TLS notifies do not work
Summary
Explicitly configured TLS notifies do not use TLS
BIND version affected
9.20.0
Steps to reproduce
- Use a TLS block with `remote-hostname` and `ca-file`.
- Define a zone with an explicit TLS notify (config given below).
- Do something that causes a serial bump, necessitating a NOTIFY.
What is the current bug behavior?
No NOTIFY is sent. Apparently, this is a UDP and then a plain-text TCP connection attempt, despite the configured TLS (cf. log). This happens regardless of whether mutual or opportunistic TLS is configured.
What is the expected correct behavior?
That BIND uses TLS to try to send the NOTIFY message.
Relevant configuration files
TLS block on catalog-primary:

```
tls catalog-secondary {
  ca-file "/certificates/ca.crt";
  remote-hostname "secondary.catalog.test";
  protocols { TLSv1.3; };
};
```
Zone on catalog-primary:

```
zone "data.test." {
  type primary;
  file "/var/lib/bind/data.test";
  also-notify { 192.168.23.3 port 854 tls catalog-secondary; };
  notify explicit;
};
```
Receiving end:

```
options {
  listen-on port 853 tls catalog-secondary { 192.168.23.3; };
  listen-on port 854 tls catalog-secondary-opportunistic { 192.168.23.3; };
};

tls catalog-secondary {
  ca-file "/certificates/ca.crt";
  cert-file "/certificates/secondary.catalog.test.crt";
  key-file "/certificates/secondary.catalog.test.key";
  protocols { TLSv1.3; };
};

tls catalog-secondary-opportunistic {
  cert-file "/certificates/secondary.catalog.test.crt";
  key-file "/certificates/secondary.catalog.test.key";
  protocols { TLSv1.3; };
};
```
Relevant logs
```
catalog-primary-1 | 01-Aug-2024 13:37:29.835 client @0x7517954fb000 192.168.23.1#38759/key update (update-counter.data.test): query: update-counter.data.test IN SOA -ST (192.168.23.2)
catalog-primary-1 | 01-Aug-2024 13:37:29.841 client @0x75179a9ed000 192.168.23.1#42311/key update: signer "update" approved
catalog-primary-1 | 01-Aug-2024 13:37:29.841 client @0x75179a9ed000 192.168.23.1#42311/key update: updating zone 'data.test/IN': adding an RR at 'update-counter.data.test' TXT "6"
catalog-primary-1 | 01-Aug-2024 13:37:29.845 zone data.test/IN: got TLS configuration for zone transfer
catalog-primary-1 | 01-Aug-2024 13:37:29.845 zone data.test/IN: sending notifies (serial 2024070108)
catalog-primary-1 | 01-Aug-2024 13:37:29.848 zone data.test/IN: sending notify to 192.168.23.3#854
catalog-primary-1 | 01-Aug-2024 13:37:29.848 zone data.test/IN: notify to 192.168.23.3#854 failed: end of file: retrying over TCP
catalog-primary-1 | 01-Aug-2024 13:37:29.848 zone data.test/IN: sending notify to 192.168.23.3#854
catalog-primary-1 | 01-Aug-2024 13:37:29.848 zone data.test/IN: notify to 192.168.23.3#854 failed: end of file
```
catalog-secondary does not produce any logs here.
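As an added example (not part of this report or of BIND), a small Python check that parses the `also-notify` targets of a named configuration and flags any target configured with `tls` for which the named log shows the "retrying over TCP" fallback seen above, i.e. a NOTIFY that left the host in plain text. The sample configuration and log lines are constructed from the excerpts in this report; the second, plaintext target is a constructed addition.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the also-notify line from the report plus a plaintext target.
ALSO_NOTIFY = "also-notify { 192.168.23.3 port 854 tls catalog-secondary; 192.168.23.4; };"
# Constructed sample log, taken from the named log excerpt in the report.
LOG = """\
01-Aug-2024 13:37:29.845 zone data.test/IN: got TLS configuration for zone transfer
01-Aug-2024 13:37:29.845 zone data.test/IN: sending notifies (serial 2024070108)
01-Aug-2024 13:37:29.848 zone data.test/IN: sending notify to 192.168.23.3#854
01-Aug-2024 13:37:29.848 zone data.test/IN: notify to 192.168.23.3#854 failed: end of file: retrying over TCP
01-Aug-2024 13:37:29.848 zone data.test/IN: sending notify to 192.168.23.3#854
01-Aug-2024 13:37:29.848 zone data.test/IN: notify to 192.168.23.3#854 failed: end of file
"""

ALSO_NOTIFY_RE = re.compile(r"also-notify\s*\{([^}]*)\}")
# named logs the UDP failure and the plain-TCP retry on one line.
FALLBACK_RE = re.compile(r"zone (\S+): notify to (\S+)#(\d+) failed: (.*?): retrying over TCP")


def parse_also_notify(conf: str) -> Dict[Tuple[str, int], str]:
    """Map (address, port) -> TLS block name ('' when the entry has no tls clause)."""
    targets: Dict[Tuple[str, int], str] = {}
    for body in ALSO_NOTIFY_RE.findall(conf):
        for entry in body.split(";"):
            tokens = entry.split()
            if not tokens:
                continue
            addr, port, tls = tokens[0], 53, ""  # default DNS port when none is given
            for i in range(1, len(tokens) - 1, 2):  # remaining tokens come in "keyword value" pairs
                if tokens[i] == "port":
                    port = int(tokens[i + 1])
                elif tokens[i] == "tls":
                    tls = tokens[i + 1]
            targets[(addr, port)] = tls
    return targets


def find_plaintext_fallbacks(conf: str, log: str) -> List[dict]:
    """Return one finding per TLS-configured target that named retried over plain TCP."""
    targets = parse_also_notify(conf)
    findings = []
    for line in log.splitlines():
        m = FALLBACK_RE.search(line)
        if not m:
            continue
        zone, addr, port, reason = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        tls = targets.get((addr, port), "")
        if tls:  # a plaintext retry is only a problem for a target that was meant to use TLS
            findings.append({"zone": zone, "target": f"{addr}#{port}", "tls": tls, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_fallbacks(ALSO_NOTIFY, LOG):
        print(f"{f['zone']}: notify to {f['target']} (tls {f['tls']}) fell back to plain TCP after: {f['reason']}")
```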