I'm running into a TSIG issue with NSD 4.0.3. The master runs NSD
4.0.3 on Solaris 10 Sparc, the slave server runs NSD 4.0.3 on
FreeBSD 10 amd64.
On the master I have specified:
zone:
    [...]
    notify: x.x.x.x foo_key
    provide-xfr: x.x.x.x foo_key

key:
    name: "foo_key"
    algorithm: hmac-md5
    secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
And on the slave:
zone:
    [...]
    allow-notify: y.y.y.y foo_key
    request-xfr: AXFR y.y.y.y foo_key

key:
    name: "foo_key"
    algorithm: hmac-md5
    secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
This setup works fine if the secondary is running Solaris 10 x86,
but unfortunately not with FreeBSD 10. As the setup works if I
specify NOKEY, it seems to be something wrong with TSIG.
Any idea what is going wrong here?
Could it be that FreeBSD's crypto implementation blacklists the md5
algorithm because it is considered too weak? I.e., the crypto library
refuses the operation. If so, use something like hmac-sha256.
NSD4 does not really have different code in TSIG compared to NSD3, by
the way. So the exact NSD version number is unlikely to make a
difference.
Other than that, a mistake in the FreeBSD config file, e.g. a different
secret or a different key name.
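The reply names two things to rule out: the crypto library on the slave refusing MD5, and the two key: blocks not actually matching. The script below, added here as an example and not code from NSD or from anyone in this thread, checks both offline. It parses two constructed nsd.conf key: blocks (the key name and the base64 secret are placeholders, not values from the post), reports any name/algorithm/secret mismatch, probes whether the local hashlib will even instantiate the digest behind the configured algorithm, and computes the TSIG MAC over a sample message plus the RFC 2845 TSIG variables so that a master-side and a slave-side key can be shown to sign identically (or not). The TSIG variable layout follows RFC 2845 section 3.4.2; the sample DNS message is a constructed byte string, not a real NOTIFY.

```python
"""Cross-check a TSIG key as configured on an NSD master and slave.

Added example for the thread above, not NSD's own code. All config text,
key names and secrets below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import struct

# nsd.conf algorithm name -> hashlib digest name
ALGORITHMS = {"hmac-md5": "md5", "hmac-sha1": "sha1", "hmac-sha256": "sha256"}

# Algorithm names as they appear on the wire in the TSIG RR (RFC 2845 / RFC 4635)
WIRE_ALG_NAMES = {
    "hmac-md5": "hmac-md5.sig-alg.reg.int.",
    "hmac-sha1": "hmac-sha1.",
    "hmac-sha256": "hmac-sha256.",
}

# Constructed key: blocks standing in for the master and slave nsd.conf
MASTER_CONF = '''key:
    name: "foo_key"
    algorithm: hmac-sha256
    secret: "c2VjcmV0LWZvby1rZXk="
'''
# Same key name, same algorithm, but one character of the secret differs
SLAVE_CONF_BAD = MASTER_CONF.replace("ZXk=", "ZXo=")


def parse_key_block(text):
    """Pull name, algorithm and secret out of an nsd.conf key: block."""
    key = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("key:") or ":" not in line:
            continue
        field, _, value = line.partition(":")
        key[field.strip()] = value.strip().strip('"')
    return key


def compare_keys(master, slave):
    """Return human-readable mismatches between two parsed key: blocks."""
    problems = []
    # TSIG key names are DNS names: trailing dot and case do not matter (canonical form)
    if master["name"].rstrip(".").lower() != slave["name"].rstrip(".").lower():
        problems.append(f"key name differs: {master['name']!r} vs {slave['name']!r}")
    if master["algorithm"].lower() != slave["algorithm"].lower():
        problems.append(f"algorithm differs: {master['algorithm']} vs {slave['algorithm']}")
    # Compare the decoded bytes so that equivalent base64 spellings do not false-alarm
    if base64.b64decode(master["secret"]) != base64.b64decode(slave["secret"]):
        problems.append("secret differs (decoded bytes are not equal)")
    return problems


def digest_available(algorithm):
    """True if this host's crypto library will construct the digest for `algorithm`.

    A library built to refuse MD5 (for example OpenSSL in FIPS mode) raises
    ValueError here, which is the failure mode the reply above suspects.
    """
    try:
        hashlib.new(ALGORITHMS[algorithm.lower()])
        return True
    except ValueError:
        return False


def wire_name(name):
    """Encode a dotted DNS name as uncompressed, lowercase wire-format labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_mac(key, message, time_signed=0, fudge=300):
    """HMAC over the DNS message plus the TSIG variables (RFC 2845 section 3.4.2)."""
    alg = key["algorithm"].lower()
    variables = (
        wire_name(key["name"])                      # key name, canonical wire form
        + struct.pack("!HI", 255, 0)                # CLASS ANY, TTL 0
        + wire_name(WIRE_ALG_NAMES[alg])            # algorithm name
        + time_signed.to_bytes(6, "big")            # 48-bit time signed
        + struct.pack("!HHH", fudge, 0, 0)          # fudge, error = 0, other len = 0
    )
    secret = base64.b64decode(key["secret"])
    return hmac.new(secret, message + variables, ALGORITHMS[alg]).digest()


def keys_sign_identically(master_text, slave_text, message=b"\x12\x34constructed-dns-message"):
    """True when both sides produce the same MAC for the same message and TSIG variables."""
    master, slave = parse_key_block(master_text), parse_key_block(slave_text)
    return tsig_mac(master, message) == tsig_mac(slave, message)


if __name__ == "__main__":
    m = parse_key_block(MASTER_CONF)
    print("md5 usable on this host:", digest_available("hmac-md5"))
    print("mismatches vs slave:", compare_keys(m, parse_key_block(SLAVE_CONF_BAD)))
    print("MACs agree with bad slave key:", keys_sign_identically(MASTER_CONF, SLAVE_CONF_BAD))
```

Running it against the real master and slave key: blocks (paste each into the two strings) tells you in one go whether the secret was mistyped on the FreeBSD side and whether the slave's crypto library will do hmac-md5 at all; if `digest_available("hmac-md5")` is False there, switching both sides to hmac-sha256 as the reply suggests is the fix.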