Zones declared in a catalog-zone are not transferred successfully over XoT

Tom lists at verreckte-cheib.ch
Mon Jan 9 15:24:22 UTC 2023


Hi list

Running a primary and a secondary, each on BIND 9.18.9, and using 
catalog zones.

I'm trying to use XoT for the catalog zones. The catalog zone itself is 
transferred over XoT without any issues, but the zones *within* the 
catalog zone aren't transferred successfully.

On the primary, I configured a "listen-on"-directive for TLS:
tls "xot" {
         cert-file "/etc/named/tls/tls.pem";
         key-file "/etc/named/tls/tls.key";
         protocols { TLSv1.2; };
         session-tickets yes;
};

options {
...
     listen-on port 853 tls "xot" { 192.168.1.1; };
};


On the secondary, I configured a tls profile too:
tls "xot" {
         protocols { TLSv1.2; };
         session-tickets yes;
};

and the necessary catalog-zones configuration:
...

         catalog-zones {
                 zone "catz.example.local"
                 in-memory no
                 zone-directory "/var/named/slave/catzones"
                 min-update-interval 5
                 default-primaries { 192.168.1.1 port 853 tls "xot"; };
         };
...

What I see here is that the secondary tries to transfer the zones 
(which are declared in the catalog zone) from the primary with UDP 853 
and does nothing with TLS (and just one thing with TCP, see below).

The secondary gives up trying with UDP 853 (6x), tries to connect 
with TCP (but no TLS) one time and then shows the following error:
09-Jan-2023 15:57:49.787 general: info: zone example.ch/IN: refresh: retry limit for primary 192.168.1.1#853 exceeded (source 0.0.0.0#0)
09-Jan-2023 15:57:49.787 xfer-in: info: zone example.ch/IN: Transfer started.
09-Jan-2023 15:57:49.788 xfer-in: info: transfer of 'example.ch/IN' from 192.168.1.1#853: connected using 192.168.1.1#853 TSIG testkey
09-Jan-2023 15:57:49.788 xfer-in: error: transfer of 'example.ch/IN' from 192.168.1.1#853: failed while receiving responses: end of file
09-Jan-2023 15:57:49.788 xfer-in: info: transfer of 'example.ch/IN' from 192.168.1.1#853: Transfer status: end of file
09-Jan-2023 15:57:49.788 xfer-in: info: transfer of 'example.ch/IN' from 192.168.1.1#853: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec) (serial 0)


The corresponding tcpdump looks like this, where 192.168.1.2 is the 
secondary and 192.168.1.1 is the primary:
15:56:19.719792 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:56:34.735035 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:56:49.741560 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:57:04.757216 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:19.757964 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:34.773366 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:49.789218 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [S], seq 1845821283, win 24400, options [mss 1220,nop,nop,sackOK,nop,wscale 7], length 0
15:57:49.789457 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [S.], seq 385431624, ack 1845821284, win 24400, options [mss 1220,nop,nop,sackOK,nop,wscale 7], length 0
15:57:49.789503 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [.], ack 1, win 191, length 0
15:57:49.789745 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [P.], seq 1:147, ack 1, win 191, length 146
15:57:49.789816 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [.], ack 147, win 199, length 0
15:57:49.790013 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [F.], seq 1, ack 147, win 199, length 0
15:57:49.790070 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [F.], seq 147, ack 2, win 191, length 0
15:57:49.790134 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [.], ack 148, win 199, length 0


Any hints on how I need to configure the "default-primaries" option in the 
"catalog-zones" directive to properly "speak" XoT?


By the way, using dig to transfer the zone from the primary with XoT and 
TSIG works fine:
$ dig @192.168.1.1 -k /tmp/key +tls +onesoa axfr example.ch


Many thanks in advance,
Tom
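As an added triage example (this is not part of Tom's post and not BIND code), the following Python checks a tcpdump text capture and a named log for the symptom described above: plaintext DNS being sent to the DNS-over-TLS port. DoT is TCP-only, so any UDP datagram to port 853 is a plaintext query by definition; the additional "first TCP segment is the UDP query length plus 2" test is a heuristic introduced here (a DNS-over-TCP message is the wire message with a 2-byte length prefix, whereas a TLS session would begin with a ClientHello), not a diagnostic BIND provides. The sample inputs are the post's own tcpdump and log lines, re-joined one per line.

```python
import re

# Constructed sample input: the tcpdump and named log lines quoted in the post.
TCPDUMP_SAMPLE = """\
15:56:19.719792 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:56:34.735035 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:56:49.741560 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:57:04.757216 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:19.757964 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:34.773366 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:49.789218 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [S], seq 1845821283, win 24400, options [mss 1220,nop,nop,sackOK,nop,wscale 7], length 0
15:57:49.789457 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [S.], seq 385431624, ack 1845821284, win 24400, options [mss 1220,nop,nop,sackOK,nop,wscale 7], length 0
15:57:49.789745 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [P.], seq 1:147, ack 1, win 191, length 146
15:57:49.790013 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [F.], seq 1, ack 147, win 199, length 0
"""

NAMED_LOG_SAMPLE = """\
09-Jan-2023 15:57:49.787 general: info: zone example.ch/IN: refresh: retry limit for primary 192.168.1.1#853 exceeded (source 0.0.0.0#0)
09-Jan-2023 15:57:49.788 xfer-in: info: transfer of 'example.ch/IN' from 192.168.1.1#853: connected using 192.168.1.1#853 TSIG testkey
09-Jan-2023 15:57:49.788 xfer-in: error: transfer of 'example.ch/IN' from 192.168.1.1#853: failed while receiving responses: end of file
"""

# tcpdump line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
_PKT = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
_UDP = re.compile(r"^UDP, length (?P<len>\d+)")
_TCP = re.compile(r"^Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)")
# named log shapes seen in the post
_RETRY = re.compile(r"retry limit for primary (?P<peer>\S+) exceeded")
_EOF = re.compile(r"transfer of '(?P<zone>[^']+)' from (?P<peer>\S+): failed while receiving responses: end of file")


def parse_packets(text):
    """Parse tcpdump text output into dicts; lines that are not packets are skipped."""
    out = []
    for line in text.splitlines():
        m = _PKT.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        u, t = _UDP.match(rest), _TCP.match(rest)
        if not (u or t):
            continue
        out.append({
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": "udp" if u else "tcp",
            "flags": "" if u else t.group("flags"),
            "length": int((u or t).group("len")),
        })
    return out


def analyze_capture(text, server_ip, port=853):
    """Summarise traffic towards server_ip:port and flag what cannot be TLS."""
    udp_lengths = []
    first_payload = {}   # (client_ip, client_port) -> size of first data segment
    server_fin = set()   # client flows that the server closed (FIN)
    for p in parse_packets(text):
        to_server = p["dst"] == server_ip and p["dport"] == port
        from_server = p["src"] == server_ip and p["sport"] == port
        if p["proto"] == "udp" and to_server:
            udp_lengths.append(p["length"])          # DoT is TCP-only: always plaintext
        elif p["proto"] == "tcp" and to_server and p["length"] > 0:
            first_payload.setdefault((p["src"], p["sport"]), p["length"])
        elif p["proto"] == "tcp" and from_server and "F" in p["flags"]:
            server_fin.add((p["dst"], p["dport"]))
    # Heuristic (assumption of this example): a DNS-over-TCP message is the UDP
    # wire message plus a 2-byte length prefix, so a first segment of exactly
    # (udp_len + 2) bytes is plain DNS rather than the start of a TLS handshake.
    plain_tcp = [f for f, n in first_payload.items() if n - 2 in udp_lengths]
    return {
        "udp_to_dot_port": len(udp_lengths),
        "udp_lengths": sorted(set(udp_lengths)),
        "tcp_flows": len(first_payload),
        "plain_tcp_flows": len(plain_tcp),
        "closed_by_server": sum(1 for f in plain_tcp if f in server_fin),
    }


def analyze_named_log(text):
    """Pick the refresh/transfer failures out of named's log output."""
    retry, eof = set(), set()
    for line in text.splitlines():
        if (m := _RETRY.search(line)):
            retry.add(m.group("peer"))
        if (m := _EOF.search(line)):
            eof.add((m.group("zone"), m.group("peer")))
    return {"retry_exhausted": sorted(retry), "eof_transfers": sorted(eof)}


def diagnose(capture_text, log_text, server_ip, port=853):
    """Return human-readable findings; empty list means nothing suspicious."""
    cap, log = analyze_capture(capture_text, server_ip, port), analyze_named_log(log_text)
    findings = []
    if cap["udp_to_dot_port"]:
        findings.append(f"{cap['udp_to_dot_port']} UDP datagrams to {server_ip}:{port} "
                        f"(lengths {cap['udp_lengths']}): DoT is TCP-only, so these are plaintext queries")
    if cap["plain_tcp_flows"]:
        findings.append(f"{cap['plain_tcp_flows']} TCP flow(s) to port {port} whose first segment looks like "
                        f"plain DNS-over-TCP, not a TLS ClientHello; {cap['closed_by_server']} closed by the server")
    for peer in log["retry_exhausted"]:
        findings.append(f"named exhausted refresh retries against {peer}")
    for zone, peer in log["eof_transfers"]:
        findings.append(f"named got EOF transferring {zone} from {peer}: consistent with a TLS listener dropping a non-TLS connection")
    return findings


if __name__ == "__main__":
    for f in diagnose(TCPDUMP_SAMPLE, NAMED_LOG_SAMPLE, "192.168.1.1"):
        print("-", f)
```

Run it against `tcpdump -n -l` output of the secondary and the `xfer-in`/`general` log categories; a secondary that is really speaking XoT produces no UDP to 853 and a first TCP segment that does not match any UDP query size.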