XoT breaks DDNS update forwarding
Summary
When XoT is used in BIND 9.18, allow-update-forwarding { any; } does not forward TSIG-signed updates to the primary.
BIND version used
BIND 9.18.5 (Stable Release)
running on FreeBSD amd64 12.3-RELEASE-p6 FreeBSD 12.3-RELEASE-p6 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--enable-dnsrps' '--with-readline=libedit' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.3' 'build_alias=amd64-portbld-freebsd12.3' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/wrkdirs/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/libdata/pkgconfig' 'PYTHON=/usr/local/bin/python3.9' 'READLINE_CFLAGS=-L/usr/local/lib'
compiled by CLANG FreeBSD Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
compiled with OpenSSL version: OpenSSL 1.1.1l-freebsd 24 Aug 2021
linked to OpenSSL version: OpenSSL 1.1.1l-freebsd 24 Aug 2021
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libnghttp2 version: 1.48.0
linked to libnghttp2 version: 1.48.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.4.0
linked to protobuf-c version: 1.4.0
threads support is enabled
Steps to reproduce
Configure a dynamic zone where a client (e.g. nsupdate) sends a TSIG-signed update to a secondary. The secondary is expected to forward the update to the primary, which validates the TSIG signature:
TSIG nsupdate client ---> secondary ---> primary
Install a TSIG key for DDNS updates on the client and primary.
Note that the configuration works when XoT is disabled. Enable XoT and observe the bug.
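As an added example (not the reporter's own configuration), the primary/secondary pair implied by the steps above, using the zone, key and primaries names from this report; the key secrets, the primary's TLS listener and zone file path, and the update-policy are assumptions.

```conf
# ---- primary (2001:db8::1) ----
options {
    # Serve zone transfers over TLS (XoT) on 853 with the built-in "ephemeral"
    # profile, matching the "tls ephemeral" in the secondary's primaries stanza.
    listen-on-v6 port 853 tls ephemeral { any; };
};
# Transfer key shared by primary and secondary (both sides carry this statement).
key "ns1-ns2.example.com." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";   # generate with: tsig-keygen ns1-ns2.example.com.
};
# DDNS key is configured on the primary and the nsupdate client only; the
# secondary is expected to forward the signed update without verifying it.
key "ddns-key.dynzone.example.com" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";
};
zone "dynzone.example.com" {
    type primary;
    file "/var/dns/primary/dynzone.example.com";
    update-policy { grant ddns-key.dynzone.example.com zonesub ANY; };
    allow-transfer port 853 transport tls { key ns1-ns2.example.com.; };
};

# ---- secondary ----
key "ns1-ns2.example.com." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";   # same secret as on the primary
};
primaries example.com {
    # Removing "tls ephemeral" reverts to plain TCP transfers (the working case).
    2001:db8::1 key ns1-ns2.example.com. tls ephemeral;
};
zone "dynzone.example.com" {
    type secondary;
    primaries { example.com; };
    allow-update-forwarding { any; };
    file "/var/dns/secondary/dynzone.example.com";
};
# Client: nsupdate -k ddns-key.dynzone.example.com.key with "server" pointed at
# the secondary. In the working case the primary's reply is relayed back to the
# client; in the failing case the secondary logs the BADKEY error instead.
```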
What is the current bug behavior?
BIND on the secondary does not forward the DDNS update and logs:
client @0xXXXXXXXXX xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx#56633: request has invalid signature: TSIG ddns-key.dynzone.example.com: tsig verify failure (BADKEY)
What is the expected correct behavior?
I expect the same behavior as when XoT is disabled, that is, to forward the TSIG-signed update to the primary.
Relevant configuration files
primaries example.com {
    2001:db8::1 key ns1-ns2.example.com. tls ephemeral;
};
zone "dynzone.example.com" {
    type secondary;
    primaries { example.com; };
    allow-update-forwarding { any; };
    file "/var/dns/secondary/dynzone.example.com";
};
Relevant logs and/or screenshots
Secondary logs:
client @0xXXXXXXXXX xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx#56633: request has invalid signature: TSIG ddns-key.dynzone.example.com: tsig verify failure (BADKEY)