[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

Havard Eidnes he at uninett.no
Sun Dec 25 22:41:30 UTC 2016

> From shell on the same box, a cmd-line transfer request
> 	dig -b axfr example.com @

This one doesn't use TSIG.  If it did, you'd be using the -y option.

> In opendnssec's addns.xml, I've config'd,
> 	<?xml version="1.0" encoding="UTF-8"?>
> 	<Adapter>
> 		<DNS>
> 			<TSIG>
> 				<Name>ods-key</Name>
> 				<Algorithm>hmac-sha256</Algorithm>
> 				<Secret>xxx...xxx</Secret>
> 			</TSIG>

You've configured OpenDNSSEC to use TSIG.  You then need to make
the corresponding configuration on your BIND name server to
recognize that key, in the form

key ods-key {
    algorithm hmac-sha256;
    secret "xxx...xxx";

> 	Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com received error code NOTAUTH from

This is a hint.

> 	Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com, from has tsig error (Bad Key)

And this is the smoking gun.


- Håvard

More information about the Opendnssec-user mailing list