BIND 10 #1357: AXFR and AXFR-like IXFR in needs every message signed
BIND 10 Development
do-not-reply at isc.org
Thu Oct 27 18:11:18 UTC 2011
#1357: AXFR and AXFR-like IXFR in needs every message signed
--------------------------------------+----------------------------------
Reporter: vorner                      | Owner:
Type: defect                          | Status: new
Priority: major                       | Milestone: New Tasks
Component: xfrin                      | Resolution:
Keywords:                             | Sensitive: 0
Defect Severity: N/A                  | Sub-Project: DNS
Feature Depending on Ticket:          | Estimated Difficulty: 0
Add Hours to Ticket: 0                | Total Hours: 0
Internal?: 0                          |
--------------------------------------+----------------------------------
Comment (by jinmei):
Replying to [ticket:1357 vorner]:
> The protocol allows not signing all of the AXFR messages in a transfer
> (first, last and every 100th must be signed). However, if such a transfer
> comes in, the xfrin component rejects it at the first unsigned message
> (_check_response_tsig is called on each message). This makes xfrin
> unusable with TSIG with some servers (tested with a pre-release version of
> Knot).

Wow, interesting. This is the first and only implementation that I
know of that supports the skipped TSIG signing. We've deferred
the support for it because there's no known signer implementation,
but we are (at least I'm) aware that this is a missing feature.
Although probably still low priority, we should eventually address it
by extending the TSIGContext implementation (I believe we don't have
to touch xfrin itself).
--
Ticket URL: <https://bind10.isc.org/ticket/1357#comment:1>
BIND 10 Development <http://bind10.isc.org>
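
The rule quoted in the ticket (first, last and every 100th message signed), sketched as a receiver-side check. This is an added example, not BIND 10 code and not part of the ticket: XfrTsigTracker, XfrTsigError and compute_mac are hypothetical names, HMAC-SHA256 is an assumed algorithm, and the digest input is simplified (real TSIG also covers timers and wire-format fields).

```python
import hashlib
import hmac

MAX_UNSIGNED_GAP = 99  # at most 99 unsigned messages between two signed ones


class XfrTsigError(Exception):
    """Raised when a transfer violates the signing policy or a MAC fails."""


def compute_mac(key, prior_mac, messages):
    # Simplified digest input (assumption): the prior MAC, then every
    # message received since it, each length-prefixed.
    h = hmac.new(key, prior_mac, hashlib.sha256)
    for m in messages:
        h.update(len(m).to_bytes(2, "big") + m)
    return h.digest()


class XfrTsigTracker:
    """Hypothetical stand-in for a TSIG verify context across one transfer."""

    def __init__(self, key, request_mac):
        self._key = key
        self._prior_mac = request_mac  # the chain starts at the request's MAC
        self._pending = []             # unsigned messages since the last MAC
        self._seen = 0

    def feed(self, message, mac=None):
        """Process one response message; mac is None when it has no TSIG."""
        self._seen += 1
        if mac is None:
            if self._seen == 1:
                raise XfrTsigError("first message must be signed")
            if len(self._pending) >= MAX_UNSIGNED_GAP:
                raise XfrTsigError("too many consecutive unsigned messages")
            self._pending.append(message)  # covered by the next signature
            return
        expected = compute_mac(self._key, self._prior_mac,
                               self._pending + [message])
        if not hmac.compare_digest(expected, mac):
            raise XfrTsigError("bad signature")
        self._prior_mac, self._pending = mac, []

    def finish(self):
        """Call when the transfer ends: the last message must be signed."""
        if self._seen == 0 or self._pending:
            raise XfrTsigError("last message must be signed")
```

Unsigned messages are only buffered, never trusted on their own: a transfer counts as verified once finish() returns, so the caller should not commit zone data before that.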