Is there an incompatibility between 9.16.37/9.18.11 and 9.9 when doing HMAC-MD5 AXFR?

Tue Feb 21 16:05:30 UTC 2023

Hi all

Due to circumstances beyond my control a remote partner needs to use a 9.9.9 version of bind and we are required to use HMAC-MD5 for zone transfers. There is no (big) security concern since the networks are isolated and not exposed to the larger Internet.

When the secondary requests an AXFR I see:
client @0xxxxxxxxxxxxx nnn.nnn.nnn.nnn#xxxxxx: request has invalid signature: TSIG <KEY>: tsig verify failure (BADSIG)

Doing a dig directly (with the same key) I get the zone:
client @0xxxxxxxxxxxxx nnn.nnn.nnn.nnn#xxxxxx /key <KEY> (zone.tld): transfer of 'zone.tld/IN': AXFR started: TSIG <KEY> (serial nnnn)

Is there any known incompatibilities - preferably with workarounds :) - that anyone knows about?

I apologize in advance if the info is lacking but here are, what I consider, the relevant parts from named.conf:

key "<KEY>." {
        algorithm hmac-md5;
        secret "XXXXXXXXXXXXXXXXXXXXXX";
};

acl servers {
        nnn.nnn.nnn.nnn;
        nnn.nnn.nnn.nnn;
        nnn.nnn.nnn.nnn;
};

acl transfer {
        !servers;
        !localhost;
        !nnn.nnn.nnn.nnn;
        any;
};

zone "zone.tld." IN {
        type master;
        file "/etc/bind/zones/zone.file";
        allow-transfer { !transfer; key <KEY>.; };
};

Again - sorry if this is insufficient information.
It could be as simple as the remote not having everything in order but they swear up and down that they have checked, doublechecked and enlisted multiple persons in doing the checks.

I would appreciate any and all hints even if they are farfetched.

Best Regards
Patrik Graeser
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230221/ce91cfba/attachment-0001.htm>