[ldns-users] TSIG trouble
Matthijs Mekking
matthijs at NLnetLabs.nl
Mon May 10 13:43:57 UTC 2010
I have run into a TSIG incompatibility issue between BIND9 and LDNS.
There was a bug in BIND9 regarding the HMAC-SHA functions; it was fixed
in 9.7.0:

    2834.   [bug]   HMAC-SHA* keys that were longer than the algorithm
                    digest length were used incorrectly, leading to
                    interoperability problems with other DNS
                    implementations. This has been corrected.
                    (Note: If an oversize key is in use, and
                    compatibility is needed with an older release of
                    BIND, the new tool "isc-hmac-fixup" can convert
                    the key secret to a form that will work with all
                    versions.) [RT #20751]

If you are using SHA, this could very well be the cause.
Best regards,
Matthijs Mekking
NLnet Labs
Michael Sheldon wrote:
> I'm writing a server that uses TSIG, and having some issues with DIG
> against it.
>
> I get the key fine, and validate it without trouble. I then sign the
> result and return it.
>
> drill is happy with it all the way around, no issues.
> The same query with the same key using dig returns the results, but also
> includes:
> ;; WARNING -- Some TSIG could not be validated
>
> Any idea on what I might be looking for?
>
> Using the same TSIG key in NSD works fine with both dig and drill
>
> Michael Sheldon
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
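
Added example, not part of the original thread and not code from BIND or LDNS: a self-contained check of how an oversize HMAC-SHA key, as in the changelog entry quoted above, makes two implementations compute different MACs, and why a converted secret works with both. It assumes the old behaviour was to pre-hash any key longer than the digest length (RFC 2104 pre-hashes only keys longer than the hash block size) and that the conversion replaces an oversize secret with its own digest; the function names, keys and message are hypothetical and constructed.

```python
import hashlib
import hmac

def rfc2104_mac(key: bytes, msg: bytes, alg: str) -> bytes:
    # Standard HMAC: a key is pre-hashed only when longer than the hash BLOCK size.
    return hmac.new(key, msg, alg).digest()

def legacy_mac(key: bytes, msg: bytes, alg: str) -> bytes:
    # ASSUMED model of the old behaviour: pre-hash when longer than the DIGEST size.
    if len(key) > hashlib.new(alg).digest_size:
        key = hashlib.new(alg, key).digest()
    return hmac.new(key, msg, alg).digest()

def fixup_secret(key: bytes, alg: str) -> bytes:
    # ASSUMED conversion: an oversize secret is replaced by its own digest,
    # which is short enough that both models use it unchanged.
    if len(key) > hashlib.new(alg).digest_size:
        return hashlib.new(alg, key).digest()
    return key

def interoperates(key: bytes, msg: bytes, alg: str) -> bool:
    # True when both models compute the same MAC for this key.
    return hmac.compare_digest(rfc2104_mac(key, msg, alg),
                               legacy_mac(key, msg, alg))

def affected(key: bytes, alg: str) -> bool:
    # The two models differ only when digest size < key length <= block size.
    h = hashlib.new(alg)
    return h.digest_size < len(key) <= h.block_size

# Constructed sample data: not real TSIG keys, and MSG only stands in for
# the bytes a TSIG implementation would actually feed to the MAC.
MSG = b"constructed message standing in for the TSIG-signed data"
KEYS = {n: bytes(range(n)) for n in (16, 32, 48, 100)}

if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        for n, key in KEYS.items():
            fixed = fixup_secret(key, alg)
            print(f"hmac-{alg} key={n:3d}B affected={affected(key, alg)!s:5} "
                  f"interop={interoperates(key, MSG, alg)!s:5} "
                  f"after_fixup={interoperates(fixed, MSG, alg)}")
```

Under these assumptions the converted secret yields the MAC the old model produced with the original secret, so every peer has to be switched to the converted secret together.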