On 9/28/2013 12:31 PM, sar...@slashroot.in wrote:
Hi Team,

I have an architecture where I have one BIND server that is forward-only and is authoritative for a domain ab.dc.example.com. It should forward all requests other than those it is authoritative for (ab.dc.example.com) to a set of servers.

Requests will get forwarded to:
172.16.202.1
172.16.202.2
172.16.203.3
172.16.204.4

And the second point is that this same set of servers, to which requests are being forwarded, are also slave servers for the domain ab.dc.example.com (so they will be fetching zone transfer updates as well).
I have TSIG with HMAC-MD5 keys generated for secure zone transfers.

key ab.dc.example.com {
        algorithm hmac-md5;
        secret "s0G8oHowQLWoS6FvOV2W6zKNAv+sC7f2hdJclrtHtEfFPyf3nBNY6xR+1Q==";
};
server 172.16.202.1 {
        keys {
                ab.dc.example.com;
        };
};
server 172.16.202.2 {
        keys {
                ab.dc.example.com;
        };
};
server 172.16.202.3 {
        keys {
                ab.dc.example.com;
        };
};
server 172.16.202.4 {
        keys {
                ab.dc.example.com;
        };
};


And I have my forwarders set to the same set of servers above. My BIND options clause is shown below.

        forwarders { 172.16.202.1; 172.16.202.2; 172.16.202.3; 172.16.202.4; };
        forward only;
        allow-query { any; };
        allow-transfer { none; };
        allow-recursion { localhost; 0.0.0.0/0; };
        dnssec-validation no;
        dnssec-enable yes;

Note: I don't have direct access to those 4 servers (they are slaves for the domain for which I am authoritative). The zone transfer is working perfectly with the above configs, but normal dig queries are not working as required. What I could make out from the logs is shown below.

;; TSIG PSEUDOSECTION:
0 ANY TSIG hmac-md5.sig-alg.reg.int. 1380379945 300 0 55359 BADSIG 0

However, if I query those same servers to which I am forwarding my DNS requests, with the key option in the dig command, I do get the desired proper output. I guess I am missing something in the BIND configs. Please advise me.

When you TSIG-sign your outgoing dig query, are you using *exactly* the same key file, via "-k", as named itself uses when it authenticates the incoming zone transfer requests?

If you're using "-y", you're presumably typing out the key name and key secret on the command line, and it's very easy to screw that up. Just saying...

Failing that, one interesting experiment would be to try a zone transfer in the opposite direction, using dig. Does that work?

Lastly, is it possible that your box is multi-homed and the other server is expecting a different TSIG key for DNS transactions sourced from a different address than the one it uses for zone transfers? The answer to this question may get rather complicated if any NAT'ing is involved, of course...

                            - Kevin
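Kevin's first two points come down to whether the signer and the verifier hold byte-for-byte the same key. As an added example (not from the thread or from BIND itself), the following Python computes the TSIG HMAC-MD5 MAC over a constructed DNS query the way RFC 2845 describes it, then verifies it with a second copy of the key: a secret that differs by a single character fails verification, which is exactly the condition a server reports back as BADSIG. The key name, secret and query name below are constructed placeholders, not the values from the thread.

```python
import base64
import hmac
import struct

# Constructed placeholders for this example: not the key or hosts from the thread.
KEY_NAME = "ab.dc.example.com."
KEY_SECRET_B64 = "dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHRlc3Qgc2VjcmV0"
TSIG_ALG = "hmac-md5.sig-alg.reg.int."  # algorithm name seen in the thread's log line

def wire_name(name):
    """Encode a domain name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, msg_id=0x1234):
    """Minimal unsigned DNS message: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", 1, 1)

def tsig_mac(message, key_name, secret_b64, time_signed, fudge=300):
    """HMAC-MD5 TSIG MAC (RFC 2845 section 3.4): the digest covers the unsigned
    message followed by the TSIG variables in wire form (key name, class ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error 0, other-len 0).
    The key name is digested too, so both peers must agree on it."""
    variables = (wire_name(key_name)
                 + struct.pack("!HI", 255, 0)
                 + wire_name(TSIG_ALG)
                 + struct.pack("!Q", time_signed)[2:]
                 + struct.pack("!HHH", fudge, 0, 0))
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message + variables, "md5").digest()

def verify(message, key_name, secret_b64, time_signed, received_mac, fudge=300):
    """What the receiving server does: recompute the MAC with its own copy of
    the key and compare. A mismatch is what it reports back as BADSIG."""
    expected = tsig_mac(message, key_name, secret_b64, time_signed, fudge)
    return hmac.compare_digest(expected, received_mac)

def same_key_on_both_sides(signer_secret_b64, peer_secret_b64, key_name=KEY_NAME):
    """Sign a constructed query with one secret and verify it with another;
    True only when the two sides really share the same key material."""
    msg = build_query("www.example.net")
    t = 1380379945  # the 'time signed' value from the BADSIG line in the thread
    mac = tsig_mac(msg, key_name, signer_secret_b64, t)
    return verify(msg, key_name, peer_secret_b64, t, mac)
```

Feeding the secret from the dig key file and the secret from named.conf into same_key_on_both_sides() is a quick offline way to confirm the two really match before chasing multi-homing or NAT explanations.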

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users