There is no workaround that I can think of.

As an aside I’d be specifying the key in the primaries clause rather than 
server clause. 
-- 
Mark Andrews
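
An added illustration of the per-primary key placement Mark refers to (this is an example named.conf fragment, not configuration from either message). The zone name, the key name "somekey" and the placeholder address are taken from the original post; the algorithm, file path and secret are assumptions, and the secret shown is a placeholder to be replaced with the output of tsig-keygen. The key is attached to the primary inside the zone's primaries clause instead of a global server clause, so it applies only to transfers and refresh queries for this zone. Note that this does not change the problem described in the thread: BIND still signs the refresh SOA query with the key and still requires a TSIG on the reply, so a primary that omits the TSIG from the SOA response will keep producing the "expected a TSIG or SIG(0)" refresh failure until the primary is fixed.

```conf
// Shared secret for transfers from the third-party primary.
// Generate a real secret with: tsig-keygen somekey
key "somekey" {
    algorithm hmac-sha256;                 // assumed; must match the primary
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, not a real key
};

zone "some-domain.com" {
    type secondary;                        // "slave" on older 9.x configs
    // Key given per primary (accepted in 9.16 as an alias of "masters"),
    // rather than via a global "server x.x.x.x { keys ...; };" block.
    primaries { x.x.x.x key "somekey"; };  // x.x.x.x = the vendor primary
    file "secondary/some-domain.com.db";   // assumed path
};
```

Run named-checkconf against the file before reloading; it catches a malformed secret or an unknown algorithm but cannot tell you whether the primary will sign its SOA responses, which is what the refresh log line in the original post reports.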

> On 10 Jun 2023, at 07:52, Frey, Rick E via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> 
> I’ve got a case where I’m using BIND (v9.16.41) as a secondary to a third party 
> (commercial) primary nameserver.  Using TSIG for the zone transfers.  Have 
> verified zone transfers and TSIG key using dig between hosts.  BIND is 
> configured to use TSIG for the primary server using the server x.x.x.x { keys 
> "somekey"; } directive.
>  
> Problem is that the primary server does not sign the response with TSIG for 
> the SOA query sent by BIND to determine if update is needed.   Since response 
> to SOA query is not signed, BIND considers response invalid:
> 
> Sample log message when SOA not signed:
> zone some-domain.com/IN: refresh: failure trying master x.x.x.x#53 (source 
> 0.0.0.0#0): expected a TSIG or SIG(0)
>  
> I know that BIND is not at fault and the primary server is breaking RFC8945 
> as any query with TSIG is required to return a TSIG RR in the response.  
> Working w/ vendor of the primary nameserver to resolve.  The vendor is a 
> pretty widely used provider so I’m a bit surprised issue has not occurred 
> before now.
>  
> Mainly wondering if there is any workaround available to allow BIND to either 
> not send TSIG in SOA query to the primary server (but still use TSIG for zone 
> transfer) or accept the SOA response w/o TSIG RR.  I was unable to find any 
> means to configure this behavior in reading through BIND documentation.
>  
> Rick
>  
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users