On 06/04/2018 12:38, Tony Finch wrote:

Hi Tony,

> There is a weird bit in the TSIG spec, RFC 2845:
> 
>    4.4. TSIG on TCP connection
> 
>    A DNS TCP session can include multiple DNS envelopes.  This is, for
>    example, commonly used by zone transfer.  Using TSIG on such a
>    connection can protect the connection from hijacking and provide data
>    integrity.  The TSIG MUST be included on the first and last DNS
>    envelopes.  It can be optionally placed on any intermediary
>    envelopes.  It is expensive to include it on every envelopes, but it
>    MUST be placed on at least every 100'th envelope.
> 
> I haven't looked at BIND's handling of TSIG for AXFR in detail, so I
> don't know how it handles this case, but it is the kind of tricky area
> where interop bugs lurk. I haven't looked at Secure64 at all so who knows
> what it does :-)

I think this is exactly it. Secure64's signer is based on NSD, and it
doesn't sign every message in a TCP AXFR.

Thank you for your detailed reply. It seems the warning is nothing to
worry about :)

Regards,
Anand
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to