[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bind9-users
Subject:    RE: RE: tsig verify failed
From:       Holger.Zuleger () arcor ! net
Date:       2004-06-04 10:32:57
Message-ID: C1256EA9.0039FAF8.00 () ffm-hq-gtw01 ! Arcor ! net

Hi Allan,

at first, sorry for my last message: I misread your posting, or rather didn't
read it at all.

The NAT implementation on Cisco routers does payload translation for several
application protocols.
It does payload translation for DNS queries (maybe only A and TXT records?) but
not for zone transfers!
Have a look at the following FAQ page (see last question):
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/prodlit/iosnt_qp.htm

I guess that Cisco PIX NAT works similarly (see second question on the same URL
and
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/fixup.htm#xtocid5
).

Hope that helps

 Holger
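What the above amounts to on the wire, as an added illustration that is not part of this thread or of BIND: TSIG (RFC 2845) appends an HMAC computed over the entire DNS message plus the TSIG "variables" (key name, algorithm, time signed, fudge, error, other data). Any device that rewrites addresses inside the DNS payload between the two servers therefore changes bytes that are under the MAC, and the receiver reports a verification failure, just as it does when the clocks differ by more than the fudge. The Python below, stdlib only, builds a constructed A-record response, signs it with HMAC-MD5, and verifies it untouched, after a NAT-style address rewrite, and with a skewed clock. The key name, shared secret, host name and addresses are all made up for the example.

```python
"""TSIG (RFC 2845) sign/verify over a constructed DNS message, and what a
NAT-style DNS payload rewrite does to the MAC.  Added example, stdlib only."""
import hmac
import hashlib
import struct
import time

ALGORITHM = "hmac-md5.sig-alg.reg.int."   # RFC 2845 HMAC-MD5 algorithm name
CLASS_ANY, TYPE_A = 255, 1


def wire_name(name):
    """Encode a domain name in canonical (lower-case) wire format."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, ip, msg_id=0x1234):
    """Constructed DNS response: header, one A question, one A answer."""
    header = struct.pack("!HHHHHH", msg_id, 0x8400, 1, 1, 0, 0)
    question = wire_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = (wire_name(qname) + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
              + bytes(int(o) for o in ip.split(".")))
    return header + question + answer


def tsig_digest_input(message, key_name, time_signed, fudge, request_mac=b""):
    """Bytes covered by the MAC (RFC 2845 section 3.4): the request MAC
    (length-prefixed, responses only), the DNS message without the TSIG RR,
    and the TSIG variables: name, class ANY, TTL 0, algorithm, 48-bit time
    signed, fudge, error (0) and other-data length (0)."""
    variables = (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
                 + wire_name(ALGORITHM)
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
                 + struct.pack("!HHH", fudge, 0, 0))
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    return prefix + message + variables


def tsig_sign(message, key_name, key, time_signed, fudge=300, request_mac=b""):
    """MAC the signer places in the TSIG RR appended to `message`."""
    data = tsig_digest_input(message, key_name, time_signed, fudge, request_mac)
    return hmac.new(key, data, hashlib.md5).digest()


def tsig_verify(message, key_name, key, time_signed, fudge, mac, now, request_mac=b""):
    """Verifier side: check the time window, then recompute the MAC over the
    bytes as received.  Returns (ok, reason)."""
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    expected = tsig_sign(message, key_name, key, time_signed, fudge, request_mac)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    return True, "NOERROR"


def nat_rewrite_a_record(message, old_ip, new_ip):
    """Constructed stand-in for a NAT DNS payload fixup: replace the 4-byte
    A RDATA for old_ip with new_ip, leaving everything else intact."""
    old = bytes(int(o) for o in old_ip.split("."))
    new = bytes(int(o) for o in new_ip.split("."))
    return message.replace(old, new)


def demo():
    key_name = "transfer-key."            # constructed key name
    key = b"constructed-shared-secret"    # constructed shared secret
    ts = int(time.time())
    msg = build_response("ns1.example.", "10.0.0.5")   # inside (private) address
    mac = tsig_sign(msg, key_name, key, ts)

    # 1. Message delivered unchanged: the MAC verifies.
    ok_direct, _ = tsig_verify(msg, key_name, key, ts, 300, mac, ts + 1)
    # 2. A NAT rewrote the private address to the public one: bytes under the
    #    MAC changed, so the receiver sees a signature failure.
    natted = nat_rewrite_a_record(msg, "10.0.0.5", "203.0.113.5")
    ok_nat, reason_nat = tsig_verify(natted, key_name, key, ts, 300, mac, ts + 1)
    # 3. Receiver clock 10 minutes off with a 300 s fudge: the other classic cause.
    ok_time, reason_time = tsig_verify(msg, key_name, key, ts, 300, mac, ts + 600)
    return ok_direct, (ok_nat, reason_nat), (ok_time, reason_time)


if __name__ == "__main__":
    print(demo())   # (True, (False, 'BADSIG'), (False, 'BADTIME'))
```

The example signs a single message. A real zone transfer chains the MAC across the multi-message TCP stream (RFC 2845 section 4.4), which the code does not model, but the point is the same: whatever bytes a middlebox changes in the payload are bytes under the MAC, so "tsig verify failure" on the receiving side is the expected, correct outcome, not a key or configuration problem.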

NOC Alerts <NOCAlerts@kcinetworksolutions.com>@isc.org
02.06.2004 08:03

Sent by:  bind9-users-bounce@isc.org

To:     "'bind9-users@isc.org'" <bind9-users@isc.org>
Cc:     (Bcc: Holger Zuleger/TND/Eschborn/Arcor)
Subject:  RE: tsig verify failed

-----Original Message-----
From: NOC Alerts
Sent: Monday, May 31, 2004 8:55 PM
To: 'bind9-users@isc.org'
Subject: RE: tsig verify failed


Hi

Just for your information, I have performed further tests and interestingly,
TSIG works when both my master and slave DNS servers are placed in our
outside segment (i.e. directly accessible to the internet, no NAT'ing or PIX
firewall restrictions). This obviously means there are some issues with TSIG
and either NAT'ing or the PIX. We also performed Ethereal captures and there
are no differences in the UDP datagrams between a zone transfer using TSIG
when the boxes are in the DMZ and when they are directly connected to the
internet. In the TSIG record itself, under the error section, it mentions
there are no errors.
Anybody have issues with TSIG and NAT/PIX???

Thanks in advance

-----Original Message-----
From: NOC Alerts [mailto:NOCAlerts@kcinetworksolutions.com]
Sent: Monday, May 24, 2004 2:55 PM
To: 'Ladislav Vobr'
Cc: 'bind9-users@isc.org'
Subject: RE: tsig verify failed


Yes I do. I have setup xntpd on both boxes and they are synchronised
correctly.

-----Original Message-----
From: Ladislav Vobr [mailto:lvobr@ies.etisalat.ae]
Sent: Monday, May 24, 2004 1:46 PM
Cc: 'bind9-users@isc.org'
Subject: Re: tsig verify failed


Do you have the proper timezone and time on both machines? TSIG is
sensitive to time.

Ladislav

NOC Alerts wrote:
> Hello All
>
> I am currently building primary/secondary authoritative DNS servers for our
> domain at work and am getting this error when trying to configure these 2
> servers for TSIG zone transfers. I am pretty sure my named.conf files are
> correct as the zone transfers work properly when I attach the 2 servers via
> crossover. Once these servers are connected to our DMZ I get the following
> error for all zones using TSIG transfers.
>
> ......zone x.x.x.in-addr.arpa/IN: refresh: failure trying master x.x.x.x#53:
> tsig verify failure
>
> A few things to note are:
> 1. Transfers work correctly when I choose not to use TSIG.
> 2. The 2 servers are being NAT'd (via PIX firewalls) to public IPs on
> different networks, i.e. zone transfers occur across the public network.
> 3. TSIG verification and zone transfers work when using a crossover between
> machines and changing the IPs so that the machines can communicate with each
> other.
> 4. Using BIND 9.2.3 on 1 server and BIND 9.2.3rc1 on the other. Built on
> Solaris 9 for SPARC.
>
> Thanks for any assistance.
>
> Allan
