-
Type: Bug
-
Status: Open
-
Priority: Minor
-
Resolution: Unresolved
-
Affects Version/s: 2.1.8
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
-
Environment:
NetBSD/amd64 10.0_BETA
Trying to use BIND 9.18.10 as a downstream name server of OpenDNSSEC does not work, and results in these log messages from BIND:
Jan 21 16:42:05 new-sns named[3922]: transfer of '4.5.7.0.0.7.7.4.nrenum.net/IN'
from 158.38.3.18#53: failed while receiving responses: not exact
Jan 21 16:43:59 new-sns named[3922]: transfer of '231.39.128.in-addr.arpa/IN' fr
om 158.38.3.18#53: failed while receiving responses: not exact
etc. etc. Downgrading BIND to 9.16.36 makes this work, so this is apparently a new consistency check introduced in the new version.
Looking at what comes out of a "dig @... axfr" from OpenDNSSEC and feeding the result to BIND's "named-checkzone" reveals that there are two TSIG records supplied (the TSIG record used to support the zone transfer) and the presence of those two TSIG records caused the BIND 9.18.10-based named-checkzone indigestion, refusing to validate the zone. I am however uncertain whether this is the root cause of the "not exact" error message BIND 9.18.10 spews when doing the zone transfer from OpenDNSSEC.