Hi all
Due to circumstances beyond my control a remote partner needs to use a 9.9.9
version of bind and we are required to use HMAC-MD5 for zone transfers. There
is no (big) security concern since the networks are isolated and not exposed to
the larger Internet.
When the secondary requests an AXFR I see:
client @0xxxxxxxxxxxxx nnn.nnn.nnn.nnn#xxxxxx: request has invalid signature:
TSIG <KEY>: tsig verify failure (BADSIG)
Doing a dig directly (with the same key) I get the zone:
client @0xxxxxxxxxxxxx nnn.nnn.nnn.nnn#xxxxxx /key <KEY> (zone.tld): transfer
of 'zone.tld/IN': AXFR started: TSIG <KEY> (serial nnnn)
Is there any known incompatibilities - preferably with workarounds :) - that
anyone knows about?
I apologize in advance if the info is lacking but here are, what I consider,
the relevant parts from named.conf:
key "<KEY>." {
algorithm hmac-md5;
secret "XXXXXXXXXXXXXXXXXXXXXX";
};
acl servers {
nnn.nnn.nnn.nnn;
nnn.nnn.nnn.nnn;
nnn.nnn.nnn.nnn;
};
acl transfer {
!servers;
!localhost;
!nnn.nnn.nnn.nnn;
any;
};
zone "zone.tld." IN {
type master;
file "/etc/bind/zones/zone.file";
allow-transfer { !transfer; key <KEY>.; };
};
Again - sorry if this is insufficient information.
It could be as simple as the remote not having everything in order but they
swear up and down that they have checked, doublechecked and enlisted multiple
persons in doing the checks.
I would appreciate any and all hints even if they are farfetched.
Best Regards
Patrik Graeser
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
