Thanks a lot! I spent almost a day on testing different configurations
and key names (examples often use fqdns for the key names and I thought
this might be the cause of the problem).
I suppose I would eventually have found out about this if the response
had been BADSIG (as described here
http
On 17/01/2024 18:18, Michael Lipp wrote:
Hi Michael,
I have defined a key in named.conf:
|key "acme-dns01" { algorithm hmac-sha256; secret
"+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E="; };|
Your key algorithm is hmac-sha256, but see below...
[snip]
I'm using the key in a |grant| (but th
t is sent
as expected:
|;; TSIG PSEUDOSECTION: acme-dns01. 0 ANY TSIG hmac-md5.sig-alg.reg.int.
1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0 |
But I get a |BADKEY| in the response, which means that the key is
unknown <https://bind9.readthedocs.io/en/v9.16.42/advanced.html#
On 06/10/2014 08:56 AM, Mohammed Ejaz wrote:
Any help would be highly appreciated.
Switch to BlueCat which does all communication with TSIG by default? :)
Sorry, couldn't resist ...
Doug
___
Please visit https://lists.isc.org/mailman/listinfo/bind
In message <032d01cf84c4$93869180$ba93b480$@cyberia.net.sa>, "Mohammed Ejaz" writes:
>
> I have info blox DNS appliance and slave is BIND
> 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4, now the problem is "Zone transfer
> wont happening" when I am enabling
If it was and is now no longer working, re-sync/reset your clock on the
machine. TSIG needs the clocks (your PC time) correct to within 5
minutes.
On Tue, 2014-06-10 at 18:56 +0300, Mohammed Ejaz wrote:
<#secret "ODvOnAg9F2j2Y09jTQ
I have info blox DNS appliance and slave is BIND
9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4, now the problem is "Zone transfer
wont happening" when I am enabling Tsig key at master server of infoblox.
It gives you the error like " client request has invalid signature tsig
tranf
On 16/05/2012 21:52, Saif Ahmed wrote:
> Hi,
>
> We have multiple slaves serving our zone,
>
> Is it possible to configure a different TSIG key for each slave to allow AXFR
> of our zones?
>
> Could anyone advise if yes, and how to configure it?
Hi Saif,
You can use som
Hi,
We have multiple slaves serving our zone,
Is it possible to configure a different TSIG key for each slave to allow AXFR
of our zones?
Could anyone advise if yes, and how to configure it?
Thanks
Eng.Saif Ahmed
Network and O.S Supervisor
Communications and Media Commission (CMC
On Tue, Jan 18, 2011 at 02:18:53PM +0800,
p...@mail.nsbeta.info wrote
a message of 11 lines which said:
> How to query for a A or CNAME record with TSIG key?
[A records are quite outdated in 2011. I'll use ]
dig -y hmac-sha1:name-of-the-key:iGSDB9st...Ra9JQ @the.name.ser
Hi,
How to query for a A or CNAME record with TSIG key?
I want to test the different rrdate for a domain name in different views.
Thanks.
Mark Elkins wrote:
> Don't think TSIG Key roll-over is possible - in the DNSSEC sense. Don't
> think it is as necessary either. I have separate TSIG relationships
> between my Primary and Secondary peers. I use the same TSIG for all
> zones that are on both peers - the TSIG
Don't think TSIG Key roll-over is possible - in the DNSSEC sense. Don't
think it is as necessary either. I have separate TSIG relationships
between my Primary and Secondary peers. I use the same TSIG for all
zones that are on both peers - the TSIG is to secure the path between
the tw
RFC 2385 quote -
>
> but again the documentation indicates: "Multiple keys may be present,
> but only the first is used."
Which only applies to control channels keys.
> So, to coordinate the retirement of an old TSIG key a
on how to
distribute secrets. Secrets should never be shared by more than two
entities.
RFC 2385 quote -
but again the documentation indicates: "Multiple keys may be present,
but only the first is used."
So, to coordinate the retir
wants the "mynet.private" file!
>
> The nsupdate manpages mentions this behaviour in the "BUGS" section:
>
> | BUGS
> | The TSIG key is redundantly stored in two separate files. This
> | is a consequence of nsupdate using the DST library for it
aviour in the "BUGS" section:
| BUGS
| The TSIG key is redundantly stored in two separate files. This
| is a consequence of nsupdate using the DST library for its
| cryptographic operations, and may change in future releases.
Maybe the dig manpage should, too, until
After some experimenting, here is the whole answer, hinted at by one
response on this mailing list.
On Thu, Jul 30, 2009 at 05:40:54PM -0400, Joseph S D Yao wrote:
...
> In dig(1), the '-k' option is said to require a "TSIG key file" as an
> option. I have a TSIG file
On Sat, Aug 01, 2009 at 08:07:16AM +1000, Mark Andrews wrote:
...
> Network Working Group                                    D. Eastlake 3rd
> Request for Comments: 4635                         Motorola Laboratories
> Category: Standards Track                                    August 2006
...
Ya
In message <20090731171804.b23...@gwyn.tux.org>, Joseph S D Yao writes:
> On Fri, Jul 31, 2009 at 03:32:48PM +1000, Mark Andrews wrote:
> > In message <20090730174054.h23...@gwyn.tux.org>, Joseph S D Yao writes:
> ...
> > > Plus, I'm curious to know what 'dig -k' really wants to see.
> >
> > A ke
On Fri, Jul 31, 2009 at 01:43:58PM +0200, Mark Elkins wrote:
> On Thu, 2009-07-30 at 17:40 -0400, Joseph S D Yao wrote:
>
> > What does work is:
> > dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone
> > @other.example.zone
> > but I really, really find this not altogether pleasant.
>
> T
On Fri, Jul 31, 2009 at 03:32:48PM +1000, Mark Andrews wrote:
> In message <20090730174054.h23...@gwyn.tux.org>, Joseph S D Yao writes:
...
> > Plus, I'm curious to know what 'dig -k' really wants to see.
>
> A keyfile as generated by "dnssec-keygen -a HMAC-*".
...
Of which there are two - a .key
On Thu, 2009-07-30 at 17:40 -0400, Joseph S D Yao wrote:
> What does work is:
> dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone
> @other.example.zone
> but I really, really find this not altogether pleasant.
This gets a bit more funky when you are not using the default
key-algorithm
In message <20090730174054.h23...@gwyn.tux.org>, Joseph S D Yao writes:
> I assume someone can answer this; but Google has not been able to be my
> friend on this one.
>
> In dig(1), the '-k' option is said to require a "TSIG key file" as an
> option.
I assume someone can answer this; but Google has not been able to be my
friend on this one.
In dig(1), the '-k' option is said to require a "TSIG key file" as an
option. I have a TSIG file with a comment header and the following:
key mynet. { algorithm hmac-md5; secret