[Opendnssec-user] zonefetch.xml with TSIG

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Mar 3 14:09:57 UTC 2010


Hi Pierre,

hmac-md5 is not a valid algorithm identifier.
Please use hmac-md5.sig-alg.reg.int

I'll add code that accepts the string 'hmac-md5' in the zonefetch as well.

Best regards,

Matthijs

Pierre LEBRECH wrote:
> Thanks Matthijs,
> 
> Here is what the log tells:
> 
> ############################ snip
> Mar  3 10:55:27 rdb zone_fetcher: zone fetcher received NOTIFY for zone titi.fr
> Mar  3 10:55:27 rdb zone_fetcher: zone fetcher failed to start axfr: Could not create TSIG signature
> Mar  3 10:55:27 rdb zone_fetcher: AXFR for zone 'titi.fr' failed
> ############################ snip
> 
> The BIND used is 9.6.1-P3
> 
> 
> Matthijs Mekking wrote :
>> There is a statement in the KNOWN_ISSUES file about TSIG
>> incompatibility, due to BIND9's cryptographic library. However, that
>> should not affect MD5.
>>
>> Does the syslog inform you why the transfer failed?
>> Can you perhaps share the zonefetch.xml (off list)?
>>
>> Best regards,
>>
>> Matthijs Mekking
>> NLnet Labs
>>
>> Pierre LEBRECH wrote:
>>> Hello,
>>> When I configure ODS to make AXFR without TSIG, zone_fetcher can
>>> transfer the zone. But if I use TSIG, it can not.
>>>
>>> I tried a manual dig with TSIG and it worked, but within ODS it didn't.
>>> So, where should I look to correct this?
>>> Here is my TSIG statement within zonefetch.xml :
>>> <TSIG>
>>>      <Name>hidden-ods</Name>
>>>      <Algorithm>hmac-md5</Algorithm>
>>>      <Secret>y7ZSL+SXOglczotXGiYxTS2zhMu34QnjCGx0aYg4TqjOyrEsuL9+ZsmLhaHB/QJQeoU63mOyVeqtfTwBxU8oxA==</Secret>
>>> </TSIG>
>>> The name "hidden-ods" is the BIND TSIG key name.
>>> Thanks
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> Opendnssec-user at lists.opendnssec.org
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user


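Added example (not part of the original message and not OpenDNSSEC code): a pre-flight check for the <TSIG> elements of a zonefetch.xml that catches the short 'hmac-md5' name discussed in this thread before the zone fetcher fails on it. The set of accepted names comes from RFC 2845 and RFC 4635 and is an assumption about what the zone fetcher supports; the <ZoneFetch> wrapper, the 'bad-secret' key and the secrets in the sample are constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Names registered by RFC 2845 and RFC 4635 (assumption: the RFC list,
# not the zone fetcher's own table of supported algorithms).
RFC_TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int",
    "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512",
}
# Short form rejected in the thread, mapped to the identifier to use instead.
SHORT_FORMS = {"hmac-md5": "hmac-md5.sig-alg.reg.int"}

# Constructed sample: wrapper element, 'bad-secret' key and secrets are made up.
SAMPLE = """<ZoneFetch>
  <TSIG><Name>hidden-ods</Name><Algorithm>hmac-md5</Algorithm>
        <Secret>Y29uc3RydWN0ZWQ=</Secret></TSIG>
  <TSIG><Name>bad-secret</Name><Algorithm>hmac-sha256</Algorithm>
        <Secret>not base64!</Secret></TSIG>
</ZoneFetch>"""


def check_tsig(xml_text):
    """Return a list of problems found in the <TSIG> elements of xml_text."""
    problems = []
    for tsig in ET.fromstring(xml_text).iter("TSIG"):
        name = (tsig.findtext("Name") or "").strip() or "<unnamed>"
        algo = (tsig.findtext("Algorithm") or "").strip()
        secret = (tsig.findtext("Secret") or "").strip()
        if algo in SHORT_FORMS:
            problems.append(f"{name}: '{algo}' is not a valid algorithm "
                            f"identifier, use '{SHORT_FORMS[algo]}'")
        elif algo not in RFC_TSIG_ALGORITHMS:
            problems.append(f"{name}: unknown algorithm '{algo}'")
        # The secret must decode as strict base64 and must not be empty.
        try:
            if not base64.b64decode(secret, validate=True):
                problems.append(f"{name}: <Secret> is empty")
        except binascii.Error:
            problems.append(f"{name}: <Secret> is not valid base64")
    return problems


if __name__ == "__main__":
    for line in check_tsig(SAMPLE):
        print(line)
```
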

