[Opendnssec-user] [EXT] CRITICAL: failed to sign zone

Andrew Ivanov ivanov at data1.co
Mon Aug 19 13:58:23 UTC 2019


On Mon, Aug 19, 2019 at 03:13:11PM +0200, Ulrich-Lorenz Schlüter wrote:
> >>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] xfr/newlease from 127.0.0.1
> >>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
> >>>> Aug 17 10:55:59 one ods-signerd[5550]: [socket] incoming udp message
> >>>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
> >>>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
> >>>> Aug 17 10:55:59 one ods-signerd[5550]: [query] too many additional rrs
> >>>> Aug 17 10:55:59 one ods-signerd[5550]: [query] formerr
> >>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>> The problem is here. Check server TSIG-settings and adapters in addns.xml.
> >> I created new keys, changed from hmac-md5 to hmac-sha512, now I get:
> >> unable to sign request: tsig unknown algorithm hmac-sha512
> > 
> > I guess your current version of opendnssec does not support optional hmac algorithms.
> > Try to use hmac-sha256. This algorithm is mandatory.
> I changed to hmac-sha256.
> Still got the formerr

Your name server responds without TSIG. Check server logs and TSIG settings.

Regards
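
The check that the advice above and the `[tsig] parse: not TSIG or not ANY` log lines point at, as an added example that is not part of the original message or of OpenDNSSEC's code: per RFC 8945 a signed DNS reply carries a TSIG record (type 250, class ANY) as the last RR of the additional section. The function names, the sample replies and this reading of the log line are assumptions.

```python
import struct

TYPE_TSIG, CLASS_ANY = 250, 255  # RFC 8945: TSIG RR is type 250, class ANY

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:             # root label ends the name
            return off
        off += length

def last_additional_is_tsig(msg):
    """True if the final additional-section RR is TSIG/ANY, as a signed reply must be."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):             # question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    rtype = rclass = None
    for _ in range(an + ns + ar):   # RR: name, type, class, ttl, rdlength, rdata
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
    return ar > 0 and rtype == TYPE_TSIG and rclass == CLASS_ANY

def name(n):
    """Encode a dotted name in DNS wire format (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".") if l) + b"\x00"

def build_reply(last_rr=None):
    """Constructed sample reply; last_rr is an optional (type, class) for one additional RR."""
    hdr = struct.pack("!6H", 0x1234, 0x8400, 1, 0, 0, 1 if last_rr else 0)
    msg = hdr + name("example.com") + struct.pack("!HH", 6, 1)   # QTYPE=SOA, QCLASS=IN
    if last_rr:
        rdata = bytes(16)           # placeholder rdata, not a real MAC
        msg += name("key.example") + struct.pack("!HHIH", *last_rr, 0, len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    for label, rr in [("signed", (250, 255)), ("unsigned", None), ("wrong class", (250, 1))]:
        print(label, last_additional_is_tsig(build_reply(rr)))
```

Feeding it the raw bytes of a captured SOA or NOTIFY reply from the primary shows whether the server is answering with TSIG at all before looking at key names or algorithms.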


