
rndc: unsupported algorithm:


Markus Feldmann

Mar 30, 2010, 3:53:10 PM
to bind-...@isc.org
Hi All,

I tried to reload my config and zones with rndc. My BIND version is BIND
9.5.1-P3. My rndc.key looks like this.

key feld-server.feldland.lan. {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret TNCrihQV8NjY6bzA5GMJIg==;
};

This is what I also got from creating the sig-key. I still included this
key in my named.conf and in dhcpd.conf.

But I get this message.
rndc: unsupported algorithm: HMAC-MD5.SIG-ALG.REG.INT

What is the problem?

regards Markus

Markus Feldmann

Mar 30, 2010, 4:05:58 PM
to bind-...@isc.org
I changed my key to

key feld-server.feldland.lan. {
    algorithm hmac-md5;
    secret TNCrihQV8NjY6bzA5GMJIg==;
};


and executed the command

feld-server:/etc/bind# rndc -s feld-server -k rndc.key reload
rndc: connect failed: 192.168.0.186#953: connection refused


Without the explicit -s argument it doesn't find the DNS server... ???
However, it seems that I have a problem with some of my statements in
/etc/bind/named.conf.options

controls {inet 127.0.0.1 port 953 allow { localhost; } keys {
feld-server.feldland.lan.; }; };

What to do? I executed rndc in the server.

regards Markus

Warren Kumari

Mar 30, 2010, 4:11:28 PM
to Markus Feldmann, bind-...@isc.org
Hi,

I believe you need: "hmac-md5;", and not "HMAC-MD5.SIG-ALG.REG.INT;"

W


Warren Kumari

Mar 30, 2010, 4:12:34 PM
to Markus Feldmann, bind-...@isc.org

Try adding this:

options {
    default-key "feld-server.feldland.lan.";
    default-server 127.0.0.1;
    default-port 953;
};

Kevin Darcy

Mar 30, 2010, 4:16:18 PM
to bind-...@lists.isc.org
On 3/30/2010 3:53 PM, Markus Feldmann wrote:
> Hi All,
>
> I tried to reload my config and zones with rndc. My BIND version is
> BIND 9.5.1-P3. My rndc.key looks like this.
> key feld-server.feldland.lan. {
> algorithm HMAC-MD5.SIG-ALG.REG.INT;
> secret TNCrihQV8NjY6bzA5GMJIg==;
> };
>
> This is what I also got from creating the sig-key. I still included
> this key in my named.conf and in dhcpd.conf.
>
> But I get this message.
> rndc: unsupported algorithm: HMAC-MD5.SIG-ALG.REG.INT
>
> What is the problem?
>

AFAIK, the only algorithm supported by rndc is "hmac-md5".


- Kevin

P.S. Why would you copy an rndc key into dhcpd.conf?

Kevin Darcy

Mar 30, 2010, 4:18:09 PM
to bind-...@lists.isc.org
On 3/30/2010 4:05 PM, Markus Feldmann wrote:
> I changed my key to
>
> key feld-server.feldland.lan. {
> algorithm hmac-md5;
> secret TNCrihQV8NjY6bzA5GMJIg==;
> };
>
>
> and executed the command
>
> feld-server:/etc/bind# rndc -s feld-server -k rndc.key reload
> rndc: connect failed: 192.168.0.186#953: connection refused
>
>
> Without the explicit -s argument it doesn't find the DNS server... ???
> However, it seems that I have a problem with some of my statements in
> /etc/bind/named.conf.options
>
> controls {inet 127.0.0.1 port 953 allow { localhost; } keys {
> feld-server.feldland.lan.; }; };
>
> What to do? I executed rndc in the server.
>
You're listening on 127.0.0.1 but trying to connect on 192.168.0.186.


- Kevin


Lear, Karen (Evolver)

Mar 30, 2010, 4:30:39 PM
to bind-...@lists.isc.org
I'm adding a new domain to my existing authoritative name servers, and need to add an MX record for a device on the existing domain. That device will serve both domains until we get a new box in and then we will have separate MX records/devices for each domain. I have created a new zone file and modified named.conf to include the new zone. When I run named-checkzone, I get a message about the MX record being out of zone and not having an A record. However, at the end of my named-checkzone output, I get "OK." Can I restart named as is without causing problems or do I need to address these messages?

Thx,

[klear@mynameserver]$ sudo named-checkzone -t /dns/chroot/conf -D NEWDOMAIN.gov MYNEWZONEFILE
zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX1.OLDDOMAIN.gov' (out of zone) has no addresses records (A or AAAA)
zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX2.OLDDOMAIN.gov' (out of zone) has no addresses records (A or AAAA)
OK

Markus Feldmann

Mar 30, 2010, 4:34:55 PM
to bind-...@isc.org
Kevin Darcy wrote:
I need a key for my DHCP server to make zone updates (DDNS). And the key
looks like the key in my file rndc.key, but the algorithm is named
HMAC-MD5.SIG-ALG.REG.INT

I am not sure whether I can use another key for rndc?

regards Markus
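Both things Kevin points out, the control channel listening on 127.0.0.1 while rndc connects to 192.168.0.186, and one key doing double duty for rndc and for DHCP dynamic updates, can be caught by reading the configuration before rndc is run. The script below is an added example, not code from this thread or from ISC: it parses the key, controls and zone allow-update statements shown above (simple one-level statements only), models rndc's target as the address and port it connects to (the thread shows `-s feld-server` resolving to 192.168.0.186), and assumes, as the replies state for this BIND 9.5 setup, that rndc accepts only hmac-md5. The `dhcp-update` key and its secret in the fixed configuration are constructed placeholders.

```python
import re

# Constructed sample inputs modelled on the thread; the secret below is the one Markus
# posted and is not a live credential of any server.
KEY_FILE = """
key feld-server.feldland.lan. {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret TNCrihQV8NjY6bzA5GMJIg==;
};
"""

NAMED_CONF = """
controls { inet 127.0.0.1 port 953 allow { localhost; } keys { feld-server.feldland.lan.; }; };
zone "feldland.lan" {
    type master;
    file "feldland.lan.zone";
    allow-update { key feld-server.feldland.lan.; };
};
"""

# The same setup with the algorithm name rndc accepts and a separate key for DHCP
# updates; the dhcp-update secret is a placeholder (base64 of a fixed string).
FIXED_KEY_FILE = KEY_FILE.replace("HMAC-MD5.SIG-ALG.REG.INT", "hmac-md5")
FIXED_NAMED_CONF = """
key "dhcp-update" { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQtZXhhbXBsZQ=="; };
controls { inet 127.0.0.1 port 953 allow { localhost; } keys { "feld-server.feldland.lan."; }; };
zone "feldland.lan" { type master; file "feldland.lan.zone"; allow-update { key "dhcp-update"; }; };
"""

# Algorithms the rndc client accepts: only hmac-md5 for the BIND 9.5 setup in the thread
# (assumption taken from the replies; widen this set for a newer rndc).
RNDC_ALGORITHMS = {"hmac-md5"}

KEY_RE = re.compile(r'key\s+"?([^\s"{]+)"?\s*\{\s*algorithm\s+([^;\s]+)\s*;'
                    r'\s*secret\s+"?([^;"\s]+)"?\s*;\s*\}\s*;')
CONTROLS_RE = re.compile(r'inet\s+([\w.:*]+)(?:\s+port\s+(\d+))?\s+allow\s*\{[^}]*\}'
                         r'\s*keys\s*\{([^}]*)\}')
ZONE_RE = re.compile(r'zone\s+"?([^\s"{]+)"?')
UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}')


def norm(name):
    """Key names compare case-insensitively, quoted or not, with or without trailing dot."""
    return name.strip().strip('"').rstrip(".").lower()


def key_list(body):
    """Names from a '{ a; b; }' or '{ key a; key b; }' list body."""
    return {norm(item.replace("key ", "")) for item in body.split(";") if item.strip()}


def parse_keys(text):
    return {norm(n): {"algorithm": a.lower(), "secret": s} for n, a, s in KEY_RE.findall(text)}


def parse_controls(text):
    return [{"address": addr, "port": int(port or 953), "keys": key_list(keys)}
            for addr, port, keys in CONTROLS_RE.findall(text)]


def parse_update_keys(text):
    """Zone name -> keys its allow-update clause accepts (nested braces handled by slicing)."""
    starts = list(ZONE_RE.finditer(text))
    result = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        upd = UPDATE_RE.search(text, m.end(), end)
        if upd:
            result[norm(m.group(1))] = key_list(upd.group(1))
    return result


def check_rndc(keys, controls, update_keys, server, port, key_name):
    """Problems that stop rndc reaching named, plus a key-sharing warning."""
    problems = []
    name = norm(key_name)
    key = keys.get(name)
    if key is None:
        problems.append(f"key {key_name} is not defined")
    elif key["algorithm"] not in RNDC_ALGORITHMS:
        problems.append(f"rndc does not accept algorithm {key['algorithm']}; use hmac-md5")
    matching = [c for c in controls if c["address"] in (server, "*") and c["port"] == port]
    if not matching:
        listening = ", ".join(f"{c['address']}#{c['port']}" for c in controls) or "nothing"
        problems.append(f"no controls channel on {server}#{port}; named listens on {listening}")
    elif not any(name in c["keys"] for c in matching):
        problems.append(f"controls channel on {server}#{port} does not list key {key_name}")
    # Least privilege: a key that both controls named and signs dynamic updates lets
    # whoever holds it (here the DHCP server) reload, freeze or stop the name server.
    for zone, zone_keys in update_keys.items():
        if name in zone_keys:
            problems.append(f"key {key_name} is also an allow-update key for zone {zone}; "
                            "give the DHCP server its own key")
    return problems


if __name__ == "__main__":
    # Markus ran 'rndc -s feld-server', which resolved to 192.168.0.186 in his error message.
    cases = (("as posted", KEY_FILE, NAMED_CONF, "192.168.0.186"),
             ("fixed", FIXED_KEY_FILE, FIXED_NAMED_CONF, "127.0.0.1"))
    for label, key_file, named_conf, server in cases:
        keys = {**parse_keys(key_file), **parse_keys(named_conf)}
        found = check_rndc(keys, parse_controls(named_conf), parse_update_keys(named_conf),
                           server, 953, "feld-server.feldland.lan.")
        print(f"{label}: {found or ['no problems found']}")
```

Run as a script it prints three findings for the configuration as posted (algorithm name, address mismatch, shared key) and none for the version with a separate update key. The separate key matters because the key listed in `controls` grants the full rndc command set, while a DHCP server only needs to be accepted by `allow-update` on its zone.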

Matthew Pounsett

Mar 30, 2010, 4:50:41 PM
to Lear, Karen (Evolver), bind-...@lists.isc.org
Hi Karen.

Please don't start a new thread by replying to an email in an existing discussion -- your message can get lost in that other discussion, rather than appearing as a new topic for anyone who threads their email.


On 2010/03/30, at 16:30, Lear, Karen (Evolver) wrote:

> I'm adding a new domain to my existing authoritative name servers, and need to add an MX record for a device on the existing domain. That device will serve both domains until we get a new box in and then we will have separate MX records/devices for each domain. I have created a new zone file and modified named.conf to include the new zone. When I run named-checkzone, I get a message about the MX record being out of zone and not having an A record. However, at the end of my named-checkzone output, I get "OK." Can I restart named as is without causing problems or do I need to address these messages?

It sounds like you're including a record for mx1.olddomain.gov in the newdomain.gov zone. It's hard to be sure without seeing specifics from your configuration though.

>
> Thx,
>
> [klear@mynameserver]$ sudo named-checkzone -t /dns/chroot/conf -D NEWDOMAIN.gov MYNEWZONEFILE
> zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX1.OLDDOMAIN.gov' (out of zone) has no addresses records (A or AAAA)
> zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX2.OLDDOMAIN.gov' (out of zone) has no addresses records (A or AAAA)
> OK

Mark Andrews

Apr 1, 2010, 1:03:28 PM
to Lear, Karen (Evolver), bind-...@lists.isc.org

In message <2AA71BEDEBCF80449E35B...@EMAIL4.uspto.gov>, "Lear, Karen (Evolver)" writes:
> I'm adding a new domain to my existing authoritative name servers, and need to add an MX record for a device on the existing domain. That device will serve both domains until we get a new box in and then we will have separate MX records/devices for each domain. I have created a new zone file and modified named.conf to include the new zone. When I run named-checkzone, I get a message about the MX record being out of zone and not having an A record. However, at the end of my named-checkzone output, I get "OK." Can I restart named as is without causing problems or do I need to address these messages?
>
> Thx,
>
> [klear@mynameserver]$ sudo named-checkzone -t /dns/chroot/conf -D NEWDOMAIN.gov MYNEWZONEFILE
> zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX1.OLDDOMAIN.gov' (out of zone) has no addresses records (A or AAAA)
> zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX2.OLDDOMAIN.gov' (out of zone) has no addresses records (A or AAAA)
> OK

You really should address the messages by adding the referenced address
records.

Mark



--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
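The warning in Karen's output is not fatal (the run still ends with OK), but it is worth knowing exactly which MX targets it refers to before loading the zone. The script below is an added example, not code from this thread or from BIND: it parses a constructed zone file with the same shape as her case (placeholder names, 192.0.2.0/24 addresses), handles only single-line records with optional TTL and class plus the $ORIGIN and $TTL directives, and lists every MX target that has no A or AAAA record in the zone, tagged in-zone or out-of-zone in the wording named-checkzone uses.

```python
import re

ORIGIN = "newdomain.gov."

# Constructed zone file shaped like Karen's situation; names and addresses are
# placeholders (documentation prefix 192.0.2.0/24), not her real zone.
ZONE_TEXT = """\
$TTL 3600
@       IN SOA   ns1 hostmaster 2010033001 7200 900 1209600 3600
@       IN NS    ns1
ns1     IN A     192.0.2.1
@       IN MX    10 mx1.olddomain.gov.
@       IN MX    20 mx2.olddomain.gov.
@       IN MX    30 mail
@       IN MX    40 mx3
mail    IN A     192.0.2.25
www     IN CNAME mail
"""


def qualify(name, origin):
    """Turn a zone-file name into a fully qualified one ('@' and relative names)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: one record per line, optional TTL/class, $ORIGIN/$TTL.
    Records continued across lines in parentheses are not handled (assumption here)."""
    records = []
    last_owner = origin
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue  # $TTL and other directives do not affect this check
        tokens = line.split()
        if line[0].isspace():
            owner = last_owner  # blank owner field: same owner as the previous record
        else:
            owner = qualify(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():
            tokens.pop(0)  # optional TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)  # optional class
        rtype = tokens.pop(0).upper()
        records.append((owner.lower(), rtype, tokens))
    return records


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def mx_without_addresses(records, origin):
    """MX targets with no A/AAAA record in this zone, tagged in-zone / out-of-zone."""
    origin = origin.lower()
    addressed = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    findings = []
    for owner, rtype, rdata in records:
        if rtype != "MX":
            continue
        target = qualify(rdata[1], origin).lower()  # rdata is [preference, exchange]
        if target not in addressed:
            findings.append({"owner": owner, "target": target,
                             "out_of_zone": not in_zone(target, origin)})
    return findings


def format_finding(finding, origin):
    """Same shape as the named-checkzone line quoted in the thread."""
    tag = " (out of zone)" if finding["out_of_zone"] else ""
    return (f"zone {origin.rstrip('.')}/IN: {finding['owner'].rstrip('.')}/MX "
            f"'{finding['target'].rstrip('.')}'{tag} has no address records (A or AAAA)")


if __name__ == "__main__":
    for finding in mx_without_addresses(parse_zone(ZONE_TEXT, ORIGIN), ORIGIN):
        print(format_finding(finding, ORIGIN))
```

The in-zone case (mx3) is the one this zone file can fix directly by adding the A record. For an out-of-zone target such as mx1.olddomain.gov the A/AAAA record belongs in that target's own zone, olddomain.gov, which the same servers host; an address record for it placed in newdomain.gov would itself be out of zone.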

Daniel Ryslink

Apr 6, 2010, 7:24:30 AM
to bind-...@lists.isc.org

By the way, a similar problem occurs in 9.6.2-p1. According to the changelog,
support for RSA/SHA-256 (algorithm number 8 in dnssec-related
records) was backported into 9.6.2 from 9.7 (and indeed, 9.6.2 has no
problems with the TLDs recently signed with keys using RSA/SHA-256).

However, after upgrading to 9.6.2-p1, these very records are rejected by
the nameserver:

29-Mar-2010 09:33:59.371 config: error: itar.key:3: configuring trusted
key for 'ARPA.': algorithm is unsupported

Evidently, the RSA/SHA-256 support was removed from p1, but why? (...
accident?).

Daniel Ryslink

On Tue, 30 Mar 2010, Kevin Darcy wrote:

> On 3/30/2010 3:53 PM, Markus Feldmann wrote:
>> Hi All,
>>
>> I tried to reload my config and zones with rndc. My BIND version is BIND
>> 9.5.1-P3. My rndc.key looks like this.
>> key feld-server.feldland.lan. {
>> algorithm HMAC-MD5.SIG-ALG.REG.INT;
>> secret TNCrihQV8NjY6bzA5GMJIg==;
>> };
>>
>> This is what I also got from creating the sig-key. I still included this
>> key in my named.conf and in dhcpd.conf.
>>
>> But I get this message.
>> rndc: unsupported algorithm: HMAC-MD5.SIG-ALG.REG.INT
>>
>> What is the problem?
>>
>
> AFAIK, the only algorithm supported by rndc is "hmac-md5".
>
> - Kevin
>
> P.S. Why would you copy an rndc key into dhcpd.conf?
>

Chris Thompson

Apr 7, 2010, 12:52:19 PM
to Daniel Ryslink, Bind Users Mailing List
On Apr 6 2010, Daniel Ryslink wrote:

>
> By the way, a similar problem occurs in 9.6.2-p1. According to the changelog,
> support for RSA/SHA-256 (algorithm number 8 in dnssec-related
> records) was backported into 9.6.2 from 9.7 (and indeed, 9.6.2 has no
> problems with the TLDs recently signed with keys using RSA/SHA-256).
>
> However, after upgrading to 9.6.2-p1, these very records are rejected by
> the nameserver:
>
> 29-Mar-2010 09:33:59.371 config: error: itar.key:3: configuring trusted
> key for 'ARPA.': algorithm is unsupported
>
> Evidently, the RSA/SHA-256 support was removed from p1, but why? (...
> accident?).

I can't reproduce this at all. I tried adding a trust anchor for
"uk" (which uses algorithm 8, and is not in dlv.isc.org) to a test
server running 9.6.2-P1. No config error as above, and (after a
bit of cache flushing) it validates records from "uk" fine ("ad" bit
set, etc.).

--
Chris Thompson
Email: ce...@cam.ac.uk
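When named rejects a trust anchor at config time, as in Daniel's log line, the first thing to establish is which entry and which algorithm number are involved, and whether the anchor matches the DNSKEY the zone actually publishes. The script below is an added example, not Daniel's, Chris's or ISC's code: it assumes the `trusted-keys { name flags protocol algorithm "base64"; };` syntax, uses a dummy four-byte key (base64 of the bytes 01 02 03 04) in place of any real trust anchor, takes the set of algorithms a build supports as a parameter rather than probing the build, and computes the RFC 4034 key tag so an anchor can be compared against the zone's published DNSKEY set.

```python
import base64
import re

# Constructed trusted-keys statement. The key material is the base64 of the bytes
# 01 02 03 04, a dummy stand-in, not anyone's real trust anchor.
TRUSTED_KEYS = """
trusted-keys {
    "arpa." 257 3 8 "AQIDBA==";
    "example." 257 3 5 "AQIDBA==";
};
"""

# DNSSEC algorithm numbers from the IANA registry, for readable reports.
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                   10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

ENTRY_RE = re.compile(r'"?([^\s"]+)"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')


def parse_trusted_keys(text):
    """(name, flags, protocol, algorithm, base64) for each anchor in the statement."""
    body = re.search(r"trusted-keys\s*\{(.*?)\}\s*;", text, re.S)
    if not body:
        return []
    return [(name, int(flags), int(proto), int(alg), key)
            for name, flags, proto, alg, key in ENTRY_RE.findall(body.group(1))]


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_trust_anchors(text, supported_algorithms):
    """One report per anchor; 'error' mirrors the config-time rejection named logs."""
    reports = []
    for name, flags, proto, alg, b64 in parse_trusted_keys(text):
        pubkey = base64.b64decode("".join(b64.split()))
        report = {"name": name, "flags": flags, "algorithm": alg,
                  "algorithm_name": ALGORITHM_NAMES.get(alg, "unknown"),
                  "key_tag": key_tag(flags, proto, alg, pubkey),
                  "sep": bool(flags & 1),  # SEP bit: the usual marker of a KSK
                  "error": None}
        if proto != 3:
            report["error"] = f"configuring trusted key for '{name}': protocol must be 3"
        elif alg not in supported_algorithms:
            report["error"] = f"configuring trusted key for '{name}': algorithm is unsupported"
        reports.append(report)
    return reports


if __name__ == "__main__":
    for build, algs in (("build with RSASHA256", {5, 7, 8}), ("build without it", {5, 7})):
        print(build)
        for r in check_trust_anchors(TRUSTED_KEYS, algs):
            print(f"  {r['name']} alg {r['algorithm']} ({r['algorithm_name']}) "
                  f"tag {r['key_tag']}: {r['error'] or 'ok'}")
```

The supported set is an input, so what the script shows is which anchors a build lacking algorithm 8 would reject: with {5, 7, 8} both entries pass, and without 8 the 'arpa.' entry yields the same "algorithm is unsupported" text as Daniel's log. The key tag is what to match against the zone's DNSKEY set when checking that a configured anchor is the key the zone really uses.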
