HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Bind, Debian, BADSIG (http://www.howtoforge.com/forums/showthread.php?t=38457)

CodeChris 24th August 2009 11:26

Bind, Debian, BADSIG
 
Hi,

I am setting up a master/slave DNS system using two Debian boxes; they
are the latest version, using the dev branch. I roughly followed this
tut http://www.howtoforge.org/debian_bin...r_slave_system

With the IPs, .24 is the master and .25 is the slave.

My issue is that my two servers (same location, so it's not a router/ACL
problem) cannot sync. The times are correct, and in syslog I see this
on the master:

client 5.59.5.25#22342: request has invalid signature: TSIG transfer:
tsig verify failure (BADSIG)

and this on the slave:

zone example.co.uk/IN: refresh: failure trying master 5.59.5.24#53
(source 0.0.0.0#0): tsig indicates error

I will post named.conf. I am sure the secret hash key comes from the
Kservername.co.uk.private I made using dnssec-keygen...

// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/named.root";
};

key "TRANSFER" {
algorithm hmac-md5;
secret Cyo81M1X5SHjOz126BSW2w==;
};

server 5.59.5.25 {
keys {
TRANSFER;
};
};


and here is the slave:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

include "/etc/bind/rndc.key";

key "TRANSFER" {
algorithm hmac-md5;
secret "vGldxHA618+Om0y/uPfn+w==";
};

server 5.59.5.24 {
keys {
TRANSFER;
};
};

I have searched around, but nobody seemed to have any answer that
called out to me, and as I said, that tut has worked for other
people...

Thanks
Chris
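A quick consistency check for the two "key" stanzas above, added here as an example and not code from the thread or from BIND: it parses the master and slave named.conf fragments (reconstructed inline from the posted configs) and reports why a TSIG-signed transfer request would be rejected. The regexes are a simplified reading of named.conf syntax, not a full parser.

```python
import base64
import binascii
import re

# Constructed sample: the two "key" stanzas posted in the thread, master first
# (its secret is unquoted, exactly as posted) and slave second.
MASTER_CONF = 'key "TRANSFER" {\nalgorithm hmac-md5;\nsecret Cyo81M1X5SHjOz126BSW2w==;\n};'
SLAVE_CONF = 'key "TRANSFER" {\nalgorithm hmac-md5;\nsecret "vGldxHA618+Om0y/uPfn+w==";\n};'

KEY_RE = re.compile(r'key\s+"?([^"\s{]+)"?\s*\{(.*?)\}\s*;', re.S)
ALG_RE = re.compile(r'algorithm\s+"?([\w-]+)"?\s*;')
SECRET_RE = re.compile(r'secret\s+("?)([^";\s]+)\1\s*;')  # group 1 = quote, if any

def parse_keys(conf):
    """Map key name -> (algorithm, secret, was_quoted) for each key stanza."""
    keys = {}
    for name, body in KEY_RE.findall(conf):
        alg, sec = ALG_RE.search(body), SECRET_RE.search(body)
        keys[name] = (alg.group(1).lower() if alg else None,
                      sec.group(2) if sec else None,
                      bool(sec and sec.group(1)))
    return keys

def check_tsig_pair(master_conf, slave_conf):
    """List every reason these two named.conf fragments would yield BADKEY/BADSIG."""
    findings = []
    master, slave = parse_keys(master_conf), parse_keys(slave_conf)
    for side, keys in (("master", master), ("slave", slave)):
        for name, (alg, secret, quoted) in keys.items():
            if not quoted:
                findings.append(f"{side} key {name}: secret is unquoted; quote it for consistency")
            try:
                base64.b64decode(secret or "", validate=True)  # TSIG secrets are base64
            except binascii.Error:
                findings.append(f"{side} key {name}: secret is not valid base64")
    for name in sorted(set(master) | set(slave)):
        if name not in master or name not in slave:
            findings.append(f"key {name}: only one side knows it (BADKEY)")
        elif master[name][0] != slave[name][0]:
            findings.append(f"key {name}: algorithm differs")
        elif master[name][1] != slave[name][1]:
            findings.append(f"key {name}: secrets differ, so the HMAC cannot verify (BADSIG)")
    return findings

if __name__ == "__main__":
    for line in check_tsig_pair(MASTER_CONF, SLAVE_CONF):
        print(line)
```

Both sides of a TSIG transfer must share the same key name, algorithm and base64 secret; run this over the real /etc/bind/named.conf of each server to see which of those differs.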

CodeChris 25th August 2009 12:39

Has nobody seen this before?

Chris

falko 25th August 2009 14:39

No, I haven't seen this before... :confused:

CodeChris 25th August 2009 15:46

Bollocks... maybe I should format and run through the tut again; I can't see anything I have done wrong though.

CodeChris 26th August 2009 12:07

Just checking a few basic things: ntpdate has been updated on both servers, that is fine. Here is the named.conf.local on both servers, master then slave:


//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "domain.co.uk" {
type master;
file "/etc/bind/master/db.domain.co.uk";
};

zone "example.co.uk" {
type master;
file "/etc/bind/master/db.example.co.uk";
};



//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "domain.co.uk" {
type slave;
file "/etc/bind/slave/db.domain.co.uk";
masters { 5.59.5.4; };
allow-notify { 5.59.5.4; };
};
zone "example.co.uk" {
type slave;
file "/etc/bind/slave/db.example.co.uk";
masters { 5.59.5.24; };
allow-notify {5.59.5.24; };
};

I am guessing they are fine?

gary_gb 27th October 2009 02:15

Hi,

Just had exactly the same problem myself and found that I needed to restart bind on the 'master':

sudo /etc/init.d/bind9 restart

Had me confused for quite a while, and like you, it seems I double-checked everything else, grrr.

Here were the errors that I was getting:
(test setup - master:ns1:192.168.0.101 slave:ns2:192.168.0.102 domain/zone:test.local)

MASTER:
tail /var/log/syslog
Oct 26 23:39:35 ns1 named[4481]: client 192.168.0.102#37378: request has invalid signature: TSIG transfer: tsig verify failure (BADKEY)

SLAVE:
tail /var/log/syslog
Oct 26 23:40:22 ns2 named[5111]: zone test.local/IN: refresh: failure trying master 192.168.0.101#53 (source 0.0.0.0#0): tsig indicates error

Stopped bind on slave, restarted on master, started on slave and lo and behold...

Oct 27 00:10:37 ns2 named[5303]: zone test.local/IN: Transfer started.
Oct 27 00:10:37 ns2 named[5303]: transfer of 'test.local/IN' from 192.168.0.101#53: connected using 192.168.0.102#33584
Oct 27 00:10:37 ns2 named[5303]: zone test.local/IN: transferred serial 2009102101: TSIG 'transfer'
Oct 27 00:10:37 ns2 named[5303]: transfer of 'test.local/IN' from 192.168.0.101#53: end of transfer

CodeChris 27th October 2009 23:14

Thank you very much Gary, I will look at this when I get back in the office.

So stop on master and slave, start on master, start on slave... ok, seems simple enough after the hardship :)

CodeChris 28th October 2009 11:06

Annoyingly, that didn't fix my problems :( It just tries to do the transfer of the two domains I have specified and gives that error... I guess my problem is a bit more complicated than yours... bloody thing!!! :(

matey 28th October 2009 17:56

I noticed you use names and Gary used IP addresses. Maybe you need to edit your resolv.conf, restart /init.d/networking and try bind again?

CodeChris 29th October 2009 16:09

Thank you for your reply... I am struggling to see where you think I am using names and he is using IP addresses, however??

