<html><body><span style="font-family:Verdana; color:#000000; font-size:10pt;"><div>So, as it turns out, ldns cannot do multiple-packet responses with TSIG as written.</div><div><br></div><div>When a transaction is split across multiple DNS packets in a TCP transaction (like for very large AXFR), the second and subsequent signatures omit all but the time-related TSIG fields from the digest. Note that none of this is mentioned in the RFC; I had to trace the nsd code to figure it out.<br></div><div><br></div><div>To fix this, I had to modify the static function ldns_tsig_mac_new, adding a parameter int tsig_timers_only and then adding code in the function to omit the other TSIG fields from the digest. This also resulted in modifying the functions ldns_pkt_tsig_verify and ldns_pkt_tsig_sign to pass 0 for that parameter. I added the function ldns_pkt_tsig_sign_multiple with an additional parameter int tsig_timers_only to allow for signing chained packets.</div><div><br></div><div>What this code does NOT yet do is properly validate incoming multiple-packet transactions. That would require additional modifications to ldns_pkt_tsig_verify or adding a separate function to avoid backwards compatibility issues.</div><div><br></div><div>All changes are against ldns-1.6.4.<br></div><div><br></div><div>Diff of ldns/tsig.h:</div><div><br></div><div>55d54<br><
ldns_status ldns_pkt_tsig_sign_multiple(ldns_pkt *pkt, const char
*key_name, const char *key_data, uint16_t fudge, const char
*algorithm_name, ldns_rdf *query_mac, int tsig_timers_only);</div><div><br></div><div>Diff of tsig.c<br></div><div><br></div><div>[msheldon@workstation src]$ diff ldns-1.6.4-new/tsig.c ldns-1.6.4/tsig.c <br>152c152<br>< ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf, int tsig_timers_only)<br>---<br>> ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf)<br>174,179c174,177<br>< 
if(!tsig_timers_only){<br>< (void)ldns_rdf2buffer_wire(data_buffer, key_name_rdf);<br>< ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY);<br>< ldns_buffer_write_u32(data_buffer, 0);<br>< (void)ldns_rdf2buffer_wire(data_buffer, algorithm_rdf);<br>< }<br>---<br>> (void)ldns_rdf2buffer_wire(data_buffer, key_name_rdf);<br>> ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY);<br>> ldns_buffer_write_u32(data_buffer, 0);<br>> (void)ldns_rdf2buffer_wire(data_buffer, algorithm_rdf);<br>182,185c180,181<br>< if(!tsig_timers_only){<br>< (void)ldns_rdf2buffer_wire(data_buffer, error_rdf);<br>< (void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf);<br>< }<br>---<br>> (void)ldns_rdf2buffer_wire(data_buffer, error_rdf);<br>> (void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf);<br>275c271<br>< time_signed_rdf, error_rdf, other_data_rdf, orig_mac_rdf, 0);<br>---<br>> time_signed_rdf, error_rdf, other_data_rdf, orig_mac_rdf);<br>305,311d300<br>< return ldns_pkt_tsig_sign_multiple(pkt, key_name, key_data, fudge, algorithm_name, query_mac, 0);<br>< }<br>< <br>< ldns_status<br>< ldns_pkt_tsig_sign_multiple(ldns_pkt *pkt, const char *key_name, const char *key_data,<br>< uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only)<br>< {<br>360c349<br>< time_signed_rdf, error_rdf, other_data_rdf, query_mac, tsig_timers_only);<br>---<br>> time_signed_rdf, error_rdf, other_data_rdf, query_mac);<br><br></div><div><br></div><div>Michael Sheldon<br>Dev-DNS Services<br>GoDaddy.com</div><div><br></div></span></body></html>