I'm trying to use BIND 9.3.4 as a slave server for a couple of my zones.
The primary name server is running NSD. Both are running NTPD.
Master has an external IP address (MAS.TER.MAS.TER), while slave
server has a RFC1918 address (192.168.1.153) and the leading firewall
redirects UDP/TCP packets to SLA.VE.SLA.VE:53 to it.
AXFR fails invariably with the following error: "tsig verify failure".
Do, by chance, TSIG packets use IP address during encryption?
I've been struggling to understand the problem for maybe 8 hours, but
I'm clueless now... Any help would be welcome.
The configuration of the master server, running NSD, is straightforward:
% key:
% name: master-slave.
% algorithm: hmac-md5
% secret: "ABCDEFGHIJKLMNOPQRSTUV=="
% zone:
% name: "le-hen.org"
% zonefile: "le-hen.org.zone"
% notify: SLA.VE.SLA.VE master-slave.
% provide-xfr: SLA.VE.SLA.VE master-slave.
The slave BIND relevant configuration is:
% key master-slave. {
% algorithm hmac-md5;
% secret "ABCDEFGHIJKLMNOPQRSTUV==";
% };
% server MAS.TER.MAS.TER {
% keys { master-slave. };
% };
% view external {
% [...]
%
% zone "le-hen.org" {
% type slave;
% masters { MAS.TER.MAS.TER; };
% file "/var/db/named/le-hen.org.bak";
% allow-transfer { none; };
% };
% };
BIND log (sorry if the line wraps):
% Feb 28 09:54:25 slave named[37517]: notify: info: client MAS.TER.MAS.TER#54434: view external: received notify for zone 'le-hen.org': TSIG 'master-slave'
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: zone le-hen.org/IN/external: zone transfer deferred due to quota
% Feb 28 09:54:26 slave named[37517]: general: info: zone le-hen.org/IN/external: Transfer started.
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: connected using 192.168.1.153#53780
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: requesting IXFR for serial 2009021700
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request length prefix
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request data
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 7: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: received 188 bytes
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: got NOTIMP, retrying with AXFR
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: resetting
% Feb 28 09:54:26 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: connected using 192.168.1.153#55660
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request length prefix
% Feb 28 09:54:26 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request data
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 7: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: received 263 bytes
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request length prefix
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: sent request data
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 7: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: received 707 bytes
% Feb 28 09:54:27 slave named[37517]: dnssec: debug 2: tsig key 'master-slave': signature failed to verify
% Feb 28 09:54:27 slave named[37517]: xfer-in: debug 3: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: TSIG check failed: tsig verify failure
% Feb 28 09:54:27 slave named[37517]: xfer-in: error: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: failed while receiving responses: tsig verify failure
% Feb 28 09:54:27 slave named[37517]: general: debug 1: zone le-hen.org/IN/external: zone transfer finished: tsig verify failure
% Feb 28 09:54:27 slave named[37517]: xfer-in: info: transfer of 'le-hen.org/IN' from MAS.TER.MAS.TER#53: end of transfer
Thanks.
Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
On 28-Feb-2009, at 04:11, Jeremie Le Hen wrote:
> AXFR fails invariably with the following error: "tsig verify failure".
> Do, by chance, TSIG packets use IP address during encryption?
> I've been struggling to understand the problem for maybe 8 hours, but
> I'm clueless now... Any help would be welcome.
Check the clocks on your two machines, as they need to be in sync; the
signatures are time-dependent.
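To make the reply concrete, here is an added example (not from the post, and not BIND or NSD code) that signs one DNS message with TSIG hmac-md5 as specified in RFC 2845 and verifies it the way a receiving server does, so the failure modes can be told apart: same key and synchronized clocks verify; a receiver clock more than `fudge` seconds away from the signer's returns BADTIME; a wrong secret returns BADSIG, which is the condition behind a "signature failed to verify" line in named's log. The MAC input is the message bytes plus the TSIG variables (key name, class, TTL, algorithm name, time signed, fudge, error, other data); source and destination addresses and ports are not part of it, so a NAT in front of the slave cannot by itself break verification. The example covers a single standalone message such as the NOTIFY or the initial AXFR request, not the chained MACs of a multi-message transfer response. The key name and secret are the placeholders from the post; the message ID and timestamp are constructed.

```python
"""Minimal RFC 2845 TSIG (hmac-md5) signing and verification for one DNS message.
Constructed example, not BIND or NSD code. Key name and secret are the placeholders
from the post; message ID and 'time signed' values are arbitrary."""
import base64
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY = 250, 255
ALG_HMAC_MD5 = "hmac-md5.sig-alg.reg.int."
BADSIG, BADKEY, BADTIME = 16, 17, 18          # RFC 2845 TSIG error codes


def encode_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"


def skip_name(msg, off):
    """Offset just past the name starting at `off` (compression pointers allowed)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:     # 2-byte pointer terminates the name
            return off + 2
        off += 1 + msg[off]
    return off + 1


def build_axfr_query(zone, msg_id):
    """Unsigned AXFR query: 12-byte header plus one question (QTYPE 252, class IN)."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", 252, 1))


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' (RFC 2845 3.4.2) appended to the message before hashing.
    Note what is NOT here: no source or destination IP address or port."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALG_HMAC_MD5) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, secret_b64, time_signed, fudge=300):
    """Append a TSIG RR to `msg`; the MAC covers msg + TSIG variables."""
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, msg + tsig_variables(keyname, time_signed, fudge), hashlib.md5).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALG_HMAC_MD5) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed, keyname, secret_b64, now):
    """Verify the TSIG RR on `signed` in receiver order: key, then MAC, then time.
    Returns (True, 0) on success or (False, <TSIG error code>)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):         # skip every RR except the last one (the TSIG)
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    off = skip_name(signed, tsig_off)
    owner = signed[tsig_off:off].lower()
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    off += 10                                 # type, class, TTL, RDLENGTH
    alg_end = skip_name(signed, off)
    alg, off = signed[off:alg_end].lower(), alg_end
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    off += 10
    mac, off = signed[off:off + mac_size], off + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if rtype != TSIG_TYPE or owner != encode_name(keyname) or alg != encode_name(ALG_HMAC_MD5):
        return False, BADKEY
    # Rebuild the message as it was before signing: original ID, ARCOUNT-1, TSIG RR dropped.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_off])
    key = base64.b64decode(secret_b64)
    expected = hmac.new(key, unsigned + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        return False, BADSIG                  # what named logs as "signature failed to verify"
    if abs(now - time_signed) > fudge:
        return False, BADTIME                 # receiver clock outside the fudge window
    return True, 0


def demo():
    """Sign one AXFR query and verify it under three receiver conditions."""
    key, secret = "master-slave.", "ABCDEFGHIJKLMNOPQRSTUV=="   # placeholders from the post
    t = 1235814865                                              # arbitrary 'time signed'
    signed = tsig_sign(build_axfr_query("le-hen.org.", 0x1234), key, secret, t)
    return {
        "clocks_in_sync": tsig_verify(signed, key, secret, now=t + 10),
        "clock_off_by_1h": tsig_verify(signed, key, secret, now=t + 3600),
        "wrong_secret": tsig_verify(signed, key, "AAAAAAAAAAAAAAAAAAAAAA==", now=t),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running `demo()` shows the three outcomes side by side; swapping the key name on the verifier side is the fourth case (BADKEY) and is the one to suspect when the two servers disagree on the key's name rather than its secret. The default fudge of 300 seconds is what BIND uses, so a clock difference of a few minutes is tolerated and anything larger is rejected regardless of the secret.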