Navigation

CodeChris · #1 24th August 2009, 11:26

Hi,

I am setting up a master slave DNS system using two debian boxes, they
are the latest version using the dev branch. I roughly followed this
tut http://www.howtoforge.org/debian_bin...r_slave_system

With the IP's .24 is master and .25 is slave

My issue is my two servers (same location so it's not a router/ACL
problem) cannot sync, the times are correct and in syslog I see this
on the master

client 5.59.5.25#22342: request has invalid signature: TSIG transfer:
tsig verify failure (BADSIG)

and this on the slave

zone example.co.uk/IN: refresh: failure trying master 5.59.5.24#53
(source 0.0.0.0#0): tsig indicates error

I will post named.conf, I am sure the secret hash key comes from
Kservername.co.uk.private I made using dnssec-keygen....

// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/named.root";
};

key "TRANSFER" {
algorithm hmac-md5;
secret Cyo81M1X5SHjOz126BSW2w==;
};

server 5.59.5.25 {
keys {
TRANSFER;
};
};

and here is the slave

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

include "/etc/bind/rndc.key";

key "TRANSFER" {
algorithm hmac-md5;
secret "vGldxHA618+Om0y/uPfn+w==";
};

server 5.59.5.24 {
keys {
TRANSFER;
};
};

I have searched around but nobody seamed to have any answer that
called out to me, and as I said that tut has worked for other
people...

Thanks
Chris

CodeChris · #2 25th August 2009, 12:39

Has nobody seen this before?

Chris

falko · #3 25th August 2009, 14:39

No, I haven't seen this before...

CodeChris · #4 25th August 2009, 15:46

bollocks....maybe I should format and run through the tut again, I can't see anything I have done wrong though

CodeChris · #5 26th August 2009, 12:07

Just checking a few basic things, ntpdate has been updated on both servers, that is fine, here is the named.conf.local on both servers master then slave

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "domain.co.uk" {
type master;
file "/etc/bind/master/db.domain.co.uk";
};

zone "example.co.uk" {
type master;
file "/etc/bind/master/db.example.co.uk";
};

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "domain.co.uk" {
type slave;
file "/etc/bind/slave/db.domain.co.uk";
masters { 5.59.5.4; };
allow-notify { 5.59.5.4; };
};
zone "example.co.uk" {
type slave;
file "/etc/bind/slave/db.example.co.uk";
masters { 5.59.5.24; };
allow-notify {5.59.5.24; };
};

I am guessing they are fine?

gary_gb · #6 27th October 2009, 02:15

Hi,

Just had exactly the same problem myself and found that I needed to restart bind on the 'master':

sudo /etc/init.d/bind9 restart

Had me confused for quite a while, and like you, seems I double checked everything else, grrr.

Here were the errors that I was getting:
(test setup - master:ns1:192.168.0.101 slave:ns2:192.168.0.102 domain/zone:test.local)

MASTER:
tail /var/log/syslog
Oct 26 23:39:35 ns1 named[4481]: client 192.168.0.102#37378: request has invalid signature: TSIG transfer: tsig verify failure (BADKEY)

SLAVE:
tail /var/log/syslog
Oct 26 23:40:22 ns2 named[5111]: zone test.local/IN: refresh: failure trying master 192.168.0.101#53 (source 0.0.0.0#0): tsig indicates error

Stopped bind on slave, restarted on master, started on slave and lo and behold...

Oct 27 00:10:37 ns2 named[5303]: zone test.local/IN: Transfer started.
Oct 27 00:10:37 ns2 named[5303]: transfer of 'test.local/IN' from 192.168.0.101#53: connected using 192.168.0.102#33584
Oct 27 00:10:37 ns2 named[5303]: zone test.local/IN: transferred serial 2009102101: TSIG 'transfer'
Oct 27 00:10:37 ns2 named[5303]: transfer of 'test.local/IN' from 192.168.0.101#53: end of transfer

CodeChris · #7 27th October 2009, 23:14

Thank you very much Gary, I will look at this when I get back in the office.

So stop on master and slave, start on master, start on slave...ok seams simple enough after the hardship

CodeChris · #8 28th October 2009, 11:06

Annoyingly, that didnt fix my problems

It just tries to do the transfer of the two domains I have specified and gives that error...I guess my problem is a bit more complicated then yours...bloody thing!!!