tsig zone transfer problem with 8.2.3 and 8.2.5
Martin Lohner
mlohner at akamai.com
Thu Oct 11 23:21:23 UTC 2001
To respond to my own email:
I have by now tested with "dig" as the client replaced with "named", and
there everything behaves as it should. (Not using a key or using the
wrong key on the client side results in no transfer, as it should!)
And the reason why dig succeeds without a key is because TSIG for
transfers is for Authentication purposes, NOT Authorization. (Named is
just being picky when not specifying a key on the client side; it could
just as well succeed, if it doesn't care about authentication.)
--Martin
Martin Lohner wrote:
> I've set up tsig for zone transfers between two machines using bind
> 8.2.3 (and also tried 8.2.5 with same result).
>
> I use "dig" to do the transfers. It works fine, if I specify the tsig
> key properly:
>
> dig @172.24.84.233 martinstest. axfr -k /var/named/tsig:martinstest.
>
> The disturbing thing happens, when I don't use the key (with dig): the
> transfer still works. This shouldn't happen.
>
> I did some further tests to double-check:
>
> 1) If I make the key between server and client disagree, no transfer.
> 2) If I try from another client ip, no transfer.
>
> This sounds like a bug: a zone transfer happens without specifying a key
> by the client, even though the server is setup only for key access.
>
> I just now tried 8.2.5: same problem.
>
> My setup (on the server) is given below.
>
> Thanks much. --martin
>
> options {
> ...
> // other options
> allow-transfer { none; };
> };
>
> key martinstest. {
> algorithm hmac-md5;
> secret "+eqNFRkfkx/Sth0E0hSRtA==";
> };
>
> server 172.24.85.166 {
> transfer-format many-answers;
> keys { martinstest.; };
> };
>
> zone "martinstest." {
> file "/tmp/martinstest.zone";
> type master;
> allow-transfer { 172.24.85.166; };
> notify no;
> };
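A configuration note added to this thread (not part of the original mail): the zone-level `allow-transfer` above authorizes the transfer by source address alone, so an unsigned AXFR from 172.24.85.166 is permitted and TSIG, when present, is merely verified. Requiring the key means naming it in the address match list; the corrected form below is a constructed example and assumes the installed BIND accepts `key` elements in address match lists (BIND 8.2 and later do).

```conf
// Constructed example, not the poster's configuration.
// The two zone statements are alternatives; only one may be loaded.

// Weak: the match is on the client's source address only.
// An unsigned AXFR from 172.24.85.166 succeeds; a signed one is
// authenticated if the signature verifies, but it is never required.
zone "martinstest." {
    type master;
    file "/tmp/martinstest.zone";
    allow-transfer { 172.24.85.166; };
    notify no;
};

// Corrected: only requests signed with the martinstest. key match.
// An unsigned request, or one signed with a different key, is refused,
// whichever address it comes from.
zone "martinstest." {
    type master;
    file "/tmp/martinstest.zone";
    allow-transfer { key martinstest.; };
    notify no;
};
```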