[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

PGNet Dev pgnet.dev at gmail.com
Sun Dec 25 23:51:13 UTC 2016

On 12/25/2016 02:41 PM, Havard Eidnes wrote:
>> From shell on the same box, a cmd-line transfer request
>> 	dig -b axfr example.com @
> This one doesn't use TSIG.  If it did, you'd be using the -y option.

Actually, that was simply to verify AXFR transferability & connection ...

>From cmd line @ shell,

 dig -b axfr example.com @ -y hmac-sha256:ods-key:xxx...xxx

works as well.

AND, I see the traffic in tcpdump, as above.

> You've configured OpenDNSSEC to use TSIG.  You then need to make
> the corresponding configuration on your BIND name server to
> recognize that key, in the form
> key ods-key {
>     algorithm hmac-sha256;
>     secret "xxx...xxx";
> };

Yes, and it's included.  I transfer to/from other nameservers, using other keys, with no issue.

>> 	Dec 25 11:41:16 dns ods-signerd: [xfrd] bad packet: zone example.com received error code NOTAUTH from
> This is a hint.
>> 	Dec 25 11:41:16 dns ods-signerd: [xfrd] zone example.com, from has tsig error (Bad Key)
> And this is the smoking gun.

I'm not convinced that it is.

I'd expect that there's SOME traffic shown via tcpdump in the ods2 usages case, EVEN IF it's NOTAUTH'd.  Unfortunately, it's not.

Unless there's a reason I've missed/misunderstood why traffic WOULD show up when invoking AXFR from the cmd line, but not when invoked by ODS2 ...

More information about the Opendnssec-user mailing list