dig warns that some TSIG could not be validated
Anand Buddhdev
anandb at ripe.net
Fri Apr 6 12:05:39 UTC 2018
On 06/04/2018 12:38, Tony Finch wrote:
Hi Tony,
> There is a weird bit in the TSIG spec, RFC 2845:
>
> 4.4. TSIG on TCP connection
>
> A DNS TCP session can include multiple DNS envelopes. This is, for
> example, commonly used by zone transfer. Using TSIG on such a
> connection can protect the connection from hijacking and provide data
> integrity. The TSIG MUST be included on the first and last DNS
> envelopes. It can be optionally placed on any intermediary
> envelopes. It is expensive to include it on every envelopes, but it
> MUST be placed on at least every 100'th envelope.
>
> I haven't looked at BIND's handling of TSIG for AXFR in detail, so I
> don't know how it handles this case, but it is the kind of tricky area
> where interop bugs lurk. I haven't looked at Secure64 at all so who knows
> what it does :-)
I think this is exactly it. Secure64's signer is based on NSD, and it
doesn't sign every message in a TCP AXFR.
Thank you for your detailed reply. It seems the warning is nothing to
worry about :)
Regards,
Anand
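The placement rule Tony quotes from RFC 2845 §4.4, as an added illustration that is not from this thread nor from BIND, NSD or Secure64: a receiver-side model that checks where the TSIGs fall in a TCP AXFR and shows why the unsigned intermediate envelopes are still integrity-protected, since each signed envelope's MAC chains over the previous MAC and everything sent since it. Key, envelope contents and function names are constructed, and the MAC chaining is simplified (a real TSIG MAC also covers the timer fields).

```python
import hmac
import hashlib

MAX_GAP = 100  # RFC 2845 §4.4: a TSIG must appear at least on every 100th envelope

def check_tsig_placement(has_tsig):
    """has_tsig: one bool per envelope of a TCP session (e.g. an AXFR), True where
    that envelope carries a TSIG RR. Returns None if RFC 2845 §4.4 is met, else a reason."""
    if not has_tsig or not has_tsig[0] or not has_tsig[-1]:
        return "first and last envelopes must carry a TSIG"
    last_signed = 0
    for i, signed in enumerate(has_tsig):
        if signed:
            if i - last_signed > MAX_GAP:
                return f"envelopes {last_signed}..{i}: more than {MAX_GAP} apart"
            last_signed = i
    return None

def sign_stream(key, messages, sign_every):
    """Sender model (constructed): sign the first, last and every sign_every-th envelope
    (sign_every >= 1). Each MAC chains over the previous MAC plus all envelopes since
    it, so unsigned envelopes are still covered (simplified: no TSIG timer fields)."""
    out, prior_mac, pending, n = [], b"", b"", len(messages)
    for i, msg in enumerate(messages):
        pending += msg
        if i == 0 or i == n - 1 or i % sign_every == 0:
            mac = hmac.new(key, prior_mac + pending, hashlib.sha256).digest()
            out.append((msg, mac))
            prior_mac, pending = mac, b""
        else:
            out.append((msg, None))
    return out

def verify_stream(key, stream):
    """Receiver model: check placement, then recompute each chained MAC.
    Returns (placement_error, index_of_first_bad_mac); (None, None) means OK."""
    placement = check_tsig_placement([mac is not None for _, mac in stream])
    if placement is not None:
        return placement, None
    prior_mac, pending = b"", b""
    for i, (msg, mac) in enumerate(stream):
        pending += msg
        if mac is not None:
            expect = hmac.new(key, prior_mac + pending, hashlib.sha256).digest()
            if not hmac.compare_digest(expect, mac):
                return None, i
            prior_mac, pending = mac, b""
    return None, None
```

Tampering with an unsigned envelope does not fail at that envelope; it surfaces as a bad MAC on the next signed one, which is the behaviour a validator has to account for when it reports which message failed.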