Hi list
Running a primary and a secondary with each BIND-9.18.9 and using
catalog zones.
I'm trying to use XoT for the catalog-zones. The catalog zone itself is
transferred over XoT without any issues, but the zones *within* the
catalog-zone aren't transferred successfully.
On the primary, I configured a "listen-on"-directive for TLS:
tls "xot" {
    cert-file "/etc/named/tls/tls.pem";
    key-file "/etc/named/tls/tls.key";
    protocols { TLSv1.2; };
    session-tickets yes;
};

options {
    ...
    listen-on port 853 tls "xot" { 192.168.1.1; };
};
On the secondary, I configured a tls profile too:
tls "xot" {
    protocols { TLSv1.2; };
    session-tickets yes;
};
and the necessary catalog-zones configuration:
...
catalog-zones {
    zone "catz.example.local"
        in-memory no
        zone-directory "/var/named/slave/catzones"
        min-update-interval 5
        default-primaries { 192.168.1.1 port 853 tls "xot"; };
};
...
What I see here is that the secondary tries to transfer the zones
(which are declared in the catalog zone) from the primary over UDP port 853
and does nothing with TLS (and only one thing with TCP, see below).
The secondary gives up on UDP port 853 after six attempts, tries to connect
once with TCP (but no TLS), and then shows the following error:
09-Jan-2023 15:57:49.787 general: info: zone example.ch/IN: refresh: retry limit for primary 192.168.1.1#853 exceeded (source 0.0.0.0#0)
09-Jan-2023 15:57:49.787 xfer-in: info: zone example.ch/IN: Transfer started.
09-Jan-2023 15:57:49.788 xfer-in: info: transfer of 'example.ch/IN' from 192.168.1.1#853: connected using 192.168.1.1#853 TSIG testkey
09-Jan-2023 15:57:49.788 xfer-in: error: transfer of 'example.ch/IN' from 192.168.1.1#853: failed while receiving responses: end of file
09-Jan-2023 15:57:49.788 xfer-in: info: transfer of 'example.ch/IN' from 192.168.1.1#853: Transfer status: end of file
09-Jan-2023 15:57:49.788 xfer-in: info: transfer of 'example.ch/IN' from 192.168.1.1#853: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec) (serial 0)
The appropriate tcpdump looks like this where 192.168.1.2 is the
secondary and 192.168.1.1 is the primary:
15:56:19.719792 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:56:34.735035 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:56:49.741560 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:57:04.757216 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:19.757964 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:34.773366 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:49.789218 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [S], seq 1845821283, win 24400, options [mss 1220,nop,nop,sackOK,nop,wscale 7], length 0
15:57:49.789457 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [S.], seq 385431624, ack 1845821284, win 24400, options [mss 1220,nop,nop,sackOK,nop,wscale 7], length 0
15:57:49.789503 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [.], ack 1, win 191, length 0
15:57:49.789745 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [P.], seq 1:147, ack 1, win 191, length 146
15:57:49.789816 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [.], ack 147, win 199, length 0
15:57:49.790013 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [F.], seq 1, ack 147, win 199, length 0
15:57:49.790070 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [F.], seq 147, ack 2, win 191, length 0
15:57:49.790134 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [.], ack 148, win 199, length 0
Any hints on how I need to configure the "default-primaries" option in the
"catalog-zones" directive to properly "speak" XoT?
btw: Using dig to transfer the zone from the primary with XoT and
TSIG works fine:
$ dig @192.168.1.1 -k /tmp/key +tls +onesoa axfr example.ch
Many thanks in advance,
Tom
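The pattern described above (repeated UDP to port 853, then a single cleartext TCP attempt that the primary closes after the first message) can be checked mechanically on a secondary's capture. The script below is an added example, not code from the post or from BIND: it parses tcpdump lines in the format quoted above and classifies each port-853 flow; the port 40001 flow in the sample is invented to show what a flow that does get a reply looks like.

```python
import re

DOT_PORT = 853

# Constructed sample: tcpdump lines quoted in the post (wrapped lines joined, ACK-only
# packets dropped) plus one invented flow, port 40001, in which the primary does reply.
SAMPLE = """\
15:56:19.719792 IP 192.168.1.2.45333 > 192.168.1.1.853: UDP, length 159
15:57:04.757216 IP 192.168.1.2.31594 > 192.168.1.1.853: UDP, length 144
15:57:49.789218 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [S], seq 1845821283, win 24400, length 0
15:57:49.789457 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [S.], seq 385431624, ack 1845821284, win 24400, length 0
15:57:49.789745 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [P.], seq 1:147, ack 1, win 191, length 146
15:57:49.790013 IP 192.168.1.1.853 > 192.168.1.2.37670: Flags [F.], seq 1, ack 147, win 199, length 0
15:57:49.790070 IP 192.168.1.2.37670 > 192.168.1.1.853: Flags [F.], seq 147, ack 2, win 191, length 0
15:58:00.000001 IP 192.168.1.2.40001 > 192.168.1.1.853: Flags [S], seq 1, win 24400, length 0
15:58:00.000002 IP 192.168.1.1.853 > 192.168.1.2.40001: Flags [S.], seq 1, ack 2, win 24400, length 0
15:58:00.000003 IP 192.168.1.2.40001 > 192.168.1.1.853: Flags [P.], seq 1:300, ack 1, win 191, length 299
15:58:00.000004 IP 192.168.1.1.853 > 192.168.1.2.40001: Flags [P.], seq 1:1500, ack 300, win 199, length 1499
"""

# timestamp IP src.sport > dst.dport: <rest ending in "length N">
PKT = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*length (\d+))$")

def parse_flows(text, port=DOT_PORT):  # group packets to/from `port` by (client ip, client port)
    flows = {}
    for m in (PKT.match(l.strip()) for l in text.splitlines()):
        if not m:
            continue
        src, sport, dst, dport, rest, n = m.groups()
        if int(dport) == port:          # secondary -> primary
            key, from_client = (src, int(sport)), True
        elif int(sport) == port:        # primary -> secondary
            key, from_client = (dst, int(dport)), False
        else:
            continue
        f = flows.setdefault(key, {"proto": "udp" if rest.startswith("UDP") else "tcp",
                                   "client_bytes": 0, "server_bytes": 0, "server_fin": False})
        f["client_bytes" if from_client else "server_bytes"] += int(n)
        f["server_fin"] |= (not from_client) and "[F" in rest
    return flows

def verdict(f):
    if f["proto"] == "udp":
        return "udp-to-dot-port"           # DoT/XoT is TCP-only: a TLS listener never answers UDP
    if f["client_bytes"] and not f["server_bytes"] and f["server_fin"]:
        return "tcp-closed-without-reply"  # server hung up after the first client message (no TLS handshake)
    return "tcp-with-reply"                # server answered; TLS vs. cleartext cannot be told from lengths alone

def audit(text, port=DOT_PORT):  # one (client ip, client port, verdict) per flow, in capture order
    return [(ip, p, verdict(f)) for (ip, p), f in parse_flows(text, port).items()]
```

Run it against a live capture with `tcpdump -n port 853` piped into `audit()`; any flow not reported as `tcp-with-reply` is a member zone being fetched without XoT.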
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users