[ldns-users] TSIG trouble

Matthijs Mekking matthijs at NLnetLabs.nl
Wed May 12 06:57:34 UTC 2010



Hi Michael,

With ldns_pkt_new() you can create a new DNS packet. Use the set
functions to set the QR bit and other values to match your response
packet. You can use ldns_pkt_tsig_sign() to add the TSIG record.

You are suggesting that drill does not complain about the TSIG record,
while it should? Please let me know which version of drill/ldns you are
using, and what the TSIG parameters are (algorithm: hmac-md5, data
length: ?), so I can try for myself.

Best regards,

Matthijs

Michael Sheldon wrote:
> So, it looks like my TSIG response is somehow incorrect, though drill
> does not complain, NSD does.
> 
> Does anyone have a clear example of signing a *response* to a TSIG
> request using ldns? I found nothing in the example apps.
> 
> 
> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com
> 
> 
> 
> 
> 
> -------- Original Message --------
> Subject: Re: [ldns-users] TSIG trouble
> From: Matthijs Mekking <matthijs at NLnetLabs.nl>
> Date: Mon, May 10, 2010 6:43 am
> To: Michael Sheldon <msheldon at godaddy.com>
> Cc: ldns-users at open.nlnetlabs.nl
> 
> I have run into a TSIG incompatibility issue between BIND9 and LDNS.
> There was a bug in BIND9 regarding the HMAC-SHA functions, it was fixed
> in 9.7.0:
> 
> 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
> digest length were used incorrectly, leading to
> interoperability problems with other DNS
> implementations. This has been corrected.
> (Note: If an oversize key is in use, and
> compatibility is needed with an older release of
> BIND, the new tool "isc-hmac-fixup" can convert
> the key secret to a form that will work with all
> versions.) [RT #20751]
> 
> If you are using SHA, this could very well be the cause.
> 
> 
> Best regards,
> 
> Matthijs Mekking
> NLnet Labs
> 
> 
> 
> Michael Sheldon wrote:
>> I'm writing a server that uses TSIG, and having some issues with DIG
>> against it.
> 
>> I get the key fine, and validate it without trouble. I then sign the
>> result and return it.
> 
>> drill is happy with it all the way around, no issues.
>> The same query with the same key using dig returns the results, but
>> also
>> includes:
>> ;; WARNING -- Some TSIG could not be validated
> 
>> Any idea on what I might be looking for?
> 
>> Using the same TSIG key in NSD works fine with both dig and drill
> 
>> Michael Sheldon
> 
> 
> 
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> 

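Matthijs's reply above names the ldns calls for the job (ldns_pkt_new(), the pkt set functions for the QR bit, ldns_pkt_tsig_sign()). What those calls have to compute when the packet is a *response* is spelled out in RFC 2845 section 3.4, and the following is an added example in plain Python, not code from ldns or from either poster, that builds a minimal query and answer and signs and verifies the answer the way the RFC describes: the MAC is taken over the length-prefixed MAC of the request, then the response message as it stands before the TSIG RR is appended, then the TSIG variables (key name, class ANY, TTL 0, algorithm, time signed, fudge, error, other data). The key name, secret, algorithm, time and message ID are constructed sample values, and strip_tsig takes the RR length as a parameter instead of parsing the RR, which a real implementation would do.

```python
import hashlib
import hmac
import struct

# RFC 2845 / RFC 4635 algorithm identifiers in wire form (trailing dot)
HMAC_ALGOS = {
    "hmac-md5.sig-alg.reg.int.": hashlib.md5,
    "hmac-sha1.": hashlib.sha1,
    "hmac-sha256.": hashlib.sha256,
}
QR_BIT = 0x8000  # header flag that marks a response

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dns_message(msg_id, flags, qname, answer_rdata=None):
    """Minimal wire message: header, one A/IN question, optionally one A answer."""
    ancount = 1 if answer_rdata is not None else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    question = wire_name(qname) + struct.pack("!HH", 1, 1)
    answer = b""
    if answer_rdata is not None:
        answer = wire_name(qname) + struct.pack("!HHIH", 1, 1, 300, len(answer_rdata)) + answer_rdata
    return header + question + answer

def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """'TSIG Variables' (RFC 2845 3.4.2): key name, class ANY, TTL 0, then the rdata fields minus the MAC."""
    return (wire_name(keyname) + struct.pack("!HI", 255, 0) + wire_name(alg)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret, alg, message, keyname, time_signed, fudge, request_mac=None, error=0, other=b""):
    """HMAC over [len + request MAC] + message (before the TSIG RR is appended) + TSIG variables."""
    data = b""
    if request_mac is not None:  # a response must cover the MAC of the query it answers
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(keyname, alg, time_signed, fudge, error, other)
    return hmac.new(secret, data, HMAC_ALGOS[alg]).digest()

def tsig_rr(keyname, alg, time_signed, fudge, mac, original_id, error=0, other=b""):
    """Wire-format TSIG RR (type 250, class ANY, TTL 0) for the additional section."""
    rdata = (wire_name(alg) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, error, len(other)) + other)
    return wire_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata

def append_tsig(message, rr):
    """Append the TSIG RR and bump ARCOUNT; the MAC was computed over the message before this step."""
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def strip_tsig(signed, rr_len):
    """Inverse of append_tsig. rr_len is passed in rather than parsed, to keep the example short."""
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    return signed[:10] + struct.pack("!H", arcount) + signed[12:-rr_len]

def sign_response(secret, alg, keyname, request_mac, response, time_signed, fudge=300):
    """Server side: MAC the response (request MAC included), then append the TSIG RR."""
    mac = tsig_mac(secret, alg, response, keyname, time_signed, fudge, request_mac=request_mac)
    original_id = struct.unpack("!H", response[:2])[0]
    rr = tsig_rr(keyname, alg, time_signed, fudge, mac, original_id)
    return append_tsig(response, rr), rr, mac

def verify_response(secret, alg, keyname, request_mac, signed, rr_len, mac, time_signed, fudge=300):
    """Client side: recompute over the message without its TSIG RR and compare in constant time."""
    expected = tsig_mac(secret, alg, strip_tsig(signed, rr_len), keyname, time_signed, fudge,
                        request_mac=request_mac)
    return hmac.compare_digest(expected, mac)

def demo():
    """Constructed exchange: the client MACs a query, the server signs the answer, the client checks it."""
    secret = b"constructed-example-secret-not-a-real-key"  # constructed, not a real key
    alg, keyname, ts = "hmac-sha256.", "example-key.", 1273647454  # constructed sample values
    query = dns_message(0x1234, 0x0100, "www.example.")
    request_mac = tsig_mac(secret, alg, query, keyname, ts, 300)
    response = dns_message(0x1234, 0x0100 | QR_BIT, "www.example.", b"\xc0\x00\x02\x01")
    signed, rr, mac = sign_response(secret, alg, keyname, request_mac, response, ts)
    return {
        "verified": verify_response(secret, alg, keyname, request_mac, signed, len(rr), mac, ts),
        # the two mismatches below are what a client reports as a TSIG that could not be validated
        "without_request_mac": verify_response(secret, alg, keyname, None, signed, len(rr), mac, ts),
        "wrong_key": verify_response(b"other-secret", alg, keyname, request_mac, signed, len(rr), mac, ts),
    }

if __name__ == "__main__":
    print(demo())
```

The two negative cases in demo() (leaving the request MAC out of the response digest, or using a different secret) are illustrative of the kind of mismatch that makes a client report a TSIG it could not validate; they are not a diagnosis of the server discussed in this thread. Note that the ARCOUNT used in the digest is the one before the TSIG RR is added, which is why the server MACs first and appends second, and why the verifier strips the RR and decrements ARCOUNT before recomputing.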

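The BIND 9 changelog entry quoted in the earlier reply (HMAC-SHA* keys longer than the algorithm digest length used incorrectly, fixed in 9.7.0) is a reminder that the key-length rule in RFC 2104 is keyed on the hash's *block* length, not its digest length: a key longer than the block length is first hashed, anything shorter is zero-padded to the block length. The following is an added example, not ISC's, ldns's or either poster's code, that implements HMAC exactly as RFC 2104 specifies, checks it against Python's hmac module, and compares it with a hypothetical variant that applies the threshold at the digest length instead. That variant is an illustration of how a wrong threshold breaks interoperability for keys between the digest and block lengths; it is not a reproduction of BIND's actual code, which the thread does not show. Keys and message are constructed sample values.

```python
import hashlib
import hmac

def rfc2104_hmac(key, msg, hashname):
    """HMAC as RFC 2104 specifies: a key longer than B (block length) is hashed, then zero-padded to B."""
    h = getattr(hashlib, hashname)
    block = h().block_size
    if len(key) > block:
        key = h(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg).digest()).digest()

def digest_threshold_hmac(key, msg, hashname):
    """HYPOTHETICAL divergent variant: hashes any key longer than the *digest* length.
    Present only to show where a wrong threshold diverges from the RFC; not an implementation's real code."""
    h = getattr(hashlib, hashname)
    if len(key) > h().digest_size:
        key = h(key).digest()
    return rfc2104_hmac(key, msg, hashname)

def interop_report(hashname="sha1", msg=b"constructed TSIG-covered data"):
    """For key lengths around the digest and block sizes, report whether the variant agrees with the RFC.
    Returns {key_length: agrees} and raises if the RFC implementation ever disagrees with hashlib."""
    h = getattr(hashlib, hashname)
    dlen, blen = h().digest_size, h().block_size
    results = {}
    for klen in (16, dlen, dlen + 1, blen, blen + 1):
        key = bytes(range(klen))  # constructed deterministic key of the wanted length
        reference = hmac.new(key, msg, h).digest()
        if rfc2104_hmac(key, msg, hashname) != reference:
            raise AssertionError("RFC 2104 implementation disagrees with hashlib for key length %d" % klen)
        results[klen] = digest_threshold_hmac(key, msg, hashname) == reference
    return results

if __name__ == "__main__":
    for name in ("sha1", "sha256"):
        print(name, interop_report(name))
```

The report shows the shape of such an interoperability failure: both sides agree for keys up to the digest length and for keys longer than the block length (where both hash the key), and disagree only in the band in between. A practitioner checking two TSIG implementations against each other would want to test a key in that band, which is exactly the case the quoted changelog entry describes as broken.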


