When I try a simple drill, it seems to be working for me...

drill -p 5398 -y <tsigstuff> @<opendnssec> example.com soa

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21616
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;; example.com. IN SOA

;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2539 28800 7200 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20120518081431 20120518080829 42244 example.com. 2czTwGPxjYue6kSIxU/G9IueI6Kw6u4tOjJxfvGYKmUUQyxtlHgNpIbcYjDdDDqdrnx/II6iVvtvBTb/DeBMWjcWkTizDgDudUZRM+Mr5rXitq9neaw+XFO0zo3JoW3Le7ibzd4tezKduMXAoSt+3oAB+kdqG1BUr1GL+krox/M=

;; AUTHORITY SECTION:
example.com. 3600 IN NS ns2.example.com.
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20120518081432 20120518080829 42244 example.com. 4isFLIZ0HbOCa0h9hiQwQKW3YjG/XTFwhKCLMnnLscembkVsRo/o26muRM/QEaUvp2mc7ocCtJDNIQi2sQUxE9NZ5F11bJoJDac7DYQx8pWg/2ZTFkA9sI0vGIgJodrx+5/wzneEyajJ+nB+AJkivDMuEOWw0WpvoiWyf/p7/LA=

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; TSIG:
;; tsig. 0 ANY TSIG hmac-sha256. 1337327616 300 32 tyY1srt5+FYUNV1PHuIztv21axyItvbwgzCbqS72oYE= 21616 0 0
;; SERVER: 213.154.224.18
;; WHEN: Fri May 18 10:09:35 2012
;; MSG SIZE rcvd: 650

Logs:

May 18 10:13:07 zoidberg ods-signerd: [socket] incoming udp message
May 18 10:13:07 zoidberg ods-signerd: [query] zone pletterpet.nl. not found
May 18 10:13:07 zoidberg ods-signerd: [query] tsig ok
May 18 10:13:07 zoidberg ods-signerd: [query] incoming query qtype=SOA for zone pletterpet.nl
May 18 10:13:07 zoidberg ods-signerd: [acl] match 213.154.224.30
May 18 10:13:07 zoidberg ods-signerd: [socket] query processed qstate=0
May 18 10:13:07 zoidberg ods-signerd: [socket] sending 650 bytes over udp
May 18 10:13:07 zoidberg ods-signerd: [dnshandler] netio dispatch

On 05/17/2012 05:03 PM, Daniel Salzman wrote:
> It seems that Bind doesn't send AXFR at first but sends standard
> query SOA with TSIG. OpenDNSSEC responds without TSIG on standard
> query...
>
> Dan
>
>
> On 05/16/2012 05:06 PM, Daniel Salzman wrote:
>> Hi,
>>
>> I'm not sure where the problem is, but Bind (9.7.3, 9.8.1-P1)
>> rarely downloads zone from OpenDNSSEC (1.4.0-trunk r6339). Dig
>> utility or KnotDNS downloads zone each time.
>>
>> Logs for unsuccessful case:
>>
>> == 172.20.20.215 ==
>> May 16 16:56:11 nic ods-signerd: [socket] incoming udp message
>> May 16 16:56:11 nic ods-signerd: [query] tsig ok
>> May 16 16:56:11 nic ods-signerd: [query] incoming query qtype=SOA for zone ccc.cz
>> May 16 16:56:11 nic ods-signerd: [acl] match 172.20.20.201
>> May 16 16:56:11 nic ods-signerd: [socket] query processed qstate=0
>> May 16 16:56:11 nic ods-signerd: [socket] sending 594 bytes over udp
>> May 16 16:56:11 nic ods-signerd: [dnshandler] netio dispatch
>>
>> == 172.20.20.201 ==
>> May 16 16:55:41 dan named[26167]: zone ccc.cz/IN: refresh: failure trying master 172.20.20.215#1053 (source 0.0.0.0#0): expected a TSIG or SIG(0)
>>
>>
>> (sorry for spamming) Dan
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
