TSIG, multiple masters?

Hi,

I have a config file problem, if not a nsdc bug...

How am I supposed to handle multiple masters with TSIG ACL on
AXFR? Right now, I have this setup:

zone se slave/se masters 192.36.XXX.XXX 194.17.XXX.XXX

.. and the corresponding files 192.36.XXX.XXX.tsiginfo and
194.17.XXX.XXX.tsiginfo in my keys dir.

If I insert the following debug code into nsdc, I see no trace
of the files being used:

  # take care of tsig info file if any
  unset tsiginfoarg
  if [ -f "${keysdir}/${masters}.tsiginfo" ]
     then
     ln "${keysdir}/${masters}.tsiginfo" "${keysdir}/${masters}.tsiginfo.$$"
     tsiginfoarg="-T ${keysdir}/${masters}.tsiginfo.$$"
     printf "using ${keysdir}/${masters}.tsiginfo for master ${masters} and zone ${zone}\n"
  fi
$namedxfer -z $zone -f ${zonesdir}/$file ${tsiginfoarg} -s $serial $masters

Is this a bug, and if so, what is the workaround? If I
have simply missed documentation, I'd be more to be told to RTFM..

Måns Nilsson KTHNOC wrote:

Hi,

I have a config file problem, if not a nsdc bug...

How am I supposed to handle multiple masters with TSIG ACL on AXFR? Right now, I have this setup:

zone se slave/se masters 192.36.XXX.XXX 194.17.XXX.XXX

.. and the corresponding files 192.36.XXX.XXX.tsiginfo and 194.17.XXX.XXX.tsiginfo in my keys dir.

[...deleted...]

Is this a bug, and if so, what is the workaround? If I have simply missed documentation, I'd be more to be told to RTFM..

I believe this is a "known" bug in nsdc. Miek knows more about this, but he is currently on vacation. He should be back on Monday...

Erik

[On 19 Feb, @17:16, Erik wrote in "Re: TSIG, multiple masters? ..."]

Måns Nilsson KTHNOC wrote:
>Hi,
>
>I have a config file problem, if not a nsdc bug...
>
>How am I supposed to handle multiple masters with TSIG ACL on
>AXFR? Right now, I have this setup:
>
>zone se slave/se masters 192.36.XXX.XXX 194.17.XXX.XXX
>
>.. and the corresponding files 192.36.XXX.XXX.tsiginfo and
>194.17.XXX.XXX.tsiginfo in my keys dir.

[...deleted...]

>
>Is this a bug, and if so, what is the workaround? If I
>have simply missed documentation, I'd be more to be told to RTFM..

I believe this is a "known" bug in nsdc. Miek knows more about this, but
he is currently on vacation. He should be back on Monday...

This is a bug in the script, I briefly looked at it a month ago. The
fix is to rewrite the entire tsig handling in the nsdc script. This
will happen for 2.0.1 or 2.0.2 (and maybe also for 1.2.5),

grtz Miek

Ok, as I suspected then. I'll also try a stab at it myself. I suspect
patches are welcome?

[On 22 Feb, @16:55, Måns wrote in "Re: TSIG, multiple masters? ..."]

> fix is to rewrite the entire tsig handling in the nsdc script. This
> will happen for 2.0.1 or 2.0.2 (and maybe also for 1.2.5),

Ok, as I suspected then. I'll also try a stab at it myself. I suspect
patches are welcome?

always :)

grtz
      Miek

[On 22 Feb, @16:55, Måns wrote in "Re: TSIG, multiple masters? ..."]

> This is a bug in the script, I briefly looked at it a month ago. The
> fix is to rewrite the entire tsig handling in the nsdc script. This
> will happen for 2.0.1 or 2.0.2 (and maybe also for 1.2.5),

Ok, as I suspected then. I'll also try a stab at it myself. I suspect
patches are welcome?

I looked at it again. The reason that it fails with multiple masters
is that the .tsiginfo file is not recognized correctly ('cause of the space
between the masters' IP).

So I changed the ${masters}.tsiginfo to ${zone}.tsiginfo. If I read the named-xfer
man page correctly you can have multiple masters in one .tsiginfo file.

Måns could you confirm this does "something"? :)

grtz Miek

diff -u -r1.28 nsdc.sh.in
--- nsdc.sh.in 4 Feb 2004 12:17:07 -0000 1.28
+++ nsdc.sh.in 24 Feb 2004 10:08:28 -0000
@@ -124,10 +124,10 @@

                        # take care of tsig info file if any
                        unset tsiginfoarg
- if [ -f "${keysdir}/${masters}.tsiginfo" ]
+ if [ -f "${keysdir}/${zone}.tsiginfo" ]
                        then
- ln "${keysdir}/${masters}.tsiginfo" "${keysdir}/${masters}.tsiginfo.$$"
- tsiginfoarg="-T ${keysdir}/${masters}.tsiginfo.$$"
+ ln "${keysdir}/${zone}.tsiginfo" "${keysdir}/${zone}.tsiginfo.$$"
+ tsiginfoarg="-T ${keysdir}/${zone}.tsiginfo.$$"
                        fi

                        $namedxfer -z $zone -f ${zonesdir}/$file ${tsiginfoarg} -s $serial $masters
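
Review bot: The `[ -f "${keysdir}/${zone}.tsiginfo" ]` test still has no else branch, so when the file is absent `tsiginfoarg` stays unset and the `$namedxfer` line runs without `-T`. After this rename, key files that the old test matched under `${keysdir}/${masters}.tsiginfo` for single-master zones are no longer found, and nothing reports it. Consider falling back to the old name when the zone-named file is missing, or printing a warning when no .tsiginfo file is found for a zone. The `ln` target `${zone}.tsiginfo.$$` is created in the keys directory and no removal is visible in this hunk, so it is worth confirming that it is cleaned up after the transfer.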
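
The failure Miek describes above (the space between the masters' IPs ending up inside the .tsiginfo file name) can be reproduced with the following added example, which is not part of the thread or of nsdc. The function names, the temporary key directory and the documentation IP addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not nsdc code. Function names and the key directory
# contents are assumptions; the IPs are constructed documentation addresses.

# Lookup as in nsdc.sh.in 1.28: the whole masters string becomes one file name.
tsiginfo_by_masters_string() {
    keysdir=$1; masters=$2
    if [ -f "${keysdir}/${masters}.tsiginfo" ]; then
        printf '%s\n' "${keysdir}/${masters}.tsiginfo"
    fi
}

# Hypothetical diagnostic: split the list on whitespace and test each master.
# Prints the files found; returns 1 if any master has no .tsiginfo file.
tsiginfo_per_master() {
    keysdir=$1; masters=$2; missing=0
    for m in $masters; do
        if [ -f "${keysdir}/${m}.tsiginfo" ]; then
            printf '%s\n' "${keysdir}/${m}.tsiginfo"
        else
            printf 'no .tsiginfo file for master %s\n' "$m" >&2
            missing=1
        fi
    done
    return $missing
}

demo() {
    dir=$(mktemp -d) || return 1
    : > "${dir}/192.0.2.1.tsiginfo"
    : > "${dir}/198.51.100.1.tsiginfo"
    list="192.0.2.1 198.51.100.1"      # two masters, as in the zone line
    found=$(tsiginfo_by_masters_string "$dir" "$list")
    echo "masters-string lookup: ${found:-nothing found, transfer runs without -T}"
    echo "per-master lookup:"
    tsiginfo_per_master "$dir" "$list"
    rm -rf "$dir"
}

demo
```

With two masters the first lookup finds nothing even though both key files exist, which matches the missing debug output in the original report.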