O.k., taking Nate's mail and running with it, I've hit a dead end. Not sure
what I'm doing wrong, but here goes.
ns1 == my nameserver
mybox == my firewall at home on cable modem
Both boxen are redhat-7.3 and have the same bind version
I generated the key with the following command:

    dnssec-keygen -a hmac-md5 -b 128 -n HOST www.dolly-llama.org.

I copied the files generated to my firewall box. My named.conf on my ns
server has the following in it:

    key www.dolly-llama.org. {
        algorithm hmac-md5;
        secret "base64fromkeyfile.priv";
    };
    zone "dolly-llama.org" {
        type master;
        allow-query { any; };
        file "slave/dolly-llama.org.zone";
        update-policy {
            grant www.dolly-llama.org. name www.dolly-llama.org. A;
        };
    };

I have bind set up chroot()ed and secure, so the only place it can write is
the slave/ directory.
The only thing that zone file has in it is the necessary stuff. There is no www
record in it. When I run nsupdate -k /path/to/crazynamedkeyfile and tap tap
tap in all the goodies to add my www host, after the final extra \n I get

    dns_request_getresponse: tsig indicates error

and in the logs on the nameserver I see

    Jun 4 21:39:25 ns1 named[15528]: client 24.245.5.130#32811: request has
    invalid signature: tsig verify failure

Now I ask you, what the heck am I missing?
--
Ben Lutgens | http://people.sistina.com/~blutgens/
System Administrator | http://www.sistina.com/
Sistina Software Inc. |
"I got a wife and kids too but you don't see me out here stealing Imperial
Droids now do ya?"
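
Added example (not part of the original message, and not code from BIND): named looks up the TSIG key by the name the client sends and recomputes the HMAC with its own copy of the secret, so key name, algorithm and secret have to agree on both ends. This Python check compares a dnssec-keygen .private file with the key statement in named.conf; the sample secret and the key id 12345 are constructed, and the .private layout is assumed to be the v1.2 format shown.

```python
import base64
import re

# Constructed sample inputs: the secret is made-up base64 and key id 12345 is invented.
SAMPLE_PRIVATE = """Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 3q2+796tvu/erb7v3q2+7w==
"""
SAMPLE_NAMED_CONF = """key www.dolly-llama.org. {
    algorithm hmac-md5;
    secret "3q2+796tvu/erb7v3q2+7w==";
};
"""
ALG_NUMBERS = {"157": "hmac-md5"}  # algorithm number as written by dnssec-keygen

def norm(name):  # DNS names compare case-insensitively; ignore the trailing dot
    return name.lower().rstrip(".")

def key_name_from_file(filename):
    """nsupdate -k takes the key name from the K<name>+<alg>+<id> file name."""
    return norm(re.match(r"K(.+)\+\d+\+\d+\.private$", filename).group(1))

def parse_private(text):
    """Return (algorithm, secret bytes) from a dnssec-keygen .private file."""
    fields = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
    num = fields["Algorithm"].split()[0]
    return ALG_NUMBERS.get(num, num), base64.b64decode(fields["Key"].strip())

def parse_named_keys(conf):
    """Return {key name: (algorithm, secret bytes)} for each key statement."""
    keys = {}
    for name, body in re.findall(r'\bkey\s+"?([^\s"{]+)"?\s*\{(.*?)\}\s*;', conf, re.S):
        alg = re.search(r'algorithm\s+"?([\w.-]+)"?\s*;', body)
        sec = re.search(r'secret\s+"([^"]*)"\s*;', body)
        if alg and sec:
            keys[norm(name)] = (alg.group(1).lower(), base64.b64decode(sec.group(1)))
    return keys

def check(key_name, private_text, conf_text):
    """List the mismatches that would make named reject the client's TSIG."""
    alg, secret = parse_private(private_text)
    server = parse_named_keys(conf_text).get(norm(key_name))
    if server is None:
        return ["no key statement named " + norm(key_name)]
    found = [("algorithm differs", server[0] != alg),
             ("secret differs from Key: field", server[1] != secret)]
    return [msg for msg, bad in found if bad]

if __name__ == "__main__":
    name = key_name_from_file("Kwww.dolly-llama.org.+157+12345.private")
    print(check(name, SAMPLE_PRIVATE, SAMPLE_NAMED_CONF))
```

TSIG verification also depends on the two hosts' clocks agreeing, which this check does not cover.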