Skip to content

TSIG for Zone Transfers #1334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 84 commits into
base: master
Choose a base branch
from
Open

TSIG for Zone Transfers #1334

wants to merge 84 commits into from

Conversation

@wcawijngaards
Copy link
Member

@wcawijngaards wcawijngaards commented Sep 12, 2025

This adds TSIG for zone transfers. For auth-zones and RPZ zones, the AXFR and IXFR can be with TSIG.

TSIG keys are configured as a tsig-key: entry with name: <key name> and algorithm: <algorithm name> and secret: <base64 blob>.

The auth-zone: can have primary-tsig: <addr or name> <TSIG key name> and allow-notify-tsig: <addr or name or netblock> <TSIG key name>. Also an rpz: can have primary-tsig and allow-notify-tsig. If the notify is set to use TSIG, then unbound has to receive the notify signed with that TSIG key to process it, it is refused otherwise. The primary is contacted, for SOA probe and for AXFR and for IXFR, with the TSIG for the zone transfer.

This conforms with RFC2845 and RFC8945. The unit test has the digests match TSIG digests from NSD and dig.

@wcawijngaards
- xfr-tsig, create util/tsig.c and util/tsig.h.
e6573fc
@wcawijngaards
- xfr-tsig, import the tsig verify code from hackathon/poisonlicious …
7edc1e0 
…branch.
@wcawijngaards
Merge branch 'master' into xfr-tsig
8fcc4c9
@wcawijngaards
- xfr-tsig, constant time memcmp is used.
ea09730
@wcawijngaards
- xfr-tsig, update header comment.
4fd0d84
@wcawijngaards
- xfr-tsig, const for dname compare and fix warnings in compile.
eefb417
@wcawijngaards
- xfr-tsig, fix warning in compile of declaration.
182e580
@wcawijngaards
- xfr-tsig, check buffer remaining in tsig verify.
19492da
@wcawijngaards
Merge branch 'master' into xfr-tsig
4ca37bc
@wcawijngaards
- xfr-tsig, check rdata length in tsig verify.
3f378c9
@wcawijngaards
- xfr-tsig, key table.
3d9242b
@wcawijngaards
- xfr-tsig, algorithm table.
364edcc
@wcawijngaards
- xfr-tsig, fix algorithm lookup.
0f02479
@wcawijngaards
- xfr-tsig, tsig-key, with name, algorithm and secret options.
8811bd4
@wcawijngaards
- xfr-tsig, man page and example config.
31e8118
@wcawijngaards
- xfr-tsig, tsig_verify return failure comment improved.
497161f
@wcawijngaards
Merge branch 'master' into xfr-tsig
bbcf5d1
@wcawijngaards
- xfr-tsig, tsig_create and tsig_delete.
6935429
@wcawijngaards
Merge branch 'master' into xfr-tsig
bb4ddab
@wcawijngaards
- xfr-tsig, tsig functions.
8b95785
@wcawijngaards
- xfr-tsig, tsig_sign_query.
dd4ee42
@wcawijngaards
- xfr-tsig, tsig test.
4bbb74d
@wcawijngaards
- xfr-tsig, test buffer size.
aa22fd9
@wcawijngaards
- xfr-tsig, unit test for tsig_sign_query.
f2c609b
@wcawijngaards
Merge branch 'master' into xfr-tsig
5214912
@wcawijngaards
- xfr-tsig, unit tests for md5, sha1, sha224, sha256, sha384 and sha512.
29c8b3e
@wcawijngaards
Merge branch 'master' into xfr-tsig
418ef37
@wcawijngaards
- xfr-tsig, whitespace.
4562cd3
@wcawijngaards
- xfr-tsig, other data content matches the other len when written.
0afbb68
@wcawijngaards
- xfr-tsig, parse and verify query tsig.
fe63b25
@wcawijngaards
Merge branch 'master' into xfr-tsig
54175a4
@wcawijngaards
- xfr-tsig, tsig_get_mem function.
da72734
@wcawijngaards
- xfr-tsig, log rcode for received notifies.
af1d430
@wcawijngaards
- xfr-tsig, add test case with AXFR packet with TSIG.
7085815
@wcawijngaards
Merge branch 'master' into xfr-tsig
4a3a4f4
@wcawijngaards
- xfr-tsig, tsig_parse_verify_reply_xfr and tsig_sign_reply_xfr.
5c79fd9
@wcawijngaards
Merge branch 'master' into xfr-tsig
4a2dc1d
@wcawijngaards
- xfr-tsig, unit test tsig-sign-reply-xfr implementation.
e2efd17
@wcawijngaards
- xfr-tsig, fix algorithm name write in xfr reply tsig and unit test
e3c1981 
  that works with output that works with dig and NSD.
@wcawijngaards
Merge branch 'master' into xfr-tsig
cacdfee
@wcawijngaards
- xfr-tsig, unit test for tsig-verify-reply-xfr, with output that works
aea2a82 
  with dig and NSD.
@wcawijngaards
- xfr-tsig, unit test to verify tsig every couple packets.
156846e
@wcawijngaards
- xfr-tsig, unit test with another trace of tsig every couple packets.
7b59014
@wcawijngaards
- xfr-tsig, unit test for tsig sign every couple packets, and verify …
63aa70a 
…that.
@wcawijngaards
- xfr-tsig, use tsig_parse_verify_reply_xfr for zone transfers with T…
bebd6c0 
…SIG.
@wcawijngaards
- xfr-tsig, fix notify tsig answer, fix parse edns allows TSIG,
64e102a 
  unit test for auth zone with notify with tsig and notify answer with tsig.
@wcawijngaards
- xfr-tsig, unit test use to make tsig for rpl.
dfac72e
@wcawijngaards
Merge branch 'master' into xfr-tsig
f9713f9
@wcawijngaards
- xfr-tsig, add tdir test that performs tsig signed zone transfer.
b451cc4
@wcawijngaards
- xfr-tsig, remove rpl unit test.
c904a3d
@wcawijngaards
- xfr-tsig, log TSIG key name with zone and notify information. Clear…
f0268d3 
… tsig

  data before making a new one.
@wcawijngaards
- xfr-tsig, fast reload support for tsig keys.
1ae8be6
@wcawijngaards
- xfr-tsig, unit test shows zonefile that is created.
a23c534
@wcawijngaards wcawijngaards self-assigned this Sep 12, 2025
@wcawijngaards wcawijngaards moved this to Review In Progress in TSIG for Zone Transfers Sep 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gthess gthess Awaiting requested review from gthess

Assignees

@wcawijngaards wcawijngaards

Labels

None yet

Projects

TSIG for Zone Transfers
Status: Review In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wcawijngaards