From msheldon at godaddy.com Thu May 6 20:31:59 2010
From: msheldon at godaddy.com (Michael Sheldon)
Date: Thu, 06 May 2010 13:31:59 -0700
Subject: [ldns-users] TSIG trouble
Message-ID: <20100506133159.205a61dff9fc1684c258b274662bb912.819843d9a5.wbe@email.secureserver.net>

An HTML attachment was scrubbed...
URL:

From matthijs at NLnetLabs.nl Mon May 10 13:43:57 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 10 May 2010 15:43:57 +0200
Subject: [ldns-users] TSIG trouble
In-Reply-To: <20100506133159.205a61dff9fc1684c258b274662bb912.819843d9a5.wbe@email.secureserver.net>
References: <20100506133159.205a61dff9fc1684c258b274662bb912.819843d9a5.wbe@email.secureserver.net>
Message-ID: <4BE80D9D.6060601@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have run into a TSIG incompatibility issue between BIND9 and LDNS.
There was a bug in BIND9 regarding the HMAC-SHA functions; it was fixed
in 9.7.0:

2834.   [bug]           HMAC-SHA* keys that were longer than the algorithm
                        digest length were used incorrectly, leading to
                        interoperability problems with other DNS
                        implementations. This has been corrected.
                        (Note: If an oversize key is in use, and
                        compatibility is needed with an older release of
                        BIND, the new tool "isc-hmac-fixup" can convert
                        the key secret to a form that will work with all
                        versions.) [RT #20751]

If you are using SHA, this could very well be the cause.

Best regards,

Matthijs Mekking
NLnet Labs

Michael Sheldon wrote:
> I'm writing a server that uses TSIG, and having some issues with DIG
> against it.
>
> I get the key fine, and validate it without trouble. I then sign the
> result and return it.
>
> drill is happy with it all the way around, no issues.
> The same query with the same key using dig returns the results, but also
> includes:
> ;; WARNING -- Some TSIG could not be validated
>
> Any idea on what I might be looking for?
>
> Using the same TSIG key in NSD works fine with both dig and drill
>
> Michael Sheldon
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJL6A2bAAoJEA8yVCPsQCW5GBMH/RYS97SzvnQe+WRsTdQaf924
irZwz+8R/lLOCtIo+IPw3qrsJg2Ty62x6ePX3xNpBQt0eV/Vu4Yz4VR+ct+KAQ4i
ZcFDVAGd752tFgrOqTS1USp4i1UhY98ol6NQtxeJBFziHUyDKF4Pk18898KuddeT
W1h5nO72Oct6S2UtStTV1xJGtGe+HK2XRFTYwGucw3FVc3GsgU4jX1fjqsiP5J+E
FtsT2JrNwsv7wfEJ9cCUK2EviVc6I2DoN7MCa9s8edckZYsAX2P86MWq7HiVQjZE
WrHJ3s8e8O3FZr0ZdvpCWAmeKG1Ul8NBjyw5pHS5qh4KUydQfGr4/s/Uy7RZnLU=
=hIbi
-----END PGP SIGNATURE-----

From msheldon at godaddy.com Mon May 10 20:49:02 2010
From: msheldon at godaddy.com (Michael Sheldon)
Date: Mon, 10 May 2010 13:49:02 -0700
Subject: [ldns-users] TSIG trouble
Message-ID: <20100510134902.205a61dff9fc1684c258b274662bb912.dde0563812.wbe@email.secureserver.net>

An HTML attachment was scrubbed...
URL:

From msheldon at godaddy.com Tue May 11 22:56:57 2010
From: msheldon at godaddy.com (Michael Sheldon)
Date: Tue, 11 May 2010 15:56:57 -0700
Subject: [ldns-users] TSIG trouble
Message-ID: <20100511155657.205a61dff9fc1684c258b274662bb912.8f75ee2e57.wbe@email.secureserver.net>

So, it looks like my TSIG response is somehow incorrect, though drill
does not complain, NSD does.

Does anyone have a clear example of signing a *response* to a TSIG
request using ldns? I found nothing in the example apps.
Michael Sheldon
Dev-DNS Services
GoDaddy.com

-------- Original Message --------
Subject: Re: [ldns-users] TSIG trouble
From: Matthijs Mekking
Date: Mon, May 10, 2010 6:43 am
To: Michael Sheldon
Cc: ldns-users at open.nlnetlabs.nl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have run into a TSIG incompatibility issue between BIND9 and LDNS.
There was a bug in BIND9 regarding the HMAC-SHA functions; it was fixed
in 9.7.0:

2834.   [bug]           HMAC-SHA* keys that were longer than the algorithm
                        digest length were used incorrectly, leading to
                        interoperability problems with other DNS
                        implementations. This has been corrected.
                        (Note: If an oversize key is in use, and
                        compatibility is needed with an older release of
                        BIND, the new tool "isc-hmac-fixup" can convert
                        the key secret to a form that will work with all
                        versions.) [RT #20751]

If you are using SHA, this could very well be the cause.

Best regards,

Matthijs Mekking
NLnet Labs

Michael Sheldon wrote:
> I'm writing a server that uses TSIG, and having some issues with DIG
> against it.
>
> I get the key fine, and validate it without trouble. I then sign the
> result and return it.
>
> drill is happy with it all the way around, no issues.
> The same query with the same key using dig returns the results, but also
> includes:
> ;; WARNING -- Some TSIG could not be validated
>
> Any idea on what I might be looking for?
>
> Using the same TSIG key in NSD works fine with both dig and drill
>
> Michael Sheldon
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJL6A2bAAoJEA8yVCPsQCW5GBMH/RYS97SzvnQe+WRsTdQaf924
irZwz+8R/lLOCtIo+IPw3qrsJg2Ty62x6ePX3xNpBQt0eV/Vu4Yz4VR+ct+KAQ4i
ZcFDVAGd752tFgrOqTS1USp4i1UhY98ol6NQtxeJBFziHUyDKF4Pk18898KuddeT
W1h5nO72Oct6S2UtStTV1xJGtGe+HK2XRFTYwGucw3FVc3GsgU4jX1fjqsiP5J+E
FtsT2JrNwsv7wfEJ9cCUK2EviVc6I2DoN7MCa9s8edckZYsAX2P86MWq7HiVQjZE
WrHJ3s8e8O3FZr0ZdvpCWAmeKG1Ul8NBjyw5pHS5qh4KUydQfGr4/s/Uy7RZnLU=
=hIbi
-----END PGP SIGNATURE-----
_______________________________________________
ldns-users mailing list
ldns-users at open.nlnetlabs.nl
http://open.nlnetlabs.nl/mailman/listinfo/ldns-users

From matthijs at NLnetLabs.nl Wed May 12 06:57:34 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Wed, 12 May 2010 08:57:34 +0200
Subject: [ldns-users] TSIG trouble
In-Reply-To: <20100511155657.205a61dff9fc1684c258b274662bb912.8f75ee2e57.wbe@email.secureserver.net>
References: <20100511155657.205a61dff9fc1684c258b274662bb912.8f75ee2e57.wbe@email.secureserver.net>
Message-ID: <4BEA515E.1050200@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michael,

With ldns_pkt_new() you can create a new DNS packet. Use the set
functions to set the QR bit and other values to match your response
packet. You can use ldns_pkt_tsig_sign() to add the TSIG record.

You are suggesting that drill does not complain about the TSIG record,
while it should?

Please let me know which version of drill/ldns you are using, and what
the TSIG parameters are (algorithm: hmac-md5, data length: ?), so I can
try for myself.
Best regards,

Matthijs

Michael Sheldon wrote:
> So, it looks like my TSIG response is somehow incorrect, though drill
> does not complain, NSD does.
>
> Does anyone have a clear example of signing a *response* to a TSIG
> request using ldns? I found nothing in the example apps.
>
>
> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com
>
>
>
>
>
> -------- Original Message --------
> Subject: Re: [ldns-users] TSIG trouble
> From: Matthijs Mekking
> Date: Mon, May 10, 2010 6:43 am
> To: Michael Sheldon
> Cc: ldns-users at open.nlnetlabs.nl
>
> I have run into a TSIG incompatibility issue between BIND9 and LDNS.
> There was a bug in BIND9 regarding the HMAC-SHA functions; it was fixed
> in 9.7.0:
>
> 2834.   [bug]           HMAC-SHA* keys that were longer than the algorithm
>                         digest length were used incorrectly, leading to
>                         interoperability problems with other DNS
>                         implementations. This has been corrected.
>                         (Note: If an oversize key is in use, and
>                         compatibility is needed with an older release of
>                         BIND, the new tool "isc-hmac-fixup" can convert
>                         the key secret to a form that will work with all
>                         versions.) [RT #20751]
>
> If you are using SHA, this could very well be the cause.
>
>
> Best regards,
>
> Matthijs Mekking
> NLnet Labs
>
>
>
> Michael Sheldon wrote:
>> I'm writing a server that uses TSIG, and having some issues with DIG
>> against it.
>
>> I get the key fine, and validate it without trouble. I then sign the
>> result and return it.
>
>> drill is happy with it all the way around, no issues.
>> The same query with the same key using dig returns the results, but
>> also
>> includes:
>> ;; WARNING -- Some TSIG could not be validated
>
>> Any idea on what I might be looking for?
>
>> Using the same TSIG key in NSD works fine with both dig and drill
>
>> Michael Sheldon
>
>
>
>> ------------------------------------------------------------------------
>
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJL6lFYAAoJEA8yVCPsQCW5RKUH/2Efm9X/e0qf5rCPgKZTyNKQ
CxaQ+vOKxjevEpTp/uXetpy5UI/VJVlnzx0R3W8C4CwfKNRO8pLcEBMDnvsAO/ct
S3XZ2lsNaIveUqc+lw9nZrXmbr7So1C/HBLVja+ohlXW6sD7LeX+sKKp8224OvFA
ieP/FYSlA9iNyHN6e2GSZ9V0PAP3PKjEacUS38FuqE8qW3W1+mqPF6Li2cw0ksfA
1dZqpajyarcDnrn2aiovRlX/taCF1+yqi6dV9FSq7y6uVa9RbMiQz6+QUVwv8lAH
tFxDzKWzvEP0xnkTk99PD8D7LuClcJHOrm/bDOejrj3SKKI8id4IaujyLDloRnc=
=+hKw
-----END PGP SIGNATURE-----

From matthijs at NLnetLabs.nl Wed May 12 07:04:14 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Wed, 12 May 2010 09:04:14 +0200
Subject: [ldns-users] How to use _searchlist provided by ldns_struct_resolver?
In-Reply-To: <4BCC8BBD.8070902@nic.cz>
References: <4BCC8BBD.8070902@nic.cz>
Message-ID: <4BEA52EE.4050702@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Zbynek,

Sorry for the late follow-up.

You are right that making a dname from string always returns an absolute
dname. You can try making a dname with ldns_dname_new_frm_data().

Best regards,

Matthijs

Zbynek Michl wrote:
> Hello,
>
> I am trying to use the search list, but unsuccessfully.
> Here is a sample:
>
> --- CODE ---
> ldns_rdf *domain = ldns_dname_new_frm_str("myhostname");
> ldns_rdf *search = ldns_dname_new_frm_str("mydomain.cz");
>
> ldns_resolver_push_searchlist(res, search);
>
> p = ldns_resolver_search(res, domain, LDNS_RR_TYPE_A,
>                          LDNS_RR_CLASS_IN, LDNS_RD);
> --- /CODE ---
>
> The problem is that "myhostname.mydomain.cz" will never be tried,
> because ldns_dname_new_frm_str() adds "." to the end of "myhostname"
> and therefore ldns_resolver_search() will not concatenate "mydomain.cz".
> So how can I create a "myhostname" RDF without the trailing "."? Or any
> other suggestion?
>
> Cheers,
> Zbynek
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJL6lLsAAoJEA8yVCPsQCW5Ss8IAItekTcmCrBH/GbCYgbLIVMO
zlydOWWoYPbwWN23uT53v6/b9GaCl85vlxQk8XizcyffFpHvNpydbLAAZQ6oF0rP
JtzsTlR9vmNvoTfr23ZYAlALKnacDhb3W34nAFwZwoOf8KhGvI36D9IvY9NI4r/K
bt9BQm/wGF2yyqUsCp7D8/NaHbgzP7J2hU+58A8I14cuXRGOv3KEWPHZA/hLTxfI
B6YflGVdqBRXVKr8tkB7hc4SPwrSyaFiWEyp13fCyTzJ+uUk9xijO1Ec0QeGLd1L
AKUQeGRs8Ci+4Xu5N37L2galQVezjFhLXTE6XGwO0yZ/9V9ZChdSoG0X1u7JiiU=
=wPt5
-----END PGP SIGNATURE-----

From msheldon at godaddy.com Wed May 12 16:46:56 2010
From: msheldon at godaddy.com (Michael Sheldon)
Date: Wed, 12 May 2010 09:46:56 -0700
Subject: [ldns-users] TSIG trouble
Message-ID: <20100512094656.205a61dff9fc1684c258b274662bb912.62011335a3.wbe@email.secureserver.net>

> With ldns_pkt_new() you can create a new DNS packet. Use the set
> functions to set the QR bit and other values to match your response
> packet. You can use ldns_pkt_tsig_sign() to add the TSIG record.

That is what I am doing. I have also done it by modifying the request
packet, same result.
drill is v1.6.1
ldns is v1.6.4
dig is v9.3.6
nsd is v3.2.4

Drill shows no errors.
Dig says: ;; WARNING -- Some TSIG could not be validated
NSD shows: bad tsig signature

Key type is hmac-md5 (hmac-md5.sig-alg.reg.int.)
Key size is 256

Same results regardless of answer packet length, 1 record or 1,000
records.

I suspect it's something simple, but without any working example, I'm
just flailing in the dark now.

Michael Sheldon
Dev-DNS Services
GoDaddy.com

-------- Original Message --------
Subject: Re: [ldns-users] TSIG trouble
From: Matthijs Mekking
Date: Tue, May 11, 2010 11:57 pm
To: Michael Sheldon
Cc: ldns-users at open.nlnetlabs.nl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michael,

With ldns_pkt_new() you can create a new DNS packet. Use the set
functions to set the QR bit and other values to match your response
packet. You can use ldns_pkt_tsig_sign() to add the TSIG record.

You are suggesting that drill does not complain about the TSIG record,
while it should?

Please let me know which version of drill/ldns you are using, and what
the TSIG parameters are (algorithm: hmac-md5, data length: ?), so I can
try for myself.

Best regards,

Matthijs

Michael Sheldon wrote:
> So, it looks like my TSIG response is somehow incorrect, though drill
> does not complain, NSD does.
>
> Does anyone have a clear example of signing a *response* to a TSIG
> request using ldns? I found nothing in the example apps.
>
>
> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com
>
>
>
>
>
> -------- Original Message --------
> Subject: Re: [ldns-users] TSIG trouble
> From: Matthijs Mekking
> Date: Mon, May 10, 2010 6:43 am
> To: Michael Sheldon
> Cc: ldns-users at open.nlnetlabs.nl
>
> I have run into a TSIG incompatibility issue between BIND9 and LDNS.
> There was a bug in BIND9 regarding the HMAC-SHA functions; it was fixed
> in 9.7.0:
>
> 2834.   [bug]           HMAC-SHA* keys that were longer than the algorithm
>                         digest length were used incorrectly, leading to
>                         interoperability problems with other DNS
>                         implementations. This has been corrected.
>                         (Note: If an oversize key is in use, and
>                         compatibility is needed with an older release of
>                         BIND, the new tool "isc-hmac-fixup" can convert
>                         the key secret to a form that will work with all
>                         versions.) [RT #20751]
>
> If you are using SHA, this could very well be the cause.
>
>
> Best regards,
>
> Matthijs Mekking
> NLnet Labs
>
>
>
> Michael Sheldon wrote:
>> I'm writing a server that uses TSIG, and having some issues with DIG
>> against it.
>
>> I get the key fine, and validate it without trouble. I then sign the
>> result and return it.
>
>> drill is happy with it all the way around, no issues.
>> The same query with the same key using dig returns the results, but
>> also
>> includes:
>> ;; WARNING -- Some TSIG could not be validated
>
>> Any idea on what I might be looking for?
>
>> Using the same TSIG key in NSD works fine with both dig and drill
>
>> Michael Sheldon
>
>
>
>> ------------------------------------------------------------------------
>
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJL6lFYAAoJEA8yVCPsQCW5RKUH/2Efm9X/e0qf5rCPgKZTyNKQ
CxaQ+vOKxjevEpTp/uXetpy5UI/VJVlnzx0R3W8C4CwfKNRO8pLcEBMDnvsAO/ct
S3XZ2lsNaIveUqc+lw9nZrXmbr7So1C/HBLVja+ohlXW6sD7LeX+sKKp8224OvFA
ieP/FYSlA9iNyHN6e2GSZ9V0PAP3PKjEacUS38FuqE8qW3W1+mqPF6Li2cw0ksfA
1dZqpajyarcDnrn2aiovRlX/taCF1+yqi6dV9FSq7y6uVa9RbMiQz6+QUVwv8lAH
tFxDzKWzvEP0xnkTk99PD8D7LuClcJHOrm/bDOejrj3SKKI8id4IaujyLDloRnc=
=+hKw
-----END PGP SIGNATURE-----

From msheldon at godaddy.com Wed May 12 23:18:57 2010
From: msheldon at godaddy.com (Michael Sheldon)
Date: Wed, 12 May 2010 16:18:57 -0700
Subject: [ldns-users] TSIG trouble
Message-ID: <20100512161857.205a61dff9fc1684c258b274662bb912.118c04e6ae.wbe@email.secureserver.net>

OK, managed to get everyone happy, dig, nsd and drill all agree on a
good signature...

Except if a tcp transmission is split into multiple packets.

The way I read the RFCs...

For a simple reply, the tsig MAC of the query is passed to
ldns_pkt_tsig_sign

For multi-packet replies (big AXFR), the digest of the preceding data is
used for subsequent packets.

But, if I try using the tsig MAC of the previous signed DNS packet, the
signature fails in dig and nsd. It also fails if I just keep using the
query MAC.

Ideas?

Michael Sheldon
Dev-DNS Services
GoDaddy.com

From msheldon at godaddy.com Fri May 14 18:07:45 2010
From: msheldon at godaddy.com (Michael Sheldon)
Date: Fri, 14 May 2010 11:07:45 -0700
Subject: [ldns-users] TCP, AXFR and TSIG
Message-ID: <20100514110745.205a61dff9fc1684c258b274662bb912.4140b24fb6.wbe@email.secureserver.net>

An HTML attachment was scrubbed...
URL:

From matthijs at NLnetLabs.nl Wed May 19 13:56:16 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Wed, 19 May 2010 15:56:16 +0200
Subject: [ldns-users] Improper randomness in ldns_resolver_nameservers_randomize() function
In-Reply-To: <4BCF33D0.1040303@nic.cz>
References: <4BCF33D0.1040303@nic.cz>
Message-ID: <4BF3EE00.60401@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Zbynek,

I have changed (in trunk) the function
ldns_resolver_nameservers_randomize(...) to use a different random
generator. You can now initialize randomness yourself by calling
ldns_init_random(...).
Best regards,

Matthijs

Zbynek Michl wrote:
> Hi,
>
> there is no seed initialization before the random() function, and it
> leads to selecting the first resolver every time from the list if it
> contains exactly two resolvers.
> I guess that init with "srandom((unsigned int)time(NULL))" should be
> enough for this purpose.
>
> Thanks,
> Zbynek
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJL8+3+AAoJEA8yVCPsQCW51wkH/iOefTUrk50u1lZrsXEa7+AM
3nTliXoJtuhs8h1yb4uYUAiy6otKXYRkXT9MsvM4g8sOsXc5u013zz7hWry9U4EI
bn8ozcGXmcDudOBnOKrN19icQlSnzoWipthhCc7W2Yn+t3Ev452+Df/31dfVW7th
SOVDdF9nureHiFPGfxdRI7hWDQUvq8Y9Ke7LYxi1MCEBSQcMv8AEWpHG/UpoZwil
ripMA59Vw1hmqqqufbtWlBYIQ64402jl90UaWYKf7E/MVfZMctsvD6BB0ChV78ne
KOhF3bFG0BmjwD2mzGjvV/+umPLqIWtDUKcrlXoLr4+un6StjT4yaMUiiXFb/wc=
=aqD7
-----END PGP SIGNATURE-----

From wouter at NLnetLabs.nl Wed May 26 12:18:03 2010
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Wed, 26 May 2010 14:18:03 +0200
Subject: [ldns-users] building drill dies
In-Reply-To:
References:
Message-ID: <4BFD117B.7080402@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Chris,

Fixed in svn trunk of ldns. Thanks for the detailed follow-up (offlist)
with Gentoo ebuild logs.

Best regards,
   Wouter

On 04/29/2010 04:05 PM, Chris Smith wrote:
> When trying to build drill with ldns (I'm using svn trunk) and the
> Gentoo ebuild system the autoreconf dies with:
> aclocal-1.10: couldn't open directory `m4': No such file or directory
>
> I can remove the line:
> ACLOCAL_AMFLAGS = -Im4
> from drill's Makefile.in and all works fine.
>
> Not a programmer so I don't know the best way to fix this, but I'm
> guessing there should either be an m4 directory or that line should
> not be there.
>
> Chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkv9EXsACgkQkDLqNwOhpPgmCgCfeAggHkZ3m1yrYlvyRtgNiu28
kGEAnjZEARE6uco8JCnN7qKVMyXxI8ok
=PHRL
-----END PGP SIGNATURE-----
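Editor's added example, relating to Michael Sheldon's message of Wed, 12 May 2010 16:18 ("Except if a tcp transmission is split into multiple packets"). It is not ldns code and not code from any poster; it models the RFC 2845 digest construction with Python's standard hmac/hashlib so that the difference between a single signed response and a multi-message TCP response (a large AXFR) is visible byte by byte. In the first message of a stream (and in a single response), the HMAC covers the request MAC (2-byte length plus data, RFC 2845 3.4.3), the DNS message as it is before the TSIG RR is appended (3.4.1), and the full TSIG variables (3.4.2). In every later message of the same stream the previous message's MAC takes the request MAC's place and only the timers, Time Signed and Fudge, are digested instead of the full variables (4.4). The two variants the thread reports as failing, reusing the query MAC for every message and chaining to the previous MAC but still digesting the full variables, are computed as well so that a verifier's rejection of them can be checked. The key, key name, algorithm name, timestamps and wire bytes are constructed stand-ins, and all function names are this example's own.

```python
import hashlib
import hmac


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed
    labels, terminated by the root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def tsig_variables(key_name, alg_name, time_signed, fudge, error=0, other=b""):
    """Full TSIG variables (RFC 2845 3.4.2): used for a query, for a single
    response, and for the first message of a TCP stream."""
    return (name_to_wire(key_name)
            + (255).to_bytes(2, "big")         # CLASS = ANY
            + (0).to_bytes(4, "big")           # TTL = 0
            + name_to_wire(alg_name)
            + time_signed.to_bytes(6, "big")   # 48-bit Time Signed
            + fudge.to_bytes(2, "big")
            + error.to_bytes(2, "big")
            + len(other).to_bytes(2, "big")
            + other)


def tsig_timers(time_signed, fudge):
    """Timers-only variables (RFC 2845 4.4): used for every message of a
    TCP stream after the first."""
    return time_signed.to_bytes(6, "big") + fudge.to_bytes(2, "big")


def tsig_mac(key, prior_mac, message, variables):
    """HMAC-MD5 over [2-byte length + prior MAC, if any] + the DNS message
    as it is before the TSIG RR is appended + the variables."""
    data = b""
    if prior_mac is not None:
        data += len(prior_mac).to_bytes(2, "big") + prior_mac
    return hmac.new(key, data + message + variables, hashlib.md5).digest()


def sign_stream(key, request_mac, messages, key_name, alg_name,
                time_signed, fudge, chain=True, timers_only=True):
    """MACs for a response of one or more messages. The defaults give the
    RFC 2845 construction; chain=False keeps using the query MAC for every
    message and timers_only=False digests the full variables in every
    message, the two variants a verifier rejects for a multi-message stream."""
    macs, prior = [], request_mac
    for i, message in enumerate(messages):
        if i == 0 or not timers_only:
            variables = tsig_variables(key_name, alg_name, time_signed, fudge)
        else:
            variables = tsig_timers(time_signed, fudge)
        mac = tsig_mac(key, prior, message, variables)
        macs.append(mac)
        if chain:
            prior = mac
    return macs


def verify_stream(key, request_mac, messages, macs, key_name, alg_name,
                  time_signed, fudge):
    """Verifier side: recompute the expected chain and compare in constant time."""
    expected = sign_stream(key, request_mac, messages, key_name, alg_name,
                           time_signed, fudge)
    return len(expected) == len(macs) and all(
        hmac.compare_digest(e, m) for e, m in zip(expected, macs))


# Constructed sample data: a placeholder secret and stand-in wire messages,
# not real keys or captured packets.
KEY = b"0123456789abcdef0123456789abcdef"          # 256-bit shared secret
KEY_NAME = "axfr-key.example."
ALG_NAME = "hmac-md5.sig-alg.reg.int."
TIME_SIGNED, FUDGE = 1273700000, 300
QUERY = (b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         + name_to_wire("example.") + b"\x00\xfc\x00\x01")   # QTYPE AXFR, IN
RESPONSES = [b"\x12\x34\x84\x00\x00\x01\x00\x05\x00\x00\x00\x00"
             + b"rrset-" + bytes([0x30 + n]) for n in range(3)]


def request_mac():
    """MAC of the signed query: no prior MAC, full variables."""
    return tsig_mac(KEY, None, QUERY,
                    tsig_variables(KEY_NAME, ALG_NAME, TIME_SIGNED, FUDGE))


def demo():
    """Which of three signing strategies a verifier accepts for a
    three-message TCP response: (RFC chain, reuse query MAC, full variables)."""
    req = request_mac()
    args = (KEY, req, RESPONSES, KEY_NAME, ALG_NAME, TIME_SIGNED, FUDGE)
    good = sign_stream(*args)
    reuse_query_mac = sign_stream(*args, chain=False)
    full_variables = sign_stream(*args, timers_only=False)

    def check(macs):
        return verify_stream(KEY, req, RESPONSES, macs, KEY_NAME, ALG_NAME,
                             TIME_SIGNED, FUDGE)

    return check(good), check(reuse_query_mac), check(full_variables)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

For a one-message response all three strategies collapse to the same MAC, which is why a server can pass every interoperability test with short answers and only fail once an AXFR spans several TCP messages. A verifier that keeps the running MAC and the timers of the current message (as the streams above do) is also what lets it reject a message inserted or reordered mid-transfer.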