On 9/28/2013 12:31 PM, sar...@slashroot.in wrote:
Hi Team,
I have an architecture where I have one BIND server that is
forward-only and is authoritative for a domain ab.dc.example.com. It
should forward all requests other than those it is authoritative for
(ab.dc.example.com) to a set of servers.
Requests will get forwarded to
172.16.202.1
172.16.202.2
172.16.203.3
172.16.204.4
And the second point is that this same set of servers, to which requests
are being forwarded, are also slave servers for the domain
ab.dc.example.com (so they will be fetching zone transfer updates as well).
I have TSIG with HMAC-MD5 keys generated for secure zone transfers.
key ab.dc.example.com {
    algorithm hmac-md5;
    secret "s0G8oHowQLWoS6FvOV2W6zKNAv+sC7f2hdJclrtHtEfFPyf3nBNY6xR+1Q==";
};
server 172.16.202.1 {
    keys {
        ab.dc.example.com;
    };
};
server 172.16.202.2 {
    keys {
        ab.dc.example.com;
    };
};
server 172.16.202.3 {
    keys {
        ab.dc.example.com;
    };
};
server 172.16.202.4 {
    keys {
        ab.dc.example.com;
    };
};
And I have my forwarders set to the same set of servers above. My
BIND options clause is shown below.
forwarders { 172.16.202.1; 172.16.202.2; 172.16.202.3; 172.16.202.4; };
forward only;
allow-query { any; };
allow-transfer { none; };
allow-recursion { localhost; 0.0.0.0/0; };
dnssec-validation no;
dnssec-enable yes;
Note: I don't have direct access to those 4 servers (they are slaves for
the domain for which I am authoritative). The zone transfer is working
perfectly with the above configs, but normal dig queries are not working as
required. What I could make out from the logs is shown below.
;; TSIG PSEUDOSECTION:
0 ANY TSIG hmac-md5.sig-alg.reg.int. 1380379945 300 0 55359
BADSIG 0
However, if I query those same servers to which I am forwarding my DNS
requests, with the key option in the dig command, I do get the desired
output. I guess I am missing something in the BIND configs. Please
advise me.
When you TSIG-sign your outgoing dig query, are you using *exactly* the
same key file, via "-k", as named itself uses when it authenticates the
incoming zone transfer requests?
If you're using "-y", you're presumably typing out the key name and key
secret on the command line, and it's very easy to screw that up. Just
saying...
Failing that, one interesting experiment would be to try a zone transfer
in the opposite direction, using dig. Does that work?
Lastly, is it possible that your box is multi-homed and the other server
is expecting a different TSIG key for DNS transactions sourced from a
different address than the one it uses for zone transfers? The answer to
this question may get rather complicated if any NAT'ing is involved, of
course...
- Kevin
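The distinction Kevin is probing (same key name but a different secret, versus a key the peer does not know at all) is exactly what the TSIG verifier on the receiving side computes. The following is an added example, not code from this thread or from BIND: it signs a minimal DNS query with HMAC-MD5 TSIG per RFC 2845 and then verifies it under several conditions, returning the status a server would put in the TSIG error field. The key name and the time-signed value are taken from the post; the secrets, the query name and the transaction ID are constructed for the demo.

```python
# Added example: RFC 2845 TSIG signing/verification over a minimal DNS query.
import base64
import hashlib
import hmac
import struct
import time

HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."   # algorithm name seen in the post's dig output
TSIG_TYPE = 250
CLASS_ANY = 255
# Constructed demo secrets (base64 of 16 bytes each); not the key from the post.
SECRET_A = "MDEyMzQ1Njc4OWFiY2RlZg=="
SECRET_B = "ZmVkY2JhOTg3NjU0MzIxMA=="


def encode_name(name):
    """Uncompressed wire format, lowercased: TSIG hashes names in canonical form."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(buf, off):
    """Read a wire-format name (following compression pointers); return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                   # pointer: name continues elsewhere
            if end is None:
                end = off + 2
            off = ((ln & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qid, qname, qtype=1):
    """Minimal recursion-desired query: header plus one question."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def _tsig_variables(keyname, alg, time_signed, fudge, error, other=b""):
    """TSIG variables appended to the message before hashing (RFC 2845 section 3.4.2)."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other))
            + other)


def tsig_sign(msg, keyname, secret_b64, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned request; the MAC covers msg + TSIG variables."""
    if time_signed is None:
        time_signed = int(time.time())
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, msg + _tsig_variables(keyname, HMAC_MD5_ALG, time_signed, fudge, 0), hashlib.md5).digest()
    qid = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(HMAC_MD5_ALG)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + struct.pack("!HHH", qid, 0, 0))          # original ID, error 0, other-len 0
    rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1    # TSIG counts as an additional RR
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed, keys, now):
    """Verify a signed request against {keyname: base64 secret}; return the TSIG status."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(signed, off)
        off += 4
    rr_start = rtype = rdata = name = None
    for _ in range(an + ns + ar):               # TSIG must be the last RR in the message
        rr_start = off
        name, off = _read_name(signed, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10
        rdata = signed[off:off + rdlen]
        off += rdlen
    if rtype != TSIG_TYPE:
        raise ValueError("message is not TSIG-signed")
    alg, p = _read_name(rdata, 0)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", rdata[p:p + 10])
    p += 10
    mac = rdata[p:p + maclen]
    p += maclen
    _, error, otherlen = struct.unpack("!HHH", rdata[p:p + 6])
    other = rdata[p + 6:p + 6 + otherlen]
    time_signed = (hi << 32) | lo
    known = {k.lower().rstrip("."): v for k, v in keys.items()}
    secret = known.get(name.lower().rstrip("."))
    if secret is None:
        return "BADKEY"                         # key name not configured on this side
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:rr_start]
    expected = hmac.new(base64.b64decode(secret),
                        unsigned + _tsig_variables(name, alg, time_signed, fudge, error, other),
                        hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"                         # name known, but secret or message differs
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


def demo():
    """Sign one query and verify it under the situations a forwarder might be in."""
    now = 1380379945                            # time-signed value from the post's dig output
    key_name = "ab.dc.example.com."             # key name from the post's config
    signed = tsig_sign(build_query(0x1234, "www.example.com."), key_name, SECRET_A, now)
    tampered = bytearray(signed)
    tampered[13] ^= 0x01                        # flip one bit inside the question name
    return {
        "same_key": tsig_verify(signed, {key_name: SECRET_A}, now),
        "same_name_wrong_secret": tsig_verify(signed, {key_name: SECRET_B}, now),
        "unknown_key_name": tsig_verify(signed, {"other.key.": SECRET_A}, now),
        "clock_skew": tsig_verify(signed, {key_name: SECRET_A}, now + 3600),
        "modified_in_transit": tsig_verify(bytes(tampered), {key_name: SECRET_A}, now),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:24s} {status}")
```

Running `demo()` shows why the log line in the post matters: BADSIG is only returned after the key name was found, so the forwarders do know a key called ab.dc.example.com but compute a different MAC, which points at a secret mismatch, a message altered between the two hosts, or (because a `server` clause with `keys` makes named sign every message to that address, not only zone transfers) a forwarder that expects a different key for ordinary queries than for transfers. BADKEY would instead mean the name itself is unknown, and BADTIME appears only once the MAC already verifies, so a skewed clock cannot be mistaken for a wrong key.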
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users