
> > > A snippet of my named.conf is given:
> > >
> > > key bombay.tsoft.com. {
> > > algorithm HMAC-MD5.SIG-ALG.REG.INT;
> > > secret "BNWSFyxJ8dxKJfraPcU0Kg==";
> > > };
> > >
> > > zone "bombay.tsoft.com" in {
> > > type master;
> > > file "named.bombay.tsoft.com";
> > > allow-update { key bombay.tsoft.com.; };
> > > };
> > >
> > > Could someone please point out any error or suggestion?
> > >
> > > Thanks in advance,
> > > Krishna
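
One way to verify the "keys are the same at both ends" assumption from the thread, as an added example that is not part of any poster's message or of BIND: it compares the server's `key` stanza and `allow-update` entry with the client's key file. The server text copies the configuration quoted above; the client `.private` file (dnssec-keygen style layout), its contents and all function names are assumptions made for illustration.

```python
import base64
import re
# Constructed inputs: the server stanza mirrors the named.conf quoted in the
# thread; the client file is a hypothetical dnssec-keygen style .private file.
NAMED_CONF = '''
key bombay.tsoft.com. {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "BNWSFyxJ8dxKJfraPcU0Kg==";
};
zone "bombay.tsoft.com" in {
    allow-update { key bombay.tsoft.com.; };
};
'''
CLIENT_PRIVATE = '''Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: BNWSFyxJ8dxKJfraPcU0Kg==
'''

def norm_name(name):
    """Key names are domain names: compare case-insensitively, ignoring the trailing dot."""
    return name.strip('"').rstrip(".").lower()

def server_keys(conf):
    """Map normalized key name -> (algorithm, decoded secret) for each key stanza."""
    pat = re.compile(r'key\s+("?[\w.-]+"?)\s*\{\s*algorithm\s+([\w.-]+)\s*;'
                     r'\s*secret\s+"([^"]+)"\s*;\s*\}', re.I)
    return {norm_name(n): (a.lower(), base64.b64decode(s, validate=True))
            for n, a, s in pat.findall(conf)}

def client_secret(private_text):
    """Decode the Key: line of the client-side key file (ValueError if absent)."""
    m = re.search(r"^Key:\s*(\S+)\s*$", private_text, re.M)
    if m is None:
        raise ValueError("no Key: line in client key file")
    return base64.b64decode(m.group(1), validate=True)

def check(conf, private_text, client_key_name):
    """Return a list of mismatches between the client key and the server config."""
    problems = []
    keys, name = server_keys(conf), norm_name(client_key_name)
    if name not in keys:
        problems.append("key name not defined on server")
    elif keys[name][1] != client_secret(private_text):
        problems.append("secret differs between client and server")
    allowed = {norm_name(n) for n in
               re.findall(r'allow-update\s*\{[^}]*?key\s+("?[\w.-]+"?)\s*;', conf, re.I)}
    if name not in allowed:
        problems.append("key not listed in allow-update")
    return problems
```

An empty list from `check()` means the key name, secret bytes and `allow-update` reference agree, so the cause lies elsewhere.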