[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?
PGNet Dev
pgnet.dev at gmail.com
Sun Dec 25 20:11:47 UTC 2016
I'm running ods2, setting up for AXFR zone transfer from a Bind9 instance.
The bind9 server listens at
telnet 127.0.0.1 53
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
From shell on the same box, a cmd-line transfer request
dig -b 127.0.0.1 axfr example.com @127.0.0.1
correctly returns
; <<>> DiG 9.11.0-P1 <<>> -b 127.0.0.1 axfr example.com @127.0.0.1
;; global options: +cmd
example.com. 5 IN SOA dns.example.com. adm.example.com. 1482370103 7200 1800 604800 5
...
and in my bind9 xfer logs, set to debug loglevel
...
category xfer-in { loglevel_debug; };
category xfer-out { loglevel_debug; };
category notify { loglevel_debug; };
category network { loglevel_debug; };
...
I see the OK start/end of the xfer,
...
Dec 25 11:44:11 dns named[28511]: 25-Dec-2016 11:44:11.600 xfer-out: info: client @0x7fb168074aa0 127.0.0.1#56479 (example.com): view internal: transfer of 'example.com/IN': AXFR started (serial 1482370103)
Dec 25 11:44:11 dns named[28511]: 25-Dec-2016 11:44:11.601 xfer-out: info: client @0x7fb168074aa0 127.0.0.1#56479 (example.com): view internal: transfer of 'example.com/IN': AXFR ended
...
and watching
tcpdump -i lo port 53
I see the full transaction traffic.
In opendnssec's addns.xml, I've config'd,
<?xml version="1.0" encoding="UTF-8"?>
<Adapter>
    <DNS>
        <TSIG>
            <Name>ods-key</Name>
            <Algorithm>hmac-sha256</Algorithm>
            <Secret>xxx...xxx</Secret>
        </TSIG>
        <Inbound>
            <!-- Address of host to request XFR from -->
            <RequestTransfer>
                <!-- EXAMPLE: send request to 1.2.3.4 on the default port 53 -->
                <Remote>
                    <Address>127.0.0.1</Address>
                    <Port>53</Port>
                    <Key>ods-key</Key>
                </Remote>
            </RequestTransfer>
        </Inbound>
    </DNS>
</Adapter>
When I exec
/usr/local/opendnssec/sbin/ods-enforcer zone add \
--zone example.com \
--policy lab \
--in-type DNS \
--input /usr/local/etc/opendnssec/addns.xml
The axfr is attempted, but fails,
...
Dec 25 11:41:10 dns ods-enforcerd: [zone_add_cmd] zone example.com added [policy: lab]
Dec 25 11:41:10 dns ods-enforcerd: INFO: The XML in /var/opendnssec/enforcer/zones.xml is valid
Dec 25 11:41:10 dns ods-enforcerd: INFO: The XML in /var/opendnssec/enforcer/zones.xml.update is valid
Dec 25 11:41:10 dns ods-enforcerd: [zone_add_cmd] internal zonelist updated successfully
Dec 25 11:41:10 dns ods-enforcerd: 1 zone(s) found on policy "lab"
Dec 25 11:41:10 dns ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 1 zones covering 86400 seconds, generating 1 keys for policy lab
Dec 25 11:41:10 dns ods-enforcerd: 1 new KSK(s) (256 bits) need to be created.
Dec 25 11:41:11 dns ods-enforcerd: 1 zone(s) found on policy "lab"
Dec 25 11:41:11 dns ods-enforcerd: [hsm_key_factory_generate] 6 keys needed for 1 zones covering 86400 seconds, generating 6 keys for policy lab
Dec 25 11:41:11 dns ods-enforcerd: 6 new ZSK(s) (256 bits) need to be created.
Dec 25 11:41:13 dns ods-enforcerd: [enforcer] update zone: example.com
Dec 25 11:41:15 dns ods-enforcerd: 1 zone(s) found on policy "lab"
Dec 25 11:41:15 dns ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 1 zones covering 86400 seconds, generating 1 keys for policy lab
Dec 25 11:41:15 dns ods-enforcerd: 1 new KSK(s) (256 bits) need to be created.
Dec 25 11:41:15 dns ods-enforcerd: 1 zone(s) found on policy "lab"
Dec 25 11:41:15 dns ods-enforcerd: [hsm_key_factory_generate] 6 keys needed for 1 zones covering 86400 seconds, generating 1 keys for policy lab
Dec 25 11:41:15 dns ods-enforcerd: 1 new ZSK(s) (256 bits) need to be created.
Dec 25 11:41:16 dns ods-enforcerd: [signconf_cmd] performing signconf for zone example.com
Dec 25 11:41:16 dns ods-enforcerd: [signconf_cmd] signconf done for zone example.com, notifying signer
Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com request axfr to 127.0.0.1
Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com received error code NOTAUTH from 127.0.0.1
Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com, from 127.0.0.1 has tsig error (Bad Key)
Dec 25 11:41:16 dns ods-signerd: [xfrd] unable to process tsig: xfr zone example.com from 127.0.0.1 has bad tsig signature
Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com received bad tsig from 127.0.0.1
Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com request axfr to 127.0.0.1
Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com received error code NOTAUTH from 127.0.0.1
Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com, from 127.0.0.1 has tsig error (Bad Key)
Dec 25 11:41:16 dns ods-signerd: [xfrd] unable to process tsig: xfr zone example.com from 127.0.0.1 has bad tsig signature
Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com received bad tsig from 127.0.0.1
Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com request axfr to 127.0.0.1
Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com received error code NOTAUTH from 127.0.0.1
Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com, from 127.0.0.1 has tsig error (Bad Key)
Dec 25 11:41:16 dns ods-signerd: [xfrd] unable to process tsig: xfr zone example.com from 127.0.0.1 has bad tsig signature
Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com received bad tsig from 127.0.0.1
Dec 25 11:41:24 dns ods-signerd: [tools] unable to read zone example.com: adapter failed (Incoming zone transfer not ready)
Dec 25 11:41:24 dns ods-signerd: back-off task [read] for zone example.com with 60 seconds
and there's no trace of it in the Bind9 xfer logs ...
nor any output at all at
tcpdump -i lo port 53
i.e., it _appears_ as if no request is actually initiated/sent.
Is there additional config needed? Or is this a known bug? Or something else entirely ... ?
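Added example (not part of the post or of OpenDNSSEC): a small Python check that reads the TSIG and inbound-transfer settings from an addns.xml like the one above, builds the equivalent TSIG-signed `dig` request and the BIND 9 `key` clause that must match it, and flags config-side mismatches. The embedded XML is a constructed sample with a placeholder secret, not the poster's key.

```python
"""Reproduce the signer's TSIG-signed AXFR by hand from addns.xml settings.
The XML below is a constructed sample; the secret is a placeholder, not a real key."""
import base64
import binascii
import xml.etree.ElementTree as ET

SAMPLE_ADDNS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Adapter><DNS>
  <TSIG><Name>ods-key</Name><Algorithm>hmac-sha256</Algorithm>
        <Secret>bm90YXJlYWxrZXkh</Secret></TSIG>
  <Inbound><RequestTransfer><Remote>
    <Address>127.0.0.1</Address><Port>53</Port><Key>ods-key</Key>
  </Remote></RequestTransfer></Inbound>
</DNS></Adapter>"""

def load_tsig_transfer(xml_text):
    """Pull the TSIG key and the inbound transfer source out of addns.xml."""
    root = ET.fromstring(xml_text)
    tsig = root.find("./DNS/TSIG")
    remote = root.find("./DNS/Inbound/RequestTransfer/Remote")
    if tsig is None or remote is None:
        raise ValueError("addns.xml lacks <TSIG> or <Inbound>/<RequestTransfer>/<Remote>")
    return {"name": tsig.findtext("Name"), "algorithm": tsig.findtext("Algorithm"),
            "secret": tsig.findtext("Secret"), "address": remote.findtext("Address"),
            "port": remote.findtext("Port") or "53", "remote_key": remote.findtext("Key")}

def check_config(cfg):
    """Config-side mismatches. Per RFC 8945 section 5.3 a server answers NOTAUTH with
    TSIG error BADKEY for a key name/algorithm it does not know, and BADSIG when the
    key is known but the secret (and so the MAC) differs."""
    problems = []
    if cfg["remote_key"] != cfg["name"]:
        problems.append("Remote <Key> %r != TSIG <Name> %r" % (cfg["remote_key"], cfg["name"]))
    try:
        if not base64.b64decode(cfg["secret"], validate=True):
            problems.append("TSIG <Secret> decodes to zero bytes")
    except (binascii.Error, ValueError):
        problems.append("TSIG <Secret> is not valid base64")
    return problems

def dig_command(cfg, zone):
    """The same TSIG-signed AXFR the signer sends, as a dig invocation to run by hand."""
    return "dig -y %s:%s:%s -p %s axfr %s @%s" % (
        cfg["algorithm"], cfg["name"], cfg["secret"], cfg["port"], zone, cfg["address"])

def bind_key_clause(cfg):
    """Key statement named.conf needs; the zone also needs allow-transfer { key NAME; }."""
    return 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};' % (
        cfg["name"], cfg["algorithm"], cfg["secret"])
```

Running the printed `dig` line against the same 127.0.0.1:53 shows whether BIND accepts this exact key name, algorithm and secret, independently of the signer, and whether the request shows up in `tcpdump -i lo port 53`.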