Workaround needed for TSIG Zone Transfer

Ondřej Surý ondrej at isc.org
Sat Jun 10 04:27:59 UTC 2023 

Hi Rick,

even while I should be destroying message (Sensitivity: Internal.) message, I am rather going to respond…

Our colleague Tony Finch written nsnotifyd: https://dotat.at/prog/nsnotifyd/

Run this somewhere close to the proprietary server and configure it to send valid notifies to named. Then configure the non conformant proprietary server to send notifies to nsnotifyd.

My recommendation would be still to save money by replacing the broken proprietary stuff with the open source.

Alternatively, perhaps the server can send notifies from a different IP address than the address of the primary NS? You might be able to configure different ACLs for the allow-notify block and don’t couple the notify-IP with any TSIG key.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 9. 6. 2023, at 23:52, Frey, Rick E via bind-users <bind-users at lists.isc.org> wrote:
> 
> 
> I’ve got a case where using BIND (v9.16.41) as a secondary to a third party (commercial) primary nameserver.  Using TSIG for the zone transfers.  Have verified zone transfers and TSIG key using dig between hosts.  BIND is configured to use TSIG for the primary server using server x.x.x.x { keys “somekey”; } directive.
>  
> Problem is that the primary server does not sign the response with TSIG for the SOA query sent by BIND to determine if update is needed.   Since response to SOA query is not signed, BIND considers response invalid:
> 
> Sample log message when SOA not signed:
> zone some-domain.com/IN: refresh: failure trying master x.x.x.x#53 (source 0.0.0.0#0): expected a TSIG or SIG(0)
>  
> I know that BIND is not at fault and the primary server is breaking RFC8945 as any query with TSIG is required to return a TSIG RR in the response.  Working w/ vendor of the primary nameserver to resolve.  The vendor is a pretty widely used provider so I’m a bit surprised issue has not occurred before now.
>  
> Mainly wondering if there is any workaround available to allow BIND to either not send TSIG in SOA query to the primary server (but still use TSIG for zone transfer) or accept the SOA response w/o TSIG RR.  I was unable to find any means to configure this behavior in reading through BIND documentation.
>  
> Rick
>  
> This email message and any attachments are for the sole use of the intended recipient(s). Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.
> Sensitivity: Internal
> 
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230610/a2669f46/attachment.htm>

More information about the bind-users mailing list