dig axfr and TSIG
Alexander Ottl
aottl at mpmail.net
Tue Dec 26 15:04:12 UTC 2000
Dear Group,
When I started testing TSIG validated zone transfers between my name
servers I noticed that dig has a problem with this under certain
conditions. I did some tests with a dummy domain named "intern" and a
key named "test."
Software version is BIND 8.2.2P7 on SuSE Linux 6.3 and 6.4.
dnskeygen -H 128 -h -n test
...
In named.conf I put:
key test. {
    algorithm hmac-md5;
    secret "AK5nBT0vCFhemCmZ0J1+Yw==";
};

zone "intern" {
    type master;
    file "intern.zone";
    check-names fail;
    allow-query { localhost; };
    allow-transfer { key test.; };
};
Now testing with dig:
> dig @localhost intern axfr -k $PWD:test.
; <<>> DiG 8.2 <<>> @localhost intern axfr -k
; (1 server found)
; TSIG ok
$ORIGIN intern.
@ 1D IN SOA @ root (
2000121002 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; TSIG invalid
1D IN NS localhost.
; TSIG invalid
1D IN A 127.0.0.1
; TSIG invalid
localhost 1H IN A 127.0.0.1
; TSIG invalid
www 1D IN CNAME @
; TSIG invalid
;; ns_initparse: Message too long
;; Received 5 answers (5 records).
;; FROM: ds9 to SERVER: 127.0.0.1
;; WHEN: Tue Dec 26 12:51:51 2000
Now I know how I can make the error messages go away: in named.conf I
put:
server 127.0.0.1 { transfer-format many-answers; };
On a side note: then I get
;; Received 1 answer (6 records).
This is of course correct, but the wording tends to confuse me as to what
an answer is: so with transfer-format many-answers the client receives
one answer, yeah right.
But I wonder: Is this a bug in dig? Is TSIG generally incompatible with
"transfer-format one-answer"?
named-xfer doesn't seem to complain with either transfer format.
To complicate matters, I found a post in the archives that seems to
indicate that named-xfer has a problem with "many-answers"
(http://www.isc.org/ml-archives/bind-users/2000/07/msg00513.html).
So should I be worried about proper operation of my name servers when
using TSIG'd zone transfers?
Regards,
--
Alexander Ottl
Media Professionals AG Tel.: +49 (89) 51554-169
Bayerstrasse 21 Fax : +49 (89) 51554-199
D-80335 Muenchen - Germany http://www.media-professionals.de
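Added example, not code from the post or from BIND: a Python sketch of how TSIG covers a multi-message AXFR under RFC 2845 section 4.4, where the first envelope is signed over the request MAC plus the full TSIG variables and each later envelope chains on the previous MAC and covers only the timers. The key, request MAC, timestamps and envelope bytes are constructed stand-ins; that dig 8.2 reports "TSIG invalid" because it verifies each envelope as a stand-alone reply is an assumption, the code only shows what such a client would report versus one that chains.

```python
import hmac
import hashlib
import struct

# Constructed sample values (not from the post): a 128-bit key such as
# "dnskeygen -H 128" would produce, a stand-in MAC for the signed AXFR
# query, and opaque stand-ins for three wire-format AXFR envelopes
# (each taken without its TSIG RR, as RFC 2845 requires for digesting).
KEY = bytes(range(16))
REQ_MAC = hashlib.md5(b"constructed AXFR request").digest()
ENVELOPES = [b"SOA+NS+A records", b"localhost A record", b"www CNAME record"]
TIME_SIGNED, FUDGE = 977834891, 300  # constructed; 300s is the usual fudge

def wire_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"

def len16(prior_mac: bytes) -> bytes:
    # A prior MAC enters the digest prefixed by its 16-bit length (RFC 2845 3.4.1)
    return struct.pack("!H", len(prior_mac)) + prior_mac

def timers() -> bytes:
    # 48-bit time signed + 16-bit fudge: the only TSIG fields digested on
    # the second and later envelopes of a multi-message response (4.4)
    return struct.pack("!Q", TIME_SIGNED)[2:] + struct.pack("!H", FUDGE)

def tsig_variables(key_name="test.", alg="hmac-md5.sig-alg.reg.int.") -> bytes:
    # Full TSIG variables (3.4.2): name, class ANY, TTL 0, algorithm,
    # timers, error 0, other-len 0 (no other data)
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(alg)
            + timers() + struct.pack("!HH", 0, 0))

def mac(prior: bytes, msg: bytes, tail: bytes) -> bytes:
    return hmac.new(KEY, len16(prior) + msg + tail, hashlib.md5).digest()

def sign_transfer(envelopes):
    """Server side: envelope 0 covers the request MAC and the full TSIG
    variables; every later envelope chains on the previous MAC and timers."""
    macs, prior = [], REQ_MAC
    for i, msg in enumerate(envelopes):
        prior = mac(prior, msg, tsig_variables() if i == 0 else timers())
        macs.append(prior)
    return macs

def verify_chained(envelopes, macs):
    """Client that implements the 4.4 chaining: every envelope validates."""
    prior, ok = REQ_MAC, []
    for i, (msg, m) in enumerate(zip(envelopes, macs)):
        ok.append(hmac.compare_digest(m, mac(prior, msg, tsig_variables() if i == 0 else timers())))
        prior = m
    return ok

def verify_each_as_first(envelopes, macs):
    """Client that treats each envelope as a stand-alone reply: only the
    first validates, giving a 'TSIG ok' then 'TSIG invalid' pattern."""
    return [hmac.compare_digest(m, mac(REQ_MAC, msg, tsig_variables()))
            for msg, m in zip(envelopes, macs)]
```

With transfer-format many-answers the whole zone fits one envelope, so both clients agree; the difference only shows once the transfer is split across messages.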