
I have a BIND server running which is authoritative for one domain, say ab.dc.example.com, and it is a forward-only DNS server. It will forward all requests other than those for ab.dc.example.com to a set of servers.

And that same set of servers that it forwards requests to will also act as slave name servers for the domain ab.dc.example.com. Basically, those servers will fetch zone transfer updates secured with TSIG.

I have secure zone transfers set up for those servers with the key statement in BIND.

Now the problem is that the secure zone transfer is happening, but normal request forwarding is not. If I disable the secure zone transfer (TSIG) for one of the slaves (which is also a server to which requests are being forwarded), forwarding works fine.

Can somebody please help me out?

My configs are shown below.

zone "somedomain.com" in {
        type master;
        file "/etc/bind/zones/master.somedomain.com";
        allow-transfer { key somedomain.com; };
        allow-query { any; };
        allow-update { key somedomain.com; };
        notify yes;
};

And my key config file containing the key statement is shown below.

key somedomain.com {
        algorithm hmac-md5;
        secret "s0G8oHowQLsdfsgdsdgsdgkngsgdslgllsdgllsdjgljlsdgjlSTWaFwp5JNaZBSN0OW4clrtHtEfFPyf3nBNY6xR+1Q==";
};
server 172.16.202.1 {
        keys {
                somedomain.com;
        };
};
server 172.16.202.2 {
        keys {
                somedomain.com;
        };
};
server 172.16.202.3 {
        keys {
                somedomain.com;
        };
};
server 172.16.202.4 {
        keys {
                somedomain.com;
        };
};

And my zone transfer is working perfectly with the above configs. But when I forward other queries, which I am not authoritative for, to the same slave IPs (172.16.202.1, 2, 3, 4), it does not work.

I have dnssec-enable yes; in my named.conf options.

The only thing I can fetch from the logs is something like the below.

;; TSIG PSEUDOSECTION:
somedomain.com 0   ANY     TSIG    hmac-md5.sig-alg.reg.int. 1380337474 300 0  22003 BADSIG 0

However, I can query those slave nameservers where I am forwarding my requests manually using dig, as shown below.

dig -y 'somedomain.com:bgsdgblsnglsnglsnghlsdnghlsdnlhn==' yahoo.com @172.16.202.1

Regards, Sarath

  • Maybe post your configs? It seems likely that you have something configured wrong, but it is hard to randomly speculate. Give us some information to work with here... – Zoredache Sep 28 '13 at 05:25
  • Yeah, my configs are below. I have a BIND DNS server, version 9.8, that has TSIG configured for zone transfer as shown below. – Sarath Sep 28 '13 at 05:30
  • What do you have defined in your `options { }` section? Do you have an `allow-recursion {}`? You mentioned you have a `forwarders { }`. – Zoredache Sep 28 '13 at 06:03
  • Yes, I have `allow-recursion { localhost; 0.0.0.0/0; };` as well as `forward only;` in my options {} – Sarath Sep 28 '13 at 06:08
  • I think that for verifying queries signed by the private key (which my forwarding servers already have), I need to place the associated public key somewhere in the BIND configs, correct? I am guessing; correct me if I am wrong. – Sarath Sep 28 '13 at 06:31
  • Can somebody please help me out regarding this? – Sarath Sep 28 '13 at 08:08
  • You are going to have to be patient. A large portion of the serverfault users live in the US, where it is night time, and the start of the weekend. – Zoredache Sep 28 '13 at 08:11
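An added example (the editor's, not part of the question or its comments) of the arrangement BIND's documentation describes for this case. A `server` statement with a `keys` clause makes named sign every request it sends to that address, forwarded recursive queries included; putting the key only in `allow-transfer { key ...; }` on the master and in `masters { <ip> key ...; }` on each slave attaches TSIG to zone transfers alone, so the forwarders receive unsigned queries. The zone name, key name and slave addresses are taken from the question; the master address 192.0.2.10, the `allow-recursion` range 172.16.0.0/12, the directory and slave file paths, and the secret placeholder are assumptions.

```conf
// Added example, not the poster's config. Placeholders are marked below.

// --- master: the authoritative, forward-only server from the question ---
key "somedomain.com" {
        // hmac-md5 is deprecated; BIND 9.8 already supports hmac-sha256.
        algorithm hmac-sha256;
        secret "REPLACE_WITH_BASE64_SECRET";   // placeholder; same value on every slave
};

options {
        directory "/var/cache/bind";           // assumed path
        forward only;
        // No server{} statement with keys{} names these addresses,
        // so queries forwarded here are sent unsigned.
        forwarders { 172.16.202.1; 172.16.202.2; 172.16.202.3; 172.16.202.4; };
        // Assumed client range; 0.0.0.0/0 would make this an open resolver.
        allow-recursion { localhost; 172.16.0.0/12; };
};

zone "somedomain.com" in {
        type master;
        file "/etc/bind/zones/master.somedomain.com";
        allow-transfer { key "somedomain.com"; };   // TSIG required only here
        allow-update { key "somedomain.com"; };
        allow-query { any; };
        notify yes;
};

// --- each slave (172.16.202.x) ---
key "somedomain.com" {
        algorithm hmac-sha256;
        secret "REPLACE_WITH_BASE64_SECRET";   // identical to the master's secret
};

zone "somedomain.com" in {
        type slave;
        file "/var/cache/bind/slave.somedomain.com";   // assumed path
        // The key is bound to the transfer source, not to all traffic to it.
        masters { 192.0.2.10 key "somedomain.com"; };  // 192.0.2.10 is a placeholder master address
        allow-transfer { none; };
};
```

TSIG is a symmetric scheme: both ends hold the same secret and there is no public key to publish anywhere. TSIG error 16 in a response, as in the logged pseudosection, is BADSIG, meaning the responder could not verify the signature using the key of that name. Restricting `allow-recursion` to the networks that are meant to use the forwarder is the usual fix for an open resolver.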
