TSIG & notify's question

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 13 16:02:33 UTC 2002


Doug Barton wrote:

> I've obviously not been spending enough time contemplating SIG bugs, so
> this question occurred to me today. I have a fairly standard config:
>
> slave:
> key "slave.master." { blah; };
> server master { keys { "slave.master."; }; };
>
> master:
> key "slave.master." { blah; };
>
> Now, here is my question. I initially left out the server declarations for
> my slave servers in the master's config because I thought to myself that
> the master doesn't send queries to the slaves, so there is no point.
> However, it dawned on me today that the master _does_ send notify packets
> to the slaves.
>
> Hence my question. Are notify packets signed if the stuff is there?

Yes, with respect to reasonably up-to-date versions of BIND 8 and BIND 9.

> I'm
> guessing no off the bat, and a quick search of ns_notify.c doesn't
> indicate anything tsig'y, but I want to be sure that I'm not missing
> anything.

Speaking specifically of BIND 9.2.2rc1, the TSIG-verification step is
performed before the NOTIFY-specific routines are invoked; see the invocation
of dns_tsig_verify() in the client_request() function in bin/named/client.c.


- Kevin
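The point Kevin makes, that the TSIG check runs on every incoming message before named ever looks at the opcode, can be seen end to end with a stand-alone signer and verifier. What follows is an added example written for this page, not BIND's code: it builds a NOTIFY (opcode 4) with an SOA question, appends a TSIG RR per RFC 2845, and verifies it the way a slave would, then shows the same verifier rejecting the message when the opcode is flipped, when no TSIG is present, when the key differs, and when the message is replayed outside the fudge window. The key name "slave.master." is taken from the thread; the secret, the fixed clock, the zone name and the use of hmac-sha256 (RFC 4635; BIND 8 and 9.2 only had HMAC-MD5) are assumptions.

```python
"""TSIG (RFC 2845) over a DNS NOTIFY, stdlib only. Added example, not BIND code.
Assumptions: key name "slave.master." (from the thread), hmac-sha256, a
constructed secret, a fixed clock and zone example.com."""
import hashlib
import hmac
import struct

OPCODE_QUERY, OPCODE_NOTIFY = 0, 4
TYPE_SOA, TYPE_TSIG = 6, 250
CLASS_IN, CLASS_ANY = 1, 255

# Algorithm names as they appear on the wire (RFC 2845 / RFC 4635).
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}


def encode_name(name):
    """Wire-format a dotted name, uncompressed."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def _labels(wire, off):
    labels = []
    while True:
        ln = wire[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            return labels + _labels(wire, ptr)[0], off + 2
        off += 1
        if ln == 0:
            return labels, off
        labels.append(wire[off:off + ln].decode("ascii"))
        off += ln


def decode_name(wire, off):
    """Return (dotted name, offset just past it)."""
    labels, off = _labels(wire, off)
    return ".".join(labels) + ".", off


def build_notify(zone, msg_id, opcode=OPCODE_NOTIFY):
    """Unsigned message: header plus one SOA question. Opcode 4 is NOTIFY (RFC 1996)."""
    header = struct.pack("!HHHHHH", msg_id, opcode << 11, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def tsig_sign(msg, key_name, key, algorithm, now, fudge=300):
    """Append a TSIG RR. The MAC covers the whole message, header and opcode
    included, plus the TSIG variables (RFC 2845 section 3.4)."""
    time_hi, time_lo = now >> 32, now & 0xFFFFFFFF
    tsig_vars = (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
                 + struct.pack("!HIHHH", time_hi, time_lo, fudge, 0, 0))   # error=0, other_len=0
    mac = hmac.new(key, msg + tsig_vars, ALGORITHMS[algorithm]).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(algorithm) + struct.pack("!HIHH", time_hi, time_lo, fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def tsig_verify(wire, keyring, now):
    """Verify the TSIG on any message; the opcode is never consulted, so a NOTIFY
    is checked exactly like a QUERY. Returns (ok, status)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    if ar == 0:
        return False, "unsigned"
    off = 12
    for _ in range(qd):
        _, off = decode_name(wire, off)
        off += 4                                    # QTYPE + QCLASS
    for _ in range(an + ns + ar - 1):               # skip every RR but the last additional one
        _, off = decode_name(wire, off)
        off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = decode_name(wire, off)
    rtype, rclass, ttl, _ = struct.unpack("!HHIH", wire[off:off + 10])
    off += 10
    if rtype != TYPE_TSIG:
        return False, "unsigned"
    algorithm, off = decode_name(wire, off)
    time_hi, time_lo, fudge, mac_len = struct.unpack("!HIHH", wire[off:off + 10])
    off += 10
    mac, off = wire[off:off + mac_len], off + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", wire[off:off + 6])
    other = wire[off + 6:off + 6 + other_len]
    key = keyring.get(key_name)
    if key is None or algorithm not in ALGORITHMS:
        return False, "BADKEY"
    # Rebuild what the signer hashed: original ID restored, TSIG removed, ARCOUNT decremented.
    unsigned = struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", ar - 1) + wire[12:tsig_start]
    tsig_vars = (encode_name(key_name) + struct.pack("!HI", rclass, ttl) + encode_name(algorithm)
                 + struct.pack("!HIHHH", time_hi, time_lo, fudge, error, other_len) + other)
    expected = hmac.new(key, unsigned + tsig_vars, ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - ((time_hi << 32) | time_lo)) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def demo():
    """Sign a NOTIFY for example.com and run it through the slave-side check."""
    key_name, algorithm = "slave.master.", "hmac-sha256."       # algorithm is an assumption
    key = b"constructed example key, not a real secret"
    keyring = {key_name: key}
    now = 1037203353                                            # fixed clock, arbitrary
    signed = tsig_sign(build_notify("example.com.", 0x1234), key_name, key, algorithm, now)
    results = {"signed_notify": tsig_verify(signed, keyring, now)[1]}
    # Rewrite the opcode from NOTIFY to QUERY, leaving the TSIG alone: the MAC no longer matches.
    tampered = signed[:2] + struct.pack("!H", OPCODE_QUERY << 11) + signed[4:]
    results["opcode_tampered"] = tsig_verify(tampered, keyring, now)[1]
    # A master with no server{} statement for this slave sends the NOTIFY unsigned.
    results["unsigned_notify"] = tsig_verify(build_notify("example.com.", 0x1234), keyring, now)[1]
    results["wrong_key"] = tsig_verify(signed, {key_name: b"some other secret"}, now)[1]
    results["stale"] = tsig_verify(signed, keyring, now + 600)[1]   # outside the 300 s fudge
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:16} {status}")
```

The verifier locates the TSIG purely by position (last RR of the additional section) and recomputes the MAC over the header and body as a whole, which is why the opcode-flip case comes back BADSIG: nothing in the check is NOTIFY-specific, matching the ordering Kevin describes in client_request(). Note also the "unsigned" case, which is what a slave sees when the master has a key{} but no server{} statement for it; whether named then accepts or refuses the unsigned NOTIFY is a policy question (allow-notify) separate from TSIG verification itself.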




More information about the bind-users mailing list