Filter out TSIG records from zone transfer

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Filter out TSIG records from zone transfer

Anand Buddhdev
Hi folks,

When I use "dig" to do a zone transfer, using TSIG, then the resulting
zone is interspersed with TSIG records. Some tools, such as
"dnssec-verify", don't like these records.

Is there any way to tell dig not to print these TSIG records? Currently,
I pass the zone through an awk script to filter out these records, but
it would be nice if I could tell dig itself to suppress them.

Regards,
Anand Buddhdev
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Filter out TSIG records from zone transfer

Stuart@registry.godaddy
I usually just GREP them out.

dig -k .... axfr zone @remotehost | grep -v 'ANY[[:space:]]TSIG[[:space:]]'

Stuart

´╗┐On 7/12/20, 1:32 am, "bind-users on behalf of Anand Buddhdev" <[hidden email] on behalf of [hidden email]> wrote:

    Notice: This email is from an external sender.



    Hi folks,

    When I use "dig" to do a zone transfer, using TSIG, then the resulting
    zone is interspersed with TSIG records. Some tools, such as
    "dnssec-verify", don't like these records.

    Is there any way to tell dig not to print these TSIG records? Currently,
    I pass the zone through an awk script to filter out these records, but
    it would be nice if I could tell dig itself to suppress them.

    Regards,
    Anand Buddhdev
    _______________________________________________
    Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

    ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


    bind-users mailing list
    [hidden email]
    https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Filter out TSIG records from zone transfer

Daniel Stirnimann
In reply to this post by Anand Buddhdev
Hello Anand

this works for me:

dig -k KEY @PRIMARY ZONE +noall +answer +noidnout +onesoa AXFR

Daniel

On 06.12.20 15:31, Anand Buddhdev wrote:

> Hi folks,
>
> When I use "dig" to do a zone transfer, using TSIG, then the resulting
> zone is interspersed with TSIG records. Some tools, such as
> "dnssec-verify", don't like these records.
>
> Is there any way to tell dig not to print these TSIG records? Currently,
> I pass the zone through an awk script to filter out these records, but
> it would be nice if I could tell dig itself to suppress them.
>
> Regards,
> Anand Buddhdev
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users
>

--
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
[hidden email], www.switch.ch
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Filter out TSIG records from zone transfer

Anand Buddhdev
Hey Daniel,

That's *exactly* what I was after! Thank you :)

On 07/12/2020 08:25, Daniel Stirnimann wrote:

> Hello Anand
>
> this works for me:
>
> dig -k KEY @PRIMARY ZONE +noall +answer +noidnout +onesoa AXFR
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users