dig axfr and TSIG

Alexander Ottl aottl at mpmail.net
Tue Dec 26 15:04:12 UTC 2000


Dear Group,

When I started testing TSIG-validated zone transfers between my name
servers I noticed that dig has a problem with this under certain
conditions. I did some tests with a dummy domain named "intern" and a
key named "test.".
The software version is BIND 8.2.2P7 on SuSE Linux 6.3 and 6.4.

dnskeygen -H 128 -h -n test
...
In named.conf I put:

key test. {
        algorithm hmac-md5;
        secret "AK5nBT0vCFhemCmZ0J1+Yw==";
};

zone "intern" {
        type master;
        file "intern.zone";
        check-names fail;
        allow-query { localhost; };
        allow-transfer { key test.; };
};

Now testing with dig:
 > dig @localhost intern axfr -k $PWD:test.
 
; <<>> DiG 8.2 <<>> @localhost intern axfr -k
; (1 server found)
; TSIG ok
$ORIGIN intern.
@                       1D IN SOA       @ root (
                                        2000121002      ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
 
; TSIG invalid
                        1D IN NS        localhost.
; TSIG invalid
                        1D IN A         127.0.0.1
; TSIG invalid
localhost               1H IN A         127.0.0.1
; TSIG invalid
www                     1D IN CNAME     @
; TSIG invalid
;; ns_initparse: Message too long
;; Received 5 answers (5 records).
;; FROM: ds9 to SERVER: 127.0.0.1
;; WHEN: Tue Dec 26 12:51:51 2000

Now, I know how I can make the error messages go away: in named.conf I
put:

server 127.0.0.1 { transfer-format many-answers; };

On a side note: then I get
;; Received 1 answer (6 records).
This is of course correct, but the wording tends to confuse me as to what
an answer is: so with transfer-format many-answers the client receives
one answer, yeah right.

But I wonder: is this a bug in dig? Is TSIG generally incompatible with
"transfer-format one-answer"?
named-xfer doesn't seem to complain with either transfer format.
To complicate matters, I found a post in the archives that seems to
indicate that named-xfer has a problem with
"many-answers" (http://www.isc.org/ml-archives/bind-users/2000/07/msg00513.html).

So should I be worried about proper operation of my name servers when
using TSIG'd zone transfers? 

Regards,
-- 
Alexander Ottl
Media Professionals AG           Tel.: +49 (89) 51554-169
Bayerstrasse 21                  Fax : +49 (89) 51554-199
D-80335 Muenchen - Germany       http://www.media-professionals.de
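What the post runs into is the multi-message case of TSIG (RFC 2845). With "transfer-format one-answer" an AXFR arrives as a stream of DNS messages, and section 4.4 of the RFC says the first response message is signed over the request MAC, the message and the full TSIG variables, while every later message is signed over the previous message's MAC, the message and the timers only. A client that verifies each message as if it were the first will accept the first one and reject the rest, which is the "TSIG ok" / "TSIG invalid" pattern shown above, whatever the actual cause in DiG 8.2 was. The following is an added example, not code from the post or from BIND: a stand-alone server-side signer and client-side verifier for a one-RR-per-message AXFR of the post's "intern" zone, using its "test." HMAC-MD5 key. Assumptions: messages are constructed without name compression or EDNS, every message in the stream carries a TSIG RR, a fixed "time signed" value stands in for the clock, and `verify_stream(chain=False)` models a non-chaining verifier.

```python
import base64
import hashlib
import hmac
import struct

# Key from the post: name "test.", HMAC-MD5, throwaway secret for the dummy "intern" zone.
KEY_NAME = "test."
ALG_NAME = "hmac-md5.sig-alg.reg.int."
SECRET = base64.b64decode("AK5nBT0vCFhemCmZ0J1+Yw==")
FUDGE = 300
TSIG_TYPE, CLASS_ANY, CLASS_IN, AXFR = 250, 255, 1, 252

def wire_name(name):
    """Uncompressed wire-format name, lowercased (TSIG variables use canonical names)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def rr(name, rtype, ttl, rdata):
    return wire_name(name) + struct.pack(">HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def dns_message(msg_id, qname, answers, response):
    """Header + one AXFR question + answer RRs; no name compression, no EDNS (constructed)."""
    flags = 0x8400 if response else 0x0000  # QR|AA on responses
    header = struct.pack(">HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    return header + wire_name(qname) + struct.pack(">HH", AXFR, CLASS_IN) + b"".join(answers)

def _mac(msg, time_signed, prior_mac, first):
    """RFC 2845 digest input. First message: [len+request MAC] + message + full TSIG
    variables. Later messages of a stream: len+prior MAC + message + timers only (4.4)."""
    h = hmac.new(SECRET, digestmod=hashlib.md5)
    if prior_mac is not None:
        h.update(struct.pack(">H", len(prior_mac)) + prior_mac)
    h.update(msg)
    timers = struct.pack(">HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, FUDGE)
    if first:
        h.update(wire_name(KEY_NAME) + struct.pack(">HI", CLASS_ANY, 0) + wire_name(ALG_NAME))
        h.update(timers + struct.pack(">HH", 0, 0))  # error 0, other len 0
    else:
        h.update(timers)
    return h.digest()

def tsig_sign(msg, time_signed, prior_mac=None, first=True):
    """Append a TSIG RR; return (signed message, MAC for the next message to chain from)."""
    mac = _mac(msg, time_signed, prior_mac, first)
    rdata = (wire_name(ALG_NAME)
             + struct.pack(">HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, FUDGE, len(mac))
             + mac + msg[:2] + struct.pack(">HH", 0, 0))  # original ID, error, other len
    tsig = wire_name(KEY_NAME) + struct.pack(">HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + tsig, mac

def _skip_name(buf, off):
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:  # a compression pointer ends a name
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)

def split_tsig(signed):
    """Remove the trailing TSIG RR; return (message as signed, time_signed, fudge, mac)."""
    qd, an, ns, ar = struct.unpack(">HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):
        off = _skip_name(signed, off)
        off += 10 + struct.unpack(">H", signed[off + 8:off + 10])[0]
    tsig_start = off
    off = _skip_name(signed, off)
    if struct.unpack(">H", signed[off:off + 2])[0] != TSIG_TYPE:
        raise ValueError("last additional RR is not TSIG")
    p = _skip_name(signed, off + 10)  # past type/class/ttl/rdlength and the algorithm name
    ts_hi, ts_lo, fudge, macsize = struct.unpack(">HIHH", signed[p:p + 10])
    stripped = signed[:10] + struct.pack(">H", ar - 1) + signed[12:tsig_start]
    return stripped, (ts_hi << 32) | ts_lo, fudge, signed[p + 10:p + 10 + macsize]

def verify_stream(messages, request_mac, now, chain=True):
    """Verify a multi-message TSIG'd response. chain=False models a client that checks
    every message as if it were the first one (no prior MAC, full variables)."""
    results, prior, first = [], request_mac, True
    for signed in messages:
        stripped, ts, fudge, mac = split_tsig(signed)
        ok = abs(now - ts) <= fudge and hmac.compare_digest(mac, _mac(stripped, ts, prior, first))
        results.append(ok)
        if chain:
            prior, first = mac, False
    return results

def axfr_one_answer_demo(now=977_832_000):
    """Server side signs a one-RR-per-message AXFR of the post's zone; client verifies."""
    soa = rr("intern.", 6, 86400, wire_name("intern.") + wire_name("root.intern.")
             + struct.pack(">IIIII", 2000121002, 10800, 900, 604800, 86400))
    ns = rr("intern.", 2, 86400, wire_name("localhost."))
    a = rr("localhost.intern.", 1, 3600, bytes([127, 0, 0, 1]))
    request, req_mac = tsig_sign(dns_message(0x1234, "intern.", [], False), now)
    stream, prior, first = [], req_mac, True
    for answer in ([soa], [ns], [a], [soa]):  # an AXFR ends by repeating the SOA
        signed, prior = tsig_sign(dns_message(0x1234, "intern.", answer, True), now, prior, first)
        stream.append(signed)
        first = False
    return verify_stream(stream, req_mac, now), verify_stream(stream, req_mac, now, chain=False)
```

Calling `axfr_one_answer_demo()` returns `([True, True, True, True], [True, False, False, False])`: the chaining verifier accepts the whole stream, the non-chaining one accepts only the first message. `verify_stream` keeps going after a failure so the pattern is visible; a real client must abort the transfer at the first invalid message, because each later MAC only binds the message to the MAC the server actually sent, not to what the client has verified. The timers-only rule means the key name and algorithm are bound once, by the first message, so the `time signed` check against `fudge` has to be applied to every message, as done here.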


