linux – BIND 9's nsupdate dyndns update gives: "tsig verify fail
I have gone through so many HOWTO pages on DDNS trying to solve this... I'm at a loss.
WorkstationX = CentOS 6.2 x64

I don't understand why it isn't working... I'm literally out of ideas. I have regenerated and reconfigured everything multiple times.

I've made sure of:

- Running NTPD on both hosts; I have verified that NTP is working
- linux.yyz.us/nsupdate/

Some of them have different ways of generating the key, but the rest is the same... When I try nsupdate – even on the server where dnssec-keygen was run (and where bind is) – I get the same log entry:

    Aug 14 11:20:38 vps named[31247]: 14-Aug-2013 11:20:38.032 security: error: client 127.0.0.1#29403: view public: request has invalid signature: TSIG domain2.com.au.: tsig verify failure (BADKEY)

From this nsupdate:

    nsupdate -k Kdomain2.com.au.+157+35454.key
    server localhost
    zone domain2.com.au.
    update add test.domain2.com.au. 86400 IN A 10.20.30.40
    show
    send

What I gather is the CORRECT generation method:

    dnssec-keygen -a HMAC-MD5 -b 512 -n HOST domain2.com.au.

named.conf (IPs have been changed for privacy):

    acl ipv4 { 0.0.0.0/0; };
    acl ipv6 { 2000::/3; ::1; fe80::/10; fec0::/10; };
    acl safehosts { 127.0.0.0/8; 3.2.2.40; 44.44.14.12; };

    include "/etc/bind/rndc.key";

    controls { inet * port 953 allow { safehosts; } keys { "rndc-key"; }; };

    options {
        auth-nxdomain yes;
        empty-zones-enable no;
        zone-statistics yes;
        dnssec-enable yes;
        listen-on { any; };
        listen-on-v6 { any; };
        directory "/etc/bind/db";
        managed-keys-directory "/etc/bind/keys";
        memstatistics-file "/etc/bind/data/bind.memstats";
        statistics-file "/etc/bind/data/bind.qstats";
    };

    logging { ## CUT ## };

    view "public" {
        recursion yes;
        allow-query-cache { safehosts; };
        allow-recursion { safehosts; };

        zone "." IN { type hint; file "root.zone"; };

        zone "0.0.127.in-addr.arpa" {
            type master;
            allow-update { none; };
            allow-transfer { none; };
            file "0.0.127.in-addr.arpa.zone";
        };

        zone "localhost" {
            type master;
            allow-update { none; };
            allow-transfer { none; };
            file "localhost.zone";
        };

        zone "3.2.2.in-addr.arpa" {
            type master;
            allow-update { none; };
            allow-transfer { none; };
            file "3.2.2.in-addr.arpa.zone";
        };

        zone "domain1.com.au" {
            type master;
            notify yes;
            allow-update { key "rndc-key"; };
            allow-transfer { key "rndc-key"; };
            file "domain1.com.au.zone";
        };

        zone "domain2.com.au" {
            type master;
            notify yes;
            allow-update { key "rndc-key"; };
            allow-transfer { key "rndc-key"; };
            file "doomain2.com.au.zone";
        };
    };

/etc/bind/rndc.key:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "vZwCYBx4OAOsBrbdlooUfBaQx+kwEi2eLDXdr+JMs4ykrwXKQTtDSg/jp7eHnw39IehVLMtuVECTqfOwhXBm0A==";
    };

Kdomain1.com.au. 157 35454.private

    Private-key-format: v1.3
    Algorithm: 157 (HMAC_MD5)
    Key: vZwCYBx4OAOsBrbdlooUfBaQx+kwEi2eLDXdr+JMs4ykrwXKQTtDSg/jp7eHnw39IehVLMtuVECTqfOwhXBm0A==
    Bits: AAA=
    Created: 20130814144733
    Publish: 20130814144733
    Activate: 20130814144733

Solution
nsupdate has some quirks and assumes some naming conventions when invoked with -k. From the man page, I think your key name may somehow be referred to as domain2.com.au.
Can you try the following?

    nsupdate -y 'rndc-key:vZwCYBx4OAOsBrbdlooUfBaQx+kwEi2eLDXdr+JMs4ykrwXKQTtDSg/jp7eHnw39IehVLMtuVECTqfOwhXBm0A=='
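An added example, not part of the original question or answer: a small Python check that ties the BADKEY log line to the key names declared in named.conf, which is the mismatch the answer points at. The function names are hypothetical, and the sample config is a constructed, trimmed copy of the one in the question with the secret replaced by a placeholder.

```python
import re

# Constructed sample input, trimmed from the log line and named.conf in the question.
LOG_LINE = ('Aug 14 11:20:38 vps named[31247]: 14-Aug-2013 11:20:38.032 security: error: '
            'client 127.0.0.1#29403: view public: request has invalid signature: '
            'TSIG domain2.com.au.: tsig verify failure (BADKEY)')
NAMED_CONF = '''
key "rndc-key" { algorithm hmac-md5; secret "<redacted>"; };
zone "domain2.com.au" { type master; allow-update { key "rndc-key"; }; };
'''

def norm(name):
    """DNS names compare case-insensitively and ignore the trailing root dot."""
    return name.lower().rstrip('.')

def key_name_from_keyfile(filename):
    """Key name encoded in a dnssec-keygen file name, K<name>+<alg>+<id>.key|.private."""
    m = re.fullmatch(r'K(.+)\+(\d{3})\+(\d{5})\.(?:key|private)', filename)
    return m.group(1) if m else None

def tsig_failure(log_line):
    """Return (key_name, error_code) from a named 'tsig verify failure' line, or None."""
    m = re.search(r'TSIG (\S+): tsig verify failure \((\w+)\)', log_line)
    return (m.group(1), m.group(2)) if m else None

def defined_keys(conf):
    """Names declared by key "name" { ... } statements; references end in ';', not '{'."""
    return {norm(k) for k in re.findall(r'\bkey\s+"?([^\s";{]+)"?\s*\{', conf)}

def diagnose(log_line, conf):
    hit = tsig_failure(log_line)
    if hit is None:
        return 'no TSIG failure in log line'
    name, code = hit
    known = defined_keys(conf)
    # BADKEY: the server does not recognise the key name the client signed with.
    if code == 'BADKEY' and norm(name) not in known:
        return f'key name mismatch: client signed as "{name}", server defines {sorted(known)}'
    return f'{code}: key "{name}" is defined; compare secret, algorithm and clocks'

if __name__ == '__main__':
    print(key_name_from_keyfile('Kdomain2.com.au.+157+35454.key'))
    print(diagnose(LOG_LINE, NAMED_CONF))
```

On the sample input it reports that the client signed as domain2.com.au. while the server only defines rndc-key, so either the server needs a key statement with the client's key name or the client has to sign with the name the server knows.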