[Opendnssec-user] [EXT] CRITICAL: failed to sign zone

Andrew Ivanov ivanov at data1.co
Mon Aug 19 12:41:48 UTC 2019


On Mon, Aug 19, 2019 at 02:05:37PM +0200, Ulrich-Lorenz Schlüter wrote:
> On 19.08.19 at 11:17, Andrew Ivanov wrote:
> > On Sat, Aug 17, 2019 at 11:04:58AM +0200, Ulrich-Lorenz Schlüter wrote:
> >> On 16.08.19 at 20:36, Berry A.W. van Halderen wrote:
> >>> On 8/16/19 6:21 PM, Ulrich-Lorenz Schlüter wrote:
> >>>> I checked perms as described.
> >>>> Turned up logging verbosity.
> >>>> "ods-ksmutil key list --verbose" does not spit out any keys.
> >>>>
> >>>
> >> parsed (res 5)
> >> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] xfr/newlease from 127.0.0.1
> >> Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
> >> Aug 17 10:55:59 one ods-signerd[5550]: [socket] incoming udp message
> >> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
> >> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
> >> Aug 17 10:55:59 one ods-signerd[5550]: [query] too many additional rrs
> >> Aug 17 10:55:59 one ods-signerd[5550]: [query] formerr
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > The problem is here. Check server TSIG-settings and adapters in addns.xml.
> I created new keys, changed from hmac-md5 to hmac-sha512, now I get:
> unable to sign request: tsig unknown algorithm hmac-sha512

I guess your current version of OpenDNSSEC does not support optional HMAC algorithms.
Try to use hmac-sha256. This algorithm is mandatory.

Regards.
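
The check suggested in this thread (review the TSIG settings and adapters in addns.xml), written out as an added example; it is not part of the original message and not OpenDNSSEC code. Assumptions: the element names follow the addns.xml layout (`TSIG` with `Name`/`Algorithm`/`Secret`, and `Key` references under `Remote` and `Peer`), only hmac-sha256 is accepted because the reply calls it mandatory, `check_addns` is a hypothetical helper, and the sample file contents are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Assumption: only the algorithm the reply calls mandatory is accepted.
ACCEPTED_ALGORITHMS = {"hmac-sha256"}

# Constructed sample in the addns.xml layout; names, address and secret are made up.
SAMPLE_ADDNS = """<Adapter><DNS>
  <TSIG>
    <Name>xfr-key.example.</Name>
    <Algorithm>hmac-sha512</Algorithm>
    <Secret>MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=</Secret>
  </TSIG>
  <Inbound>
    <RequestTransfer>
      <Remote><Address>192.0.2.1</Address><Key>xfr-key.example.</Key></Remote>
    </RequestTransfer>
    <AllowNotify>
      <Peer><Prefix>192.0.2.1</Prefix><Key>notify-key.example.</Key></Peer>
    </AllowNotify>
  </Inbound>
</DNS></Adapter>"""


def check_addns(xml_text, accepted=ACCEPTED_ALGORITHMS):
    """Return a list of findings for the TSIG settings in an addns.xml document."""
    root = ET.fromstring(xml_text)
    findings, defined = [], set()
    for tsig in root.iter("TSIG"):
        name = (tsig.findtext("Name") or "").strip()
        algo = (tsig.findtext("Algorithm") or "").strip().lower()
        secret = (tsig.findtext("Secret") or "").strip()
        defined.add(name)
        if algo not in accepted:
            findings.append(f"{name}: algorithm {algo!r} not in accepted set")
        try:
            base64.b64decode(secret, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            findings.append(f"{name}: secret is not valid base64")
    # Every <Key> reference under a Remote or Peer must name a defined <TSIG>.
    for key in root.iter("Key"):
        ref = (key.text or "").strip()
        if ref not in defined:
            findings.append(f"{ref}: referenced but no matching <TSIG> block")
    return findings


if __name__ == "__main__":
    print("\n".join(check_addns(SAMPLE_ADDNS)))
```

The key name, algorithm and secret must also match what the peer name server is configured with; this check only covers the addns.xml side.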


