TLS error on large XoT's
User successfully using TLS to perform zone transfers with BIND 9.18.9, but after upgrading to BIND 9.18.10, with the same configuration, large zone transfers are failing - both AXFR and IXFR:
(redacted)
AXFR
...
05-Jan-2023 09:34:13.976 general: info: received control channel command 'retransfer example.com'
05-Jan-2023 09:34:13.977 xfer-in: info: zone example.com/IN: Transfer started.
05-Jan-2023 09:34:13.977 xfer-in: info: zone example.com/IN: got TLS configuration for zone transfer: success
05-Jan-2023 09:34:13.982 xfer-in: info: transfer of 'example.com/IN' from 10.0.0.53#853: connected using 10.0.0.53#853 TSIG tsig-example.com
05-Jan-2023 09:34:17.273 xfer-in: error: transfer of 'example.com/IN' from 10.0.0.53#853: failed while receiving responses: TLS error
05-Jan-2023 09:34:17.273 xfer-in: info: transfer of 'example.com/IN' from 10.0.0.53#853: Transfer status: TLS error
05-Jan-2023 09:34:17.273 xfer-in: info: transfer of 'example.com/IN' from 10.0.0.53#853: Transfer completed: 5762 messages, 1603893 records, 52629802 bytes, 3.290 secs (15996900 bytes/sec) (serial 2023020500)
05-Jan-2023 09:34:17.555 xfer-in: info: zone example.com/IN: Transfer started.
05-Jan-2023 09:34:17.555 xfer-in: info: zone example.com/IN: got TLS configuration for zone transfer: success
05-Jan-2023 09:34:17.561 xfer-in: info: transfer of 'example.com/IN' from 10.0.0.53#853: connected using 10.0.0.53#853 TSIG tsig-example.com
05-Jan-2023 09:34:20.862 xfer-in: error: transfer of 'example.com/IN' from 10.0.0.53#853: failed while receiving responses: TLS error
05-Jan-2023 09:34:20.862 xfer-in: info: transfer of 'example.com/IN' from 10.0.0.53#853: Transfer status: TLS error
05-Jan-2023 09:34:20.862 xfer-in: info: transfer of 'example.com/IN' from 10.0.0.53#853: Transfer completed: 5762 messages, 1603893 records, 52629802 bytes, 3.300 secs (15948424 bytes/sec) (serial 2023020500)
...
IXFR
04-Jan-2023 14:38:14.444 general: info: zone xx/IN: notify from 10.1.81.79#39405: serial 2234001747
04-Jan-2023 14:38:14.444 xfer-in: info: zone xx/IN: Transfer started.
04-Jan-2023 14:38:14.444 xfer-in: info: zone xx/IN: got TLS configuration for zone transfer: success
04-Jan-2023 14:38:14.450 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: connected using 10.0.0.53#853 TSIG tsig-example.com
04-Jan-2023 14:38:14.872 xfer-in: error: transfer of 'xx/IN' from 10.0.0.53#853: failed while receiving responses: TLS error
04-Jan-2023 14:38:14.872 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: Transfer status: IXFR failed
04-Jan-2023 14:38:14.872 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: Transfer completed: 1 messages, 179 records, 18065 bytes, 0.422 secs (42808 bytes/sec) (serial 2234001747)
04-Jan-2023 14:38:14.944 xfer-in: info: zone xx/IN: Transfer started.
04-Jan-2023 14:38:14.944 xfer-in: info: zone xx/IN: got TLS configuration for zone transfer: success
04-Jan-2023 14:38:14.948 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: connected using 10.0.0.53#853 TSIG tsig-example.com
04-Jan-2023 14:38:40.481 xfer-in: error: transfer of 'xx/IN' from 10.0.0.53#853: failed while receiving responses: TLS error
04-Jan-2023 14:38:40.481 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: Transfer status: TLS error
04-Jan-2023 14:38:40.481 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: Transfer completed: 29458 messages, 11583714 records, 367883110 bytes, 25.532 secs (14408707 bytes/sec) (serial 2234001747)
named -V
BIND 9.18.10 (Stable Release) <id:7011eaf>
running on Linux x86_64 4.18.0-425.3.1.el8.x86_64 #1 SMP Fri Sep 30 11:45:06 EDT 2022
built by make with '--prefix=/opt/bind-versions/bind-9.18.10' 'PKG_CONFIG_PATH=/opt/libuv-versions/libuv-1.44.2/lib/pkgconfig/'
compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-15)
compiled with OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /opt/bind-versions/bind-9.18.10/etc/named.conf
rndc configuration: /opt/bind-versions/bind-9.18.10/etc/rndc.conf
DNSSEC root key: /opt/bind-versions/bind-9.18.10/etc/bind.keys
nsupdate session key: /opt/bind-versions/bind-9.18.10/var/run/named/session.key
named PID file: /opt/bind-versions/bind-9.18.10/var/run/named/named.pid
named lock file: /opt/bind-versions/bind-9.18.10/var/run/named/named.lock
For further details see RT #21606
Edited by Peter Davies
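Added example, not part of the report and not BIND code: a small Python parser for the xfer-in lines shown above. It groups each transfer attempt (opened by a "connected using" line, closed by its "Transfer status" and "Transfer completed" lines) and lists the attempts that ended in "TLS error" largest first, which is what an operator would run over named's log to see whether the failures track transfer size, and to spot the IXFR-failed-then-AXFR-retry sequence. The sample lines are constructed to mirror the report's format and values.

```python
import re

# Constructed sample in the BIND 9.18 xfer-in log format from the report above
# (values mirror the report; the lines are not copied from it verbatim).
SAMPLE_LOG = """\
05-Jan-2023 09:34:13.982 xfer-in: info: transfer of 'example.com/IN' from 10.0.0.53#853: connected using 10.0.0.53#853 TSIG tsig-example.com
05-Jan-2023 09:34:17.273 xfer-in: error: transfer of 'example.com/IN' from 10.0.0.53#853: failed while receiving responses: TLS error
05-Jan-2023 09:34:17.273 xfer-in: info: transfer of 'example.com/IN' from 10.0.0.53#853: Transfer status: TLS error
05-Jan-2023 09:34:17.273 xfer-in: info: transfer of 'example.com/IN' from 10.0.0.53#853: Transfer completed: 5762 messages, 1603893 records, 52629802 bytes, 3.290 secs (15996900 bytes/sec) (serial 2023020500)
04-Jan-2023 14:38:14.450 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: connected using 10.0.0.53#853 TSIG tsig-example.com
04-Jan-2023 14:38:14.872 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: Transfer status: IXFR failed
04-Jan-2023 14:38:14.872 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: Transfer completed: 1 messages, 179 records, 18065 bytes, 0.422 secs (42808 bytes/sec) (serial 2234001747)
04-Jan-2023 14:38:14.948 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: connected using 10.0.0.53#853 TSIG tsig-example.com
04-Jan-2023 14:38:40.481 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: Transfer status: TLS error
04-Jan-2023 14:38:40.481 xfer-in: info: transfer of 'xx/IN' from 10.0.0.53#853: Transfer completed: 29458 messages, 11583714 records, 367883110 bytes, 25.532 secs (14408707 bytes/sec) (serial 2234001747)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) xfer-in: \w+: transfer of '(?P<zone>[^']+)' "
                     r"from (?P<primary>\S+): (?P<msg>.*)$")
STATUS_RE = re.compile(r"Transfer status: (?P<status>.+)")
DONE_RE = re.compile(r"Transfer completed: (?P<msgs>\d+) messages, \d+ records, (?P<bytes>\d+) bytes")

def parse_transfers(log_text):
    """One dict per attempt: a 'connected using' line opens it; the following
    'Transfer status' / 'Transfer completed' lines for the same zone+primary fill it."""
    attempts, open_attempts = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Transfer started." and non-xfer-in lines carry no per-attempt data
        key, msg = (m["zone"], m["primary"]), m["msg"]
        if msg.startswith("connected using"):
            open_attempts[key] = {"zone": m["zone"], "primary": m["primary"],
                                  "started": m["ts"], "status": None, "messages": 0, "bytes": 0}
            attempts.append(open_attempts[key])
        elif key in open_attempts and (s := STATUS_RE.match(msg)):
            open_attempts[key]["status"] = s["status"]
        elif key in open_attempts and (d := DONE_RE.match(msg)):
            cur = open_attempts.pop(key)  # 'Transfer completed' closes the attempt
            cur["messages"], cur["bytes"] = int(d["msgs"]), int(d["bytes"])
    return attempts

def tls_failures(attempts):
    """Attempts that ended in 'TLS error', largest first, so an operator can see
    whether the failures are confined to big transfers as in the report."""
    return sorted((a for a in attempts if a["status"] == "TLS error"),
                  key=lambda a: a["bytes"], reverse=True)
```

Feed the real log to parse_transfers() instead of SAMPLE_LOG; an attempt with status "IXFR failed" followed by a second attempt for the same zone is named's normal fallback from IXFR to AXFR.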