Workaround needed for TSIG Zone Transfer
Frey, Rick E
Rick.Frey at windstream.com
Fri Jun 9 21:52:06 UTC 2023
I’ve got a case where using BIND (v9.16.41) as a secondary to a third party (commercial) primary nameserver. Using TSIG for the zone transfers. Have verified zone transfers and TSIG key using dig between hosts. BIND is configured to use TSIG for the primary server using server x.x.x.x { keys “somekey”; } directive.
Problem is that the primary server does not sign the response with TSIG for the SOA query sent by BIND to determine if update is needed. Since response to SOA query is not signed, BIND considers response invalid:
Sample log message when SOA not signed:
zone some-domain.com/IN: refresh: failure trying master x.x.x.x#53 (source 0.0.0.0#0): expected a TSIG or SIG(0)
I know that BIND is not at fault and the primary server is breaking RFC8945 as any query with TSIG is required to return a TSIG RR in the response. Working w/ vendor of the primary nameserver to resolve. The vendor is a pretty widely used provider so I’m a bit surprised issue has not occurred before now.
Mainly wondering if there is any workaround available to allow BIND to either not send TSIG in SOA query to the primary server (but still use TSIG for zone transfer) or accept the SOA response w/o TSIG RR. I was unable to find any means to configure this behavior in reading through BIND documentation.
* Rick
This email message and any attachments are for the sole use of the intended recipient(s). Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.
Sensitivity: Internal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230609/f0af8aa2/attachment-0001.htm>
More information about the bind-users
mailing list