[ldns-users] TSIG trouble

Michael Sheldon msheldon at godaddy.com
Tue May 11 22:56:57 UTC 2010


So, it looks like my TSIG response is somehow incorrect, though drill
does not complain, NSD does.

Does anyone have a clear example of signing a *response* to a TSIG
request using ldns? I found nothing in the example apps.


Michael Sheldon
Dev-DNS Services
GoDaddy.com
  -------- Original Message --------
 Subject: Re: [ldns-users] TSIG trouble
 From: Matthijs Mekking <matthijs at NLnetLabs.nl>
 Date: Mon, May 10, 2010 6:43 am
 To: Michael Sheldon <msheldon at godaddy.com>
 Cc: ldns-users at open.nlnetlabs.nl
 
 I have run into a TSIG incompatibility issue between BIND9 and LDNS.
 There was a bug in BIND9 regarding the HMAC-SHA functions, it was fixed
 in 9.7.0:
 
 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
 digest length were used incorrectly, leading to
 interoperability problems with other DNS
 implementations. This has been corrected.
 (Note: If an oversize key is in use, and
 compatibility is needed with an older release of
 BIND, the new tool "isc-hmac-fixup" can convert
 the key secret to a form that will work with all
 versions.) [RT #20751]
 
 If you are using SHA, this could very well be the cause.
 
 
 Best regards,
 
 Matthijs Mekking
 NLnet Labs
 
 
 
 Michael Sheldon wrote:
 > I'm writing a server that uses TSIG, and having some issues with DIG
 > against it.
 > 
 > I get the key fine, and validate it without trouble. I then sign the
 > result and return it.
 > 
 > drill is happy with it all the way around, no issues.
 > The same query with the same key using dig returns the results, but also
 > includes:
 > ;; WARNING -- Some TSIG could not be validated
 > 
 > Any idea on what I might be looking for?
 > 
 > Using the same TSIG key in NSD works fine with both dig and drill
 > 
 > Michael Sheldon
 > 
 > 
 > ------------------------------------------------------------------------
 > 
 > _______________________________________________
 > ldns-users mailing list
 > ldns-users at open.nlnetlabs.nl
 > http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
 
 _______________________________________________
ldns-users mailing list
ldns-users at open.nlnetlabs.nl
http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
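Editor's added example (not code from the thread, nor from ldns, BIND or NSD): the two things the thread turns on, written out at the wire level. First, how a TSIG MAC for a *response* differs from the one for a request: per RFC 2845 section 3.4.3 the server prepends the request's MAC, with a 2-octet length, to the digest input, so a response signed as if it were a fresh request produces a MAC that a client validating against its own request MAC rejects. Second, the RFC 2104 rule that Matthijs's BIND9 changelog entry is about: an HMAC key is pre-hashed only when it is longer than the hash *block* size, and an implementation that applies that step at the *digest* length instead diverges for keys in between. The key name, secret, timestamp and DNS messages are constructed sample values, the 48-byte secret is chosen to sit between the SHA-256 digest (32) and block (64) sizes, and the `key_threshold` variant is an illustration of the mismatch, not a reproduction of BIND's code.

```python
import hashlib
import hmac
import struct

# Constructed sample key material (not from the thread). 48 bytes: longer than the
# SHA-256 digest (32), shorter than its block size (64).
KEY_NAME = "example-key."
SECRET = b"0123456789abcdef" * 3
ALGORITHM = "hmac-sha256."
TIME_SIGNED = 1273618617   # constructed; a real server uses int(time.time())
FUDGE = 300


def encode_name(name):
    """Uncompressed, lowercase wire-format name (canonical form for TSIG digests)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(msg_id, flags, qname="example.com.", qtype=1, qclass=1):
    """Minimal DNS message: header plus one question, no other sections."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG Variables (RFC 2845 3.4.2): NAME, CLASS ANY, TTL 0, algorithm name,
    48-bit time signed, fudge, error, other length, other data."""
    return (encode_name(key_name)
            + struct.pack("!HI", 255, 0)
            + encode_name(algorithm)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other))
            + other)


def tsig_mac(secret, message, key_name, algorithm, time_signed, fudge, request_mac=None):
    """HMAC over the digest input of RFC 2845 3.4. `message` is the DNS message
    before the TSIG RR is appended (ARCOUNT not counting it). For a response the
    request MAC comes first, prefixed by its 2-octet length; for a request it is absent."""
    data = b""
    if request_mac is not None:
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message
    data += tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def sign_exchange():
    """Server side of one exchange: returns the request MAC, the correctly chained
    response MAC, and the MAC a server gets if it omits the request MAC."""
    request = build_message(0x1234, 0x0100)
    request_mac = tsig_mac(SECRET, request, KEY_NAME, ALGORITHM, TIME_SIGNED, FUDGE)
    response = build_message(0x1234, 0x8180)
    chained = tsig_mac(SECRET, response, KEY_NAME, ALGORITHM, TIME_SIGNED, FUDGE,
                       request_mac=request_mac)
    unchained = tsig_mac(SECRET, response, KEY_NAME, ALGORITHM, TIME_SIGNED, FUDGE)
    return request_mac, chained, unchained


def verify_response(secret, response, request_mac, mac, key_name=KEY_NAME,
                    algorithm=ALGORITHM, time_signed=TIME_SIGNED, fudge=FUDGE):
    """Client-side check: recompute using the MAC the client put on its own request."""
    expected = tsig_mac(secret, response, key_name, algorithm, time_signed, fudge,
                        request_mac=request_mac)
    return hmac.compare_digest(expected, mac)


def hmac_with_threshold(key, data, key_threshold):
    """Hand-rolled HMAC-SHA256. RFC 2104 pre-hashes the key only when it exceeds the
    hash BLOCK size (64). `key_threshold` lets the caller apply another limit, e.g.
    the DIGEST size (32), to see where such an implementation stops interoperating.
    Illustration only; not BIND's code."""
    h = hashlib.sha256
    block_size = h().block_size
    if len(key) > key_threshold:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    inner = h(bytes(b ^ 0x36 for b in key) + data).digest()
    return h(bytes(b ^ 0x5C for b in key) + inner).digest()


def key_length_sensitivity(key, data=b"tsig digest input"):
    """(block-size rule agrees with stdlib HMAC, digest-size rule agrees with it)."""
    standard = hmac.new(key, data, hashlib.sha256).digest()
    by_block = hmac_with_threshold(key, data, hashlib.sha256().block_size)
    by_digest = hmac_with_threshold(key, data, hashlib.sha256().digest_size)
    return standard == by_block, standard == by_digest
```

For the 48-byte sample key, `key_length_sensitivity` reports that the block-size rule matches the standard HMAC while the digest-size rule does not; keys of 16 or 100 bytes agree under both rules, which is why an oversize-key bug can go unnoticed until a key of an in-between length is used. For the response-signing half, ldns carries the request MAC as the final `query_mac` argument of `ldns_pkt_tsig_sign`: take the MAC rdf from the request's TSIG RR after verifying it, and pass that rdf when signing the reply.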