On Fri, Apr 06, 2018 at 02:05:39PM +0200, Anand Buddhdev wrote:
> On 06/04/2018 12:38, Tony Finch wrote:
>
> Hi Tony,
>
> > There is a weird bit in the TSIG spec, RFC 2845:
> >
> > 4.4. TSIG on TCP connection
> >
> >    A DNS TCP session can include multiple DNS envelopes. This is, for
> >    example, commonly used by zone transfer. Using TSIG on such a
> >    connection can protect the connection from hijacking and provide data
> >    integrity. The TSIG MUST be included on the first and last DNS
> >    envelopes. It can be optionally placed on any intermediary
> >    envelopes. It is expensive to include it on every envelopes, but it
> >    MUST be placed on at least every 100'th envelope.
> >
> > I haven't looked at BIND's handling of TSIG for AXFR in detail, so I
> > don't know how it handles this case, but it is the kind of tricky area
> > where interop bugs lurk. I haven't looked at Secure64 at all so who knows
> > what it does :-)
>
> I think this is exactly it. Secure64's signer is based on NSD, and it
> doesn't sign every message in a TCP AXFR.
That is valid and BIND (dig included) doesn't warn about it. The fact that
you're seeing a warning from dig means that something is BAD. It should be
investigated. It basically means that signature verification for a sequence
of messages failed.

Please check if your BIND has change 4643 which, when fixing a TSIG
vulnerability, introduced a short-lived bug that was fixed by change 4647.

Mukund

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
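The two rules the thread turns on, the placement rule quoted from RFC 2845 section 4.4 (TSIG on the first and last envelope, and on at least every 100th) and the fact that a verifier checks a whole *sequence* of envelopes rather than each one in isolation, can be modelled in a few dozen lines. The following is an added illustration, not code from this thread, from BIND, NSD or Secure64; it is a simplified model in which each signed envelope's MAC covers the prior MAC, every unsigned payload since the last TSIG, the current payload and the TSIG timers (real TSIG additionally covers the request MAC and the full TSIG variables on the first envelope, and the actual DNS wire format is replaced by constructed byte strings). The key, payloads and timestamp are constructed values.

```python
"""Simplified model of RFC 2845 section 4.4: TSIG placement and MAC chaining on a TCP session."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_SIGNED_GAP = 100  # RFC 2845 4.4: a TSIG on at least every 100th envelope


@dataclass
class Envelope:
    payload: bytes                 # constructed stand-in for one DNS message
    time_signed: int = 1523016339  # constructed; 48-bit seconds field in real TSIG
    fudge: int = 300
    mac: Optional[bytes] = None    # None: this envelope carries no TSIG record


def timers(env: Envelope) -> bytes:
    """The 'TSIG timers' of RFC 2845 4.4: 48-bit time signed followed by 16-bit fudge."""
    return struct.pack(">QH", env.time_signed, env.fudge)[2:]


def check_placement(signed: List[bool]) -> List[str]:
    """Return violations of the placement rule for a session (empty list = compliant).

    signed[i] is True when envelope i carries a TSIG. Signed envelopes may be exactly
    MAX_SIGNED_GAP positions apart (0 and 100), but not further.
    """
    if not signed:
        return ["session contains no envelopes"]
    problems = []
    if not signed[0]:
        problems.append("first envelope is not signed")
    if not signed[-1]:
        problems.append("last envelope is not signed")
    prev = None
    for idx, is_signed in enumerate(signed):
        if not is_signed:
            continue
        if prev is not None and idx - prev > MAX_SIGNED_GAP:
            problems.append(f"envelopes {prev} and {idx} are {idx - prev} apart "
                            f"(max {MAX_SIGNED_GAP})")
        prev = idx
    return problems


def sign_session(key: bytes, payloads: List[bytes], sign_every: int) -> List[Envelope]:
    """Build a session that signs the first, the last and every sign_every-th envelope.

    Simplified chaining: each MAC covers the prior MAC, all unsigned payloads since
    the last TSIG, the current payload and the current envelope's timers.
    """
    envelopes = [Envelope(p) for p in payloads]
    prior_mac = b""
    pending = b""  # payloads of unsigned envelopes since the last TSIG
    last = len(envelopes) - 1
    for idx, env in enumerate(envelopes):
        if idx == 0 or idx == last or idx % sign_every == 0:
            digest_input = prior_mac + pending + env.payload + timers(env)
            env.mac = hmac.new(key, digest_input, hashlib.sha256).digest()
            prior_mac, pending = env.mac, b""
        else:
            pending += env.payload
    return envelopes


def verify_session(key: bytes, envelopes: List[Envelope]) -> Tuple[bool, str]:
    """Check placement, then the MAC chain; a bad or missing unsigned envelope surfaces
    as a failure at the next signed envelope, which is what a per-sequence warning reports."""
    problems = check_placement([e.mac is not None for e in envelopes])
    if problems:
        return False, "; ".join(problems)
    prior_mac = b""
    pending = b""
    for idx, env in enumerate(envelopes):
        if env.mac is None:
            pending += env.payload
            continue
        expected = hmac.new(key, prior_mac + pending + env.payload + timers(env),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, env.mac):
            return False, f"TSIG verification failed at envelope {idx}"
        prior_mac, pending = env.mac, b""
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    session = sign_session(key, [b"soa", b"a1", b"a2", b"a3", b"a4", b"a5", b"soa"], 3)
    print(verify_session(key, session))      # (True, 'ok'): unsigned envelopes are fine
    session[1].payload = b"altered"          # modify an unsigned envelope in transit
    print(verify_session(key, session))      # fails at envelope 3, the next signed one
```

The point the model makes is the one in the reply above: a session that signs only some envelopes verifies cleanly as long as the placement rule holds, so a warning from a verifier does not mean "this envelope was unsigned"; it means the chain covering the unsigned envelopes since the previous TSIG did not check out, and the envelope it names is merely where the verifier noticed.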