[nsd-users] TSIG issue

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Apr 14 08:52:40 UTC 2014


Hi İhsan,

On 04/14/2014 07:49 AM, İhsan Doğan wrote:
> Hi,
> 
> I'm running into a TSIG issue with NSD 4.0.3. The master runs NSD 
> 4.0.3 on Solaris 10 Sparc, the slave server runs NSD 4.0.3 on 
> FreeBSD 10 amd64.
> 
> On the master I have specified:
> 
>   zone:
>     [...]
>     notify: notify: x.x.x.x foo_key
>     provide-xfr: provide-xfr: x.x.x.x foo_key
>   key:
>     name: "foo_key"
>     algorithm: hmac-md5
>     secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
> 
> And on the slave:
> 
>   zone:
>     [...]
>     allow-notify: y.y.y.y foo_key
>     request-xfr: AXFR y.y.y.y foo_key
>   key:
>     name: "foo_key"
>     algorithm: hmac-md5
>     secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
> 
> This setup works fine if the secondary is running Solaris 10 x86, 
> but unfortunately not with FreeBSD 10. As the setup works if I 
> specify NOKEY, it seems to be something wrong with TSIG.
> 
> Any idea what is going wrong here?

Could it be that FreeBSD's crypto implementation blacklists the md5
algorithm because it is considered too weak?  I.e. the crypto library
refuses the operation.  If so, use something like hmac-sha256.

NSD4 does not really have different code in TSIG compared to NSD3, by
the way.  So the exact NSD version number is unlikely to make a
difference.

Other than that, a mistake in the FreeBSD config file, e.g. a different
secret or a different key name.

Best regards,
   Wouter
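
The two causes suggested in this reply (an hmac-md5 key, or a key name or secret that differs between the hosts) can be checked offline with a short script. This is an added example, not part of the original message and not NSD code: `parse_keys`, `fingerprint` and `compare` are hypothetical helpers, the parser is a simplified reading of `key:` clauses that ignores `include:` files, and the sample configs and secrets are constructed.

```python
import base64, binascii, hashlib, re

# Constructed sample key clauses; the secrets are placeholders, not from the thread.
MASTER = 'key:\n  name: "foo_key"\n  algorithm: hmac-md5\n  secret: "c2FtcGxlLXNlY3JldC1ieXRlcw=="\n'
SLAVE = 'key:\n  name: "foo_key"\n  algorithm: hmac-md5\n  secret: "c2FtcGxlLXNlY3JldC1ieXRlcyE="\n'

def parse_keys(conf):
    """Return {key name: attributes} for every key: clause in an nsd.conf text."""
    keys, cur = [], None
    for raw in conf.splitlines():
        m = re.match(r'\s*([\w-]+):\s*(.*)$', raw.split("#", 1)[0])
        if not m:
            continue
        attr, val = m.group(1), m.group(2).strip().strip('"')
        if val == "":                      # bare "word:" opens a new clause
            cur = {} if attr == "key" else None
            if cur is not None:
                keys.append(cur)
        elif cur is not None:              # attribute inside a key: clause
            cur[attr] = val
    return {k.get("name", "").lower(): k for k in keys}

def fingerprint(secret_b64):
    """Short SHA-256 digest of the decoded secret, safe to compare across hosts."""
    raw = base64.b64decode(secret_b64, validate=True)
    return hashlib.sha256(raw).hexdigest()[:16]

def compare(master_conf, slave_conf, name):
    """List the reasons a TSIG key might not verify between the two configs."""
    m = parse_keys(master_conf).get(name.lower())
    s = parse_keys(slave_conf).get(name.lower())
    if m is None or s is None:
        return [f"key {name!r} missing on " + ("master" if m is None else "slave")]
    problems = []
    algs = {m.get("algorithm", "").lower(), s.get("algorithm", "").lower()}
    if len(algs) > 1:
        problems.append("algorithm differs")
    try:
        if fingerprint(m["secret"]) != fingerprint(s["secret"]):
            problems.append("secret differs")
    except (KeyError, binascii.Error):
        problems.append("secret missing or not valid base64")
    if "hmac-md5" in algs:
        problems.append("hmac-md5 in use; the crypto library may refuse it")
    return problems

if __name__ == "__main__":
    for p in compare(MASTER, SLAVE, "foo_key"):
        print(p)
```

Run it on the real master and slave config texts and exchange only the reported problems or fingerprints, never the secrets themselves.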

