allow-notify does not take TSIG keys into account, ending with a "refused notify from non-master" error if the rndc notify command comes from a non-master machine

Solution Verified - Updated -

Issue

BIND implements the following configuration option (taken from the BIND documentation):

allow-notify

Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters.
allow-notify may also be specified in the zone statement, in which case it overrides the options allow-notify statement.
It is only meaningful for a slave zone.
If not specified, the default is to process notify messages only from a zone's master.

and it can be set to:

    [ allow-notify { address_match_list }; ]

According to the Address Match Lists section of the documentation, the address_match_list:

address_match_list = address_match_list_element ;
  [ address_match_list_element; ... ]
address_match_list_element = [ ! ] (ip_address [/length] |
   key key_id | acl_name | { address_match_list } )

can be any of the following:

  • an IP address (IPv4 or IPv6)
  • an IP prefix (in `/' notation)
  • a key ID, as defined by the key statement
  • the name of an address match list defined with the acl statement
  • a nested address match list enclosed in braces

but in fact allow-notify {} cannot contain:

  • a key ID, as defined by the key statement

because this is not implemented in the related code: the TSIG key used for rndc authentication is not passed to the routine that could check it, so only IP addresses and acl address match lists are compared. As a result, a machine that is neither configured as a master for the zone nor listed in the allow-notify {} clause is not allowed to notify the slave to perform a zone transfer, and the following message appears in the logs:

slave named[1779]: client 192.168.122.68#62440: view localhost_resolver: received notify for zone 'example.com'
slave named[1779]: zone example.com/IN/localhost_resolver: refused notify from non-master: 192.168.122.68#62440
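The following script is an added example, not code from this article or from BIND itself. It models the evaluation described above: when a NOTIFY arrives, the source address is compared against the IP addresses, prefixes and acl names in the allow-notify address_match_list, while key elements are never consulted. It then scans the log lines quoted above for "refused notify from non-master" and reports whether each refused source would have been admitted by address alone. The acl and zone configuration, the addresses and the key names (transfer-key, rndc-key) are constructed for illustration, and the `signing_key` parameter is a hypothetical knob that only shows what the documentation implies would happen if keys were honoured.

```python
"""Offline model of how BIND evaluates allow-notify for an incoming NOTIFY.

Added example; not code from the Red Hat article or from BIND. It models the
behaviour the article describes: IP addresses, prefixes and acl names in the
address_match_list are compared against the NOTIFY source, while `key`
elements are never consulted, so a non-master signing with a TSIG key is
still refused. The signing_key parameter is hypothetical and only shows what
the documentation implies would happen if keys were honoured.
"""
import ipaddress
import re

# Constructed sample configuration (hypothetical addresses and key names):
#   acl notifiers { 10.0.0.0/24; key transfer-key; };
#   zone "example.com" { type slave; masters { 192.168.122.10; };
#       allow-notify { !192.168.122.99; notifiers; key rndc-key; }; };
ACLS = {"notifiers": ["10.0.0.0/24", "key transfer-key"]}
MASTERS = ["192.168.122.10"]
ALLOW_NOTIFY = ["!192.168.122.99", "notifiers", "key rndc-key"]

# Log lines quoted in the article, used here as sample input.
SAMPLE_LOG = [
    "slave named[1779]: client 192.168.122.68#62440: view localhost_resolver: "
    "received notify for zone 'example.com'",
    "slave named[1779]: zone example.com/IN/localhost_resolver: "
    "refused notify from non-master: 192.168.122.68#62440",
]


def match_list(elements, addr, acls, signing_key=None):
    """First-match evaluation of an address_match_list (simplified).

    Returns True (positive match), False (negated match) or None (no element
    matched). Only the element kinds listed in the article are handled:
    IP address, prefix, key ID, acl name and a nested list (a Python list).
    """
    for element in elements:
        if isinstance(element, list):          # nested { ... } list
            negate, target = False, element
        else:
            negate = element.startswith("!")
            target = element.lstrip("!").strip()
            if target in acls:                  # acl name -> its own list
                target = acls[target]
        if isinstance(target, list):
            nested = match_list(target, addr, acls, signing_key)
            if nested is None:
                continue
            return (not nested) if negate else nested
        if target.startswith("key "):
            # Honoured only when a signing key is supplied; for allow-notify
            # BIND (per the article) never supplies one, so this never hits.
            hit = signing_key is not None and target.split(None, 1)[1] == signing_key
        else:
            hit = addr in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate
    return None


def notify_permitted(source_ip, masters, allow_notify, acls, signing_key=None):
    """Decide whether a NOTIFY from source_ip is processed by the slave.

    Zone masters are always accepted; otherwise allow-notify must match
    positively. No match is the 'refused notify from non-master' case.
    """
    addr = ipaddress.ip_address(source_ip)
    if any(addr == ipaddress.ip_address(m) for m in masters):
        return True
    return match_list(allow_notify, addr, acls, signing_key) is True


REFUSED_RE = re.compile(
    r"zone (?P<zone>[^/\s]+)\S*: refused notify from non-master: "
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)


def refused_notifies(log_lines):
    """Return (zone, source_ip) pairs for every refused NOTIFY in the log."""
    found = []
    for line in log_lines:
        m = REFUSED_RE.search(line)
        if m:
            found.append((m.group("zone"), m.group("ip")))
    return found


def diagnose(log_lines, masters, allow_notify, acls):
    """For each refused NOTIFY, report whether the source would be admitted by
    address alone. False means only an IP, prefix or acl entry (not a key
    element) can make the slave accept notifies from that host."""
    return [
        (zone, ip, notify_permitted(ip, masters, allow_notify, acls))
        for zone, ip in refused_notifies(log_lines)
    ]


if __name__ == "__main__":
    for zone, ip, by_address in diagnose(SAMPLE_LOG, MASTERS, ALLOW_NOTIFY, ACLS):
        print(f"{zone}: {ip} refused; admitted by address alone: {by_address}")
    # A key element would only help if BIND passed the TSIG key to the check:
    print(notify_permitted("192.168.122.68", MASTERS, ALLOW_NOTIFY, ACLS,
                           signing_key="rndc-key"))
```

Running it on the sample configuration reports that 192.168.122.68 is refused because no address-based element covers it, even though the zone's allow-notify names a key; the hypothetical `signing_key` call is the only way the script lets that host through, which is exactly the check BIND does not perform here.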

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Bind 9
