Master to Slave zone transfers using TSIG are failing when blackhole option is used
Summary
When the slave is configured with the "blackhole {none;};" global option, zone transfers fail.
BIND version used
BIND 9.18.0 (Stable Release) <id:8db45af>
running on Linux x86_64 5.15.10-1.el7.elrepo.x86_64 #1 SMP Fri Dec 17 08:57:16 EST 2021
built by make with '--prefix=/opt/vijay' '--enable-dependency-tracking' '--enable-dnstap' '--enable-singletrace' '--enable-querytrace' '--disable-auto-validation' '--enable-dnsrps-dl' '--enable-dnsrps' '--enable-full-report' '--with-tuning=large' '--enable-fixed-rrset' '--with-libidn2' '--with-lmdb' '--with-json-c' '--with-jemalloc=detect' '--with-maxminddb=yes' '--enable-largefile' '--enable-threads'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libuv version: 1.43.0
linked to libuv version: 1.43.0
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
linked to maxminddb version: 1.2.0
compiled with protobuf-c version: 1.0.2
linked to protobuf-c version: 1.0.2
threads support is enabled
Steps to reproduce
Use the "blackhole {none;};" global option on the slave and check whether "HMAC-SHA512" TSIG-key-based AXFRs are happening between the master and slave.
What is the current bug behavior?
Logs indicate that the master server IP address is being blackholed and hence(?) the transfers are failing.
Relevant configs
Master
key "COMMUNICATION-KEY" {
    algorithm "HMAC-SHA512";
    secret "????????????????????????????????????????????????????????????????????????????????????????";
};
server 10.1.8.249/32 {
    keys "COMMUNICATION-KEY";
    provide-ixfr yes;
    request-ixfr yes;
};
zone "testslave.com" IN {
    type master;
    check-names ignore;
    file "/var/named/zones/masters/db.testslave.com";
    allow-transfer {
        10.1.8.249/32;
        10.1.8.250/32;
    };
    also-notify {
        10.1.8.249;
        10.1.8.250;
    };
    notify explicit;
    zone-statistics yes;
};
Slave:
key "COMMUNICATION-KEY" {
    algorithm "HMAC-SHA512";
    secret "????????????????????????????????????????????????????????????????????????????????????????";
};
server 10.1.8.243/32 {
    keys "COMMUNICATION-KEY";
    provide-ixfr yes;
    request-ixfr yes;
};
zone "testslave.com" IN {
    type slave;
    check-names ignore;
    file "/var/named/zones/slaves/db.testslave.com";
    masters {
        10.1.8.243;
    };
    allow-notify {
        10.1.8.243/32;
    };
    notify explicit;
    zone-statistics yes;
};
Relevant Logs
08-Mar-2022 06:42:17.005 general: debug 1: soa_query: zone testslave.com/IN: enter
08-Mar-2022 06:42:17.005 general: debug 3: dns_request_createvia
08-Mar-2022 06:42:17.005 general: debug 1: soa_query: zone testslave.com/IN: dns_request_createvia() failed: address blackholed
08-Mar-2022 06:42:17.005 general: debug 1: cancel_refresh: zone testslave.com/IN: enter
08-Mar-2022 06:42:17.005 general: debug 1: zone_settimer: zone testslave.com/IN: enter