TSIG fails intermittently but dig works
Mark Andrews
marka at isc.org
Thu Mar 25 21:00:37 UTC 2010
In message <OFF7240F74.A2C76455-ON062576F1.0068F1EA-062576F1.006C5726 at sasktel.sk.ca>, Greg Kuechle writes:
> Hi,
>
> I have two servers each running bind 9.7.0. I have TSIG setup on the
> servers. I upgraded the hardware on the primary server. The IPs and the
> config remained the same.
> I upgraded BIND from 9.4.3-P3 to 9.7.0 at the same time on the primary.
>
> Prior to the hardware/BIND upgrade TSIG worked good.
>
> The new primary is running on a sun T5120 with Solaris 10.
> The older secondary is running on a sun v250 with Solaris 8.
>
>
> Now it fails on some zones and works on others. If I use dig to do a zone
> transfer all zones transfer ok.
>
> Here is the syntax I use:
> dig -y st-dns-key:<key_omitted> @142.163.211.10 ips.com <-- this works
> only with dig, named will not transfer.
> dig -y st-dns-key:<key_omitted> @142.163.211.10 zazu.com <-- this works
> with dig and named will transfer.
>
>
> ---------------------------- Logs from secondary trying to transfer the
> zones ___________________________________
> Here is a zone that works:
> 25-Mar-2010 12:25:23.058 general: info: zone zazu.ca/IN: Transfer started.
> 25-Mar-2010 12:25:23.065 xfer-in: info: transfer of 'zazu.ca/IN' from
> 142.163.211.10#53: connected using 142.163.20.10#56583
> 25-Mar-2010 12:25:23.105 general: info: zone zazu.ca/IN: transferred
> serial 2007052406: TSIG 'st-dns-key'
> 25-Mar-2010 12:25:23.106 xfer-in: info: transfer of 'zazu.ca/IN' from
> 142.163.211.10#53: Transfer completed: 1 messages, 14 records, 482 bytes,
> 0.040 secs (12050 bytes/sec)
>
> This zone will not transfer
> 25-Mar-2010 12:23:28.029 notify: info: client 142.163.211.10#37594:
> received notify for zone 'ips.com': TSIG 'st-dns-key'
> 25-Mar-2010 12:23:28.041 general: info: zone ips.com/IN: refresh: failure
> trying master 142.163.211.10#53 (source 0.0.0.0#0): tsig verify failure
>
> Both servers are using ntp and the time is synced up.
>
> I have thousands of zones most of them will transfer to the secondary.
>
> I have tried many things with no luck (my secondary was running an older
> version of bind so I upgraded it)
>
>
> Any help would be appreciated.
>
>
>
> Greg Kuechle
Ensure that you have installed all patches from Sun. This sounds like
a bug in cool threads.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org