[Opendnssec-user] ods2 AXFR request to nameserver fails, reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen?
PGNet Dev
pgnet.dev at gmail.com
Tue Dec 27 00:52:35 UTC 2016
I'm losing track of all my own attempts :-/ So a quick summary:
I've set up my bind9 server to listen on 10.1.1.53 & 127.0.0.1.
Transfers are ONLY allowed with TSIG. Testing from a shell on the same box,
dig -b 127.0.0.1 axfr example.com @127.0.0.1
; <<>> DiG 9.11.0-P1 <<>> -b 127.0.0.1 axfr example.com @127.0.0.1
;; global options: +cmd
; Transfer failed.
dig -b 127.0.0.1 axfr example.com @127.0.0.1 -k /usr/local/etc/named/keys/ods.key
; <<>> DiG 9.11.0-P1 <<>> -b 127.0.0.1 axfr example.com @127.0.0.1 -k /usr/local/etc/named/keys/ods.key
...
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 26 16:24:32 PST 2016
;; XFR size: 19 records (messages 1, bytes 1902)
Since ODS2 is on the same box, it should be communicating for AXFR only on localhost. It is, with config
cat conf.xml
...
<Signer>
<Listener>
<Interface>
<Address>127.0.0.1</Address>
<Port>15354</Port>
</Interface>
<Interface>
<Address>10.1.1.53</Address>
<Port>15354</Port>
</Interface>
</Listener>
<Privileges>
...
and
cat addns.xml
<?xml version="1.0" encoding="UTF-8"?>
<Adapter>
<DNS>
<TSIG>
<Name>ods-key</Name>
<Algorithm>hmac-sha256</Algorithm>
<Secret>xxx...xxx</Secret>
</TSIG>
<Inbound>
<RequestTransfer>
<Remote>
<Address>127.0.0.1</Address>
<Port>53</Port>
<Key>ods-key</Key>
</Remote>
</RequestTransfer>
<AllowNotify>
<Peer>
<Prefix>127.0.0.1</Prefix>
<Key>ods-key</Key>
</Peer>
</AllowNotify>
</Inbound>
...
</DNS>
</Adapter>
...
signerd listens as configured
netstat -npla|grep :15354
tcp 0 0 10.1.1.53:15354 0.0.0.0:* LISTEN 14482/ods-signerd
tcp 0 0 127.0.0.1:15354 0.0.0.0:* LISTEN 14482/ods-signerd
udp 0 0 10.1.1.53:15354 0.0.0.0:* 14482/ods-signerd
udp 0 0 127.0.0.1:15354 0.0.0.0:* 14482/ods-signerd
and AXFR from BIND works as expected
/usr/local/opendnssec/sbin/ods-signer retransfer example.com
Zone example.com being re-transfered.
tail -f opendnssec.log
...
Dec 26 16:32:23 dns ods-signerd: [xfrd] zone example.com request axfr to 127.0.0.1
Dec 26 16:32:23 dns ods-signerd: [xfrd] zone example.com transfer done [notify acquired 0, serial on disk 1482770644, notify serial 0]
At this point, if --out-type == file, the zone's signed to
/var/opendnssec/signed/example.com
Notify mail, containing the new key, is sent/received correctly via a "<DelegationSignerSubmitCommand>" script, and we're done.
But, if --out-type == DNS, with additional config
cat addns.xml
<Adapter>
<DNS>
...
<Outbound>
<ProvideTransfer>
<Peer>
<Prefix>10.2.2.53</Prefix>
<Key>ods-key</Key>
</Peer>
</ProvideTransfer>
<Notify>
<Remote>
<Address>10.2.2.53</Address>
<Port>53</Port>
</Remote>
</Notify>
</Outbound>
</DNS>
</Adapter>
Signing fails
tail -f opendnssec.log
...
Dec 26 16:32:26 dns ods-signerd: [notify] unable to send data over udp to 10.2.2.53: sendto() failed (Invalid argument)
Dec 26 16:32:26 dns ods-signerd: [notify] unable to send notify retry 1 for zone example.com to 10.2.2.53: notify_send_udp() failed
which leads to this bug report
"error logging for failed ods-signer remote NOTIFY reports only "sendto() failed (Invalid argument)", no additional detail"
https://issues.opendnssec.org/browse/SUPPORT-206
I think 1st order of biz is to fix the "Invalid argument" as in the bug, and find out what the sendto() error *is* ...
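The two TSIG-protected messages this thread turns on, the AXFR request ods-signerd sends to 127.0.0.1:53 and the NOTIFY it sends to 10.2.2.53, as an added example that is not code from the original post, from OpenDNSSEC or from BIND. It builds both requests, signs them with the key name and algorithm from the posted addns.xml (ods-key, hmac-sha256) and verifies them the way a receiving server does per RFC 8945, standard library only. The secret and the message IDs are constructed dummies standing in for the elided <Secret>, and compressed names inside the TSIG RR are not handled.

```python
"""TSIG (RFC 8945) signing and verification for a DNS AXFR query or NOTIFY.
Added example for this thread; not OpenDNSSEC or BIND code.  Key name and
algorithm come from the posted addns.xml; the secret is a constructed dummy."""
import hashlib
import hmac
import struct
import time

KEY_NAME = "ods-key"       # <Name> in addns.xml
ALGORITHM = "hmac-sha256"  # <Algorithm> in addns.xml (TSIG algorithm name "hmac-sha256.")
SECRET = b"constructed-dummy-secret-not-the-real-one"  # stands in for <Secret>
TYPE_TSIG, CLASS_ANY = 250, 255
QTYPE_SOA, QTYPE_AXFR, OPCODE_NOTIFY = 6, 252, 4


def encode_name(name):
    """Wire-format a domain name in canonical form (lowercase, uncompressed)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, pos):
    """Read an uncompressed name; returns (lowercase text, position after it)."""
    labels = []
    while buf[pos]:
        n = buf[pos]
        if n & 0xC0:
            raise ValueError("compressed name not supported inside the TSIG RR")
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    return ".".join(labels), pos + 1


def skip_name(buf, pos):
    """Advance past a possibly compressed name (used to walk to the last RR)."""
    while buf[pos] and not buf[pos] & 0xC0:
        pos += 1 + buf[pos]
    return pos + (2 if buf[pos] & 0xC0 else 1)


def build_query(zone, qtype, msg_id, opcode=0, aa=False):
    """Header plus one question.  (zone, QTYPE_AXFR) is the transfer request;
    (zone, QTYPE_SOA) with opcode NOTIFY and AA set is the NOTIFY a primary sends."""
    flags = (opcode << 11) | (0x0400 if aa else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, 1)


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned request and increment ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(SECRET, message + tsig_variables(time_signed, fudge), hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    arcount = struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def parse_tsig(signed):
    """Locate the trailing TSIG RR; return its fields plus the unsigned message
    the MAC covers (ARCOUNT decremented, original ID restored), or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return None
    pos = 12
    for _ in range(qd):
        pos = skip_name(signed, pos) + 4
    for _ in range(an + ns + ar - 1):
        pos = skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    start = pos
    key, pos = decode_name(signed, pos)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
    pos += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or pos + rdlen != len(signed):
        return None
    alg, pos = decode_name(signed, pos)
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[pos + 6:pos + 10])
    pos += 10
    mac, pos = signed[pos:pos + mac_len], pos + mac_len
    original_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:start]
    return dict(key=key, algorithm=alg, time_signed=time_signed, fudge=fudge, mac=mac,
                original_id=original_id, error=error, other=other, unsigned=unsigned)


def tsig_verify(signed, now=None):
    """True only if the TSIG RR names our key and algorithm, the MAC matches and
    the timestamp is within fudge (the checks behind BADKEY, BADSIG, BADTIME)."""
    t = parse_tsig(signed)
    if t is None or t["key"] != KEY_NAME or t["algorithm"] != ALGORITHM:
        return False
    variables = tsig_variables(t["time_signed"], t["fudge"], t["error"], t["other"])
    expected = hmac.new(SECRET, t["unsigned"] + variables, hashlib.sha256).digest()
    if not hmac.compare_digest(t["mac"], expected):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - t["time_signed"]) <= t["fudge"]
```

A server that fails any of the three checks in tsig_verify answers NOTAUTH, as in the subject line, with the reason in the TSIG error field (BADKEY, BADSIG or BADTIME); `dig -k` performs the signing half, which is why the unkeyed transfer above fails and the keyed one succeeds. The sendto() failure in the log is a different layer: when sendto() returns an error, no datagram leaves the socket, so a capture shows nothing for that NOTIFY.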