tsig zone transfer problem with 8.2.3 and 8.2.5

Martin Lohner mlohner at akamai.com
Thu Oct 11 23:21:23 UTC 2001


To respond to my own email:

I have by now tested with "dig" as the client replaced with "named", and 
there everything behaves as it should. (Not using a key or using the 
wrong key on the client side results in no transfer, as it should!)

And the reason why dig succeeds without a key is because TSIG for 
transfers is for Authentication purposes, NOT Authorization. (Named is 
just being picky when not specifying a key on the client side; it could 
just as well succeed, if it doesn't care about authentication.)

  --Martin


Martin Lohner wrote:
> I've set up tsig for zone transfers between two machines using bind 
> 8.2.3 (and also tried 8.2.5 with same result).
> 
> I use "dig" to do the transfers. It works fine, if I specify the tsig 
> key properly:
> 
> dig @172.24.84.233 martinstest. axfr -k /var/named/tsig:martinstest.
> 
> The disturbing thing happens, when I don't use the key (with dig): the 
> transfer still works. This shouldn't happen.
> 
> I did some further tests to double-check:
> 
> 1) If I make the key between server and client disagree, no transfer.
> 2) If I try from another client ip, no transfer.
> 
> This sounds like a bug: a zone transfer happens without specifying a key 
> by the client, even though the server is set up only for key access.
> 
> I just now tried 8.2.5: same problem.
> 
> My setup (on the server) is given below.
> 
> Thanks much. --martin
> 
> options {
> ...
>         // other options
>         allow-transfer { none; };
> };
> 
> key martinstest. {
>    algorithm hmac-md5;
>    secret "+eqNFRkfkx/Sth0E0hSRtA==";
> };
> 
> server 172.24.85.166 {
>    transfer-format many-answers;
>    keys { martinstest.; };
> };
> 
> zone "martinstest." {
>    file "/tmp/martinstest.zone";
>    type master;
>    allow-transfer { 172.24.85.166; };
>    notify no;
> };
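An added example, not code from the original post and not BIND's own implementation, that models the two checks Martin's tests exercise separately: TSIG verification of a signed AXFR request against the key from the quoted named.conf (authentication), and the zone's allow-transfer match list (authorization), with the IP-based entry from the quoted config beside a key-based entry. The request bytes, the wrong secret and the match-list semantics are constructed, simplified assumptions; the MAC here covers only the request bytes, whereas a real TSIG record (RFC 2845) also covers the key name, algorithm, time and fudge.

```python
"""Model of how a TSIG-signed AXFR request is admitted.

Added example, not the original poster's code and not BIND's source. Two
separate questions are asked of each request:
  1. authentication: if the request carries a TSIG record, does the HMAC
     verify under a configured key?  (a bad signature is refused outright)
  2. authorization:   does the zone's allow-transfer match list admit this
     client, by address or by verified key name?
"""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Key exactly as in the quoted named.conf (hmac-md5, base64 secret).
KEYS: Dict[str, bytes] = {"martinstest.": base64.b64decode("+eqNFRkfkx/Sth0E0hSRtA==")}

# Constructed secret for the "keys disagree" test; not on the page.
WRONG_SECRET = hashlib.md5(b"constructed-wrong-secret").digest()

# Two allow-transfer match lists: the quoted IP-based one and a key-based one.
IP_LIST: List[Tuple[str, str]] = [("ip", "172.24.85.166")]
KEY_LIST: List[Tuple[str, str]] = [("key", "martinstest.")]


def axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS AXFR question (constructed wire bytes, QTYPE 252)."""
    header = txid.to_bytes(2, "big") + b"\x00\x00" + b"\x00\x01" + b"\x00\x00" * 3
    labels = zone.rstrip(".").split(".")
    qname = b"".join(len(l).to_bytes(1, "big") + l.encode() for l in labels) + b"\x00"
    return header + qname + (252).to_bytes(2, "big") + (1).to_bytes(2, "big")


def sign(message: bytes, keyname: str, secret: bytes) -> Dict[str, object]:
    """Simplified TSIG record: HMAC-MD5 over the request bytes only."""
    return {"name": keyname, "mac": hmac.new(secret, message, hashlib.md5).digest()}


def verify(message: bytes, tsig: Optional[Dict[str, object]], keys: Dict[str, bytes]) -> bool:
    """Authentication: True only for a signature that verifies under a known key."""
    if tsig is None:
        return False                      # unsigned: not authenticated
    secret = keys.get(str(tsig["name"]))
    if secret is None:
        return False                      # unknown key name (BADKEY)
    expected = hmac.new(secret, message, hashlib.md5).digest()
    return hmac.compare_digest(expected, bytes(tsig["mac"]))  # else BADSIG


def transfer_allowed(client_ip: str, message: bytes, tsig: Optional[Dict[str, object]],
                     match_list: List[Tuple[str, str]], keys: Dict[str, bytes]) -> bool:
    """Authorization against a simplified address match list.

    Entries are ("ip", address) or ("key", keyname).  An address entry admits
    the client without consulting any key; a key entry admits it only when the
    request carries a signature that verified under that key.
    """
    if tsig is not None and not verify(message, tsig, keys):
        return False                      # signed but unverifiable: refused before the ACL
    for kind, value in match_list:
        if kind == "ip" and value == client_ip:
            return True
        if kind == "key" and tsig is not None and str(tsig["name"]) == value:
            return True                   # verify() already succeeded above
    return False


def run_scenarios() -> Dict[str, bool]:
    """Replays the poster's observations and the key-based alternative."""
    msg = axfr_query("martinstest.")
    good = sign(msg, "martinstest.", KEYS["martinstest."])
    bad = sign(msg, "martinstest.", WRONG_SECRET)
    return {
        # IP-based allow-transfer, as in the quoted config:
        "ip_list_no_key_from_allowed_ip": transfer_allowed("172.24.85.166", msg, None, IP_LIST, KEYS),
        "ip_list_good_key_from_allowed_ip": transfer_allowed("172.24.85.166", msg, good, IP_LIST, KEYS),
        "ip_list_wrong_key_from_allowed_ip": transfer_allowed("172.24.85.166", msg, bad, IP_LIST, KEYS),
        "ip_list_good_key_from_other_ip": transfer_allowed("172.24.84.1", msg, good, IP_LIST, KEYS),
        # Key-based allow-transfer: the signature decides, the address does not:
        "key_list_no_key_from_allowed_ip": transfer_allowed("172.24.85.166", msg, None, KEY_LIST, KEYS),
        "key_list_good_key_from_other_ip": transfer_allowed("172.24.84.1", msg, good, KEY_LIST, KEYS),
        "key_list_wrong_key_from_allowed_ip": transfer_allowed("172.24.85.166", msg, bad, KEY_LIST, KEYS),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:40s} {'transfer' if allowed else 'refused'}")
```

The first four scenarios reproduce what the post reports for an address-based list: an unsigned request from the listed address is admitted, a request signed with a disagreeing key is refused, and a correctly signed request from another address is refused. The last three show the key-based list, which in BIND's own syntax is written `allow-transfer { key martinstest.; };`. The `keys` clause inside a `server` statement selects the key named uses when it sends requests to that address; it does not by itself require a signature on requests arriving from it.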



