[ldns-users] TSIG trouble
Matthijs Mekking
matthijs at NLnetLabs.nl
Wed May 12 06:57:34 UTC 2010
Hi Michael,
With ldns_pkt_new() you can create a new DNS packet. Use the set
functions to set the QR bit and other values to match your response
packet. You can use ldns_pkt_tsig_sign() to add the TSIG record.
You are suggesting that drill does not complain about the TSIG record,
while it should? Please let me know which version of drill/ldns you are
using, and what the TSIG parameters are (algorithm: hmac-md5, data
length: ?), so I can try for myself.
Best regards,
Matthijs
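To make concrete what signing a *response* involves, here is an added example (not from this thread and not ldns code; written in Python instead of C so it runs with only the standard library) that builds the RFC 2845 digest input for hmac-md5: for a response, the MAC of the request is digested first, which is what the query_mac argument of ldns_pkt_tsig_sign() carries, and a response MAC computed as if it were a fresh request does not verify. The key name, secret, message IDs and timestamp below are constructed.

```python
import hashlib
import hmac
import struct

# TSIG algorithm name for hmac-md5 (RFC 2845); digested in uncompressed wire form.
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."

def wire_name(name):
    """Dotted name -> uncompressed wire format, lower-cased (TSIG digests names canonically)."""
    out = b"".join(bytes([len(l)]) + l.lower().encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields that are digested: name, class ANY, TTL 0, alg, 48-bit time, fudge, error, other."""
    hdr = wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(HMAC_MD5)
    tail = struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other))
    return hdr + tail + other

def tsig_mac(secret, msg, key_name, time_signed, fudge, request_mac=b""):
    """MAC over [request MAC, length-prefixed (responses only)] + message + TSIG variables.
    `msg` is the packet as it stands before the TSIG RR is appended (ARCOUNT not yet counting it)."""
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += msg + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()

def verify_response(secret, response, key_name, time_signed, fudge, request_mac, mac):
    """What a TSIG-aware client does with a signed response: recompute using the MAC of its own request."""
    expected = tsig_mac(secret, response, key_name, time_signed, fudge, request_mac)
    return hmac.compare_digest(expected, mac)

# Constructed sample traffic: a query for example.com/A and an empty response with the QR bit set.
QUESTION = wire_name("example.com.") + struct.pack("!HH", 1, 1)            # type A, class IN
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION     # RD
RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION  # QR|RD|RA
SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed, not a real TSIG secret
KEY_NAME = "demo-key."                               # constructed key name
TIME_SIGNED, FUDGE = 1273647454, 300                 # constructed timestamp, 5 minute fudge

def demo():
    """Return (correctly signed response verifies, response signed without the request MAC verifies)."""
    query_mac = tsig_mac(SECRET, QUERY, KEY_NAME, TIME_SIGNED, FUDGE)
    good = tsig_mac(SECRET, RESPONSE, KEY_NAME, TIME_SIGNED, FUDGE, request_mac=query_mac)
    # Signing the response like a fresh request (no request MAC) yields a MAC the client rejects.
    bad = tsig_mac(SECRET, RESPONSE, KEY_NAME, TIME_SIGNED, FUDGE)
    return (verify_response(SECRET, RESPONSE, KEY_NAME, TIME_SIGNED, FUDGE, query_mac, good),
            verify_response(SECRET, RESPONSE, KEY_NAME, TIME_SIGNED, FUDGE, query_mac, bad))

if __name__ == "__main__":
    print(demo())  # (True, False)
```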
Michael Sheldon wrote:
> So, it looks like my TSIG response is somehow incorrect, though drill
> does not complain, NSD does.
>
> Does anyone have a clear example of signing a *response* to a TSIG
> request using ldns? I found nothing in the example apps.
>
>
> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com
>
> -------- Original Message --------
> Subject: Re: [ldns-users] TSIG trouble
> From: Matthijs Mekking <matthijs at NLnetLabs.nl>
> Date: Mon, May 10, 2010 6:43 am
> To: Michael Sheldon <msheldon at godaddy.com>
> Cc: ldns-users at open.nlnetlabs.nl
>
> I have run into a TSIG incompatibility issue between BIND9 and LDNS.
> There was a bug in BIND9 regarding the HMAC-SHA functions, it was fixed
> in 9.7.0:
>
> 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
> digest length were used incorrectly, leading to
> interoperability problems with other DNS
> implementations. This has been corrected.
> (Note: If an oversize key is in use, and
> compatibility is needed with an older release of
> BIND, the new tool "isc-hmac-fixup" can convert
> the key secret to a form that will work with all
> versions.) [RT #20751]
>
> If you are using SHA, this could very well be the cause.
>
>
> Best regards,
>
> Matthijs Mekking
> NLnet Labs
>
> Michael Sheldon wrote:
>> I'm writing a server that uses TSIG, and having some issues with DIG
>> against it.
>
>> I get the key fine, and validate it without trouble. I then sign the
>> result and return it.
>
>> drill is happy with it all the way around, no issues.
>> The same query with the same key using dig returns the results, but
>> also includes:
>> ;; WARNING -- Some TSIG could not be validated
>
>> Any idea on what I might be looking for?
>
>> Using the same TSIG key in NSD works fine with both dig and drill
>
>> Michael Sheldon
>
>
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>