I’ve got a case where using BIND (v9.16.41) as a secondary to a third party
(commercial) primary nameserver. Using TSIG for the zone transfers. Have
verified zone transfers and TSIG key using dig between hosts. BIND is
configured to use TSIG for the primary server using server x.x.x.x { keys
“somekey”; } directive.
Problem is that the primary server does not sign the response with TSIG for the
SOA query sent by BIND to determine if update is needed. Since response to
SOA query is not signed, BIND considers response invalid:
Sample log message when SOA not signed:
zone some-domain.com/IN: refresh: failure trying master x.x.x.x#53 (source
0.0.0.0#0): expected a TSIG or SIG(0)
I know that BIND is not at fault and the primary server is breaking RFC8945 as
any query with TSIG is required to return a TSIG RR in the response. Working
w/ vendor of the primary nameserver to resolve. The vendor is a pretty widely
used provider so I’m a bit surprised issue has not occurred before now.
Mainly wondering if there is any workaround available to allow BIND to either
not send TSIG in SOA query to the primary server (but still use TSIG for zone
transfer) or accept the SOA response w/o TSIG RR. I was unable to find any
means to configure this behavior in reading through BIND documentation.
* Rick
This email message and any attachments are for the sole use of the intended
recipient(s). Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message and any attachments.
Sensitivity: Internal
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
