[Opendnssec-user] zonefetch.xml with TSIG

Pierre LEBRECH pierre.lebrech at laposte.net
Wed Mar 10 08:44:49 UTC 2010


Hello Matthijs,

yes, "hmac-md5.sig-alg.reg.int" works far better...
So, now, TSIG works, thanks.


On Wed, Mar 03, 2010 at 03:09:57PM +0100, Matthijs Mekking wrote:
> 
> Hi Pierre,
> 
> hmac-md5 is not a valid algorithm identifier.
> Please use hmac-md5.sig-alg.reg.int
> 
> I'll add code that accepts the string 'hmac-md5' in the zonefetch as well.
> 
> Best regards,
> 
> Matthijs
> 
> Pierre LEBRECH wrote:
> > Thanks Matthijs,
> > 
> > here is what the log tells:
> > 
> > ############################ snip
> > Mar  3 10:55:27 rdb zone_fetcher: zone fetcher received NOTIFY for zone titi.fr
> > Mar  3 10:55:27 rdb zone_fetcher: zone fetcher failed to start axfr: Could not create TSIG signature
> > Mar  3 10:55:27 rdb zone_fetcher: AXFR for zone 'titi.fr' failed
> > ############################ snip
> > 
> > The BIND used is 9.6.1-P3
> > 
> > 
> > Matthijs Mekking wrote:
> >> There is a statement in the KNOWN_ISSUES file about TSIG
> >> incompatibility, due to BIND9's cryptographic library. However, that
> >> should not affect MD5.
> >>
> >> Does the syslog inform you why the transfer failed?
> >> Can you perhaps share the zonefetch.xml (off list)?
> >>
> >> Best regards,
> >>
> >> Matthijs Mekking
> >> NLnet Labs
> >>
> >> Pierre LEBRECH wrote:
> >>> Hello,
> >>> When I configure ODS to make AXFR without TSIG, zone_fetcher can
> >>> transfer the zone. But if I use TSIG, it cannot.
> >>>
> >>> I tried a manual dig with TSIG and it worked, but within ODS it didn't.
> >>> So, where should I look to correct this?
> >>> Here is my TSIG statement within zonefetch.xml:
> >>> <TSIG>
> >>>      <Name>hidden-ods</Name>
> >>>      <Algorithm>hmac-md5</Algorithm>
> >>>      <Secret>y7ZSL+SXOglczotXGiYxTS2zhMu34QnjCGx0aYg4TqjOyrEsuL9+ZsmLhaHB/QJQeoU63mOyVeqtfTwBxU8oxA==</Secret>
> >>> </TSIG>
> >>> The name "hidden-ods" is the BIND TSIG key name.
> >>> Thanks
> >>> _______________________________________________
> >>> Opendnssec-user mailing list
> >>> Opendnssec-user at lists.opendnssec.org
> >>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> > 
> 

-- 
*****************************
Richard NAGY
Nameshield
27 rue des Arènes
F-49100 Angers
Tel: +33 2 41 18 28 28
Fax: +33 2 41 18 28 29
*****************************
GnuPG fingerprint:
143C 5220 45CA 2C7F 24C8 6811 E859 C2CA BECB 2EC0
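
A pre-flight check for the problem resolved in this thread, added here as an example and not part of the original messages or of OpenDNSSEC: it scans every `<TSIG>` element in a zonefetch.xml and reports algorithm names that are not registered TSIG identifiers, and secrets that are not valid base64. Assumptions: the accepted names are the IANA TSIG algorithm names (RFC 2845, RFC 4635), not a list taken from OpenDNSSEC itself, and the sample document, its wrapper element and its secrets are constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# TSIG algorithm names from the IANA registry (RFC 2845, RFC 4635).
# Assumption: this is not OpenDNSSEC's own list of accepted names.
REGISTERED = {
    "hmac-md5.sig-alg.reg.int", "hmac-sha1", "hmac-sha224",
    "hmac-sha256", "hmac-sha384", "hmac-sha512", "gss-tsig",
}
# Short names that look right but are not the registered identifier.
SUGGEST = {"hmac-md5": "hmac-md5.sig-alg.reg.int"}


def check_tsig(xml_text):
    """Return (key_name, problem) tuples for every <TSIG> element found."""
    problems = []
    for tsig in ET.fromstring(xml_text).iter("TSIG"):
        name = (tsig.findtext("Name") or "").strip() or "<unnamed>"
        alg = (tsig.findtext("Algorithm") or "").strip().rstrip(".").lower()
        # E-mail and editor wrapping can leave whitespace inside the secret.
        secret = "".join((tsig.findtext("Secret") or "").split())
        if alg not in REGISTERED:
            msg = f"unknown algorithm '{alg}'"
            if alg in SUGGEST:
                msg += f", use '{SUGGEST[alg]}'"
            problems.append((name, msg))
        try:
            if not base64.b64decode(secret, validate=True):
                problems.append((name, "empty secret"))
        except binascii.Error:
            problems.append((name, "secret is not valid base64"))
    return problems


# Constructed sample: wrapper element, key names and secrets are made up.
SAMPLE = """<ZoneFetch>
  <TSIG><Name>hidden-ods</Name><Algorithm>hmac-md5</Algorithm>
        <Secret>Y29uc3RydWN0ZWQtc2VjcmV0</Secret></TSIG>
  <TSIG><Name>good-key</Name><Algorithm>hmac-md5.sig-alg.reg.int</Algorithm>
        <Secret>Y29uc3RydWN0ZWQtc2VjcmV0</Secret></TSIG>
  <TSIG><Name>bad-secret</Name><Algorithm>hmac-sha256</Algorithm>
        <Secret>not base64!</Secret></TSIG>
</ZoneFetch>"""

if __name__ == "__main__":
    for key, problem in check_tsig(SAMPLE):
        print(f"{key}: {problem}")
```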


