[ldns-users] TSIG trouble

Michael Sheldon msheldon at godaddy.com
Wed May 12 16:46:56 UTC 2010


> With ldns_pkt_new() you can create a new DNS packet. Use the set
> functions to set the QR bit and other values to match your response
> packet. You can use ldns_pkt_tsig_sign() to add the TSIG record.

That is what I am doing. I have also done it by modifying the request
packet, same result.

drill is v1.6.1
ldns is v1.6.4
dig is v9.3.6
nsd is v3.2.4

Drill shows no errors.
Dig says: ;; WARNING -- Some TSIG could not be validated
NSD shows: bad tsig signature

Key type is hmac-md5 (hmac-md5.sig-alg.reg.int.)
Key size is 256

Same results regardless of answer packet length, 1 record or 1,000
records.

I suspect it's something simple, but without any working example, I'm
just flailing in the dark now.

Michael Sheldon
Dev-DNS Services
GoDaddy.com



-------- Original Message --------
Subject: Re: [ldns-users] TSIG trouble
From: Matthijs Mekking <matthijs at NLnetLabs.nl>
Date: Tue, May 11, 2010 11:57 pm
To: Michael Sheldon <msheldon at godaddy.com>
Cc: ldns-users at open.nlnetlabs.nl

Hi Michael,

With ldns_pkt_new() you can create a new DNS packet. Use the set
functions to set the QR bit and other values to match your response
packet. You can use ldns_pkt_tsig_sign() to add the TSIG record.

You are suggesting that drill does not complain about the TSIG record,
while it should? Please let me know which version of drill/ldns are you
using, and what the TSIG parameters are (algorithm: hmac-md5, data
length: ?), so I can try for myself.

Best regards,

Matthijs

Michael Sheldon wrote:
> So, it looks like my TSIG response is somehow incorrect, though drill
> does not complain, NSD does.
> 
> Does anyone have a clear example of signing a *response* to a TSIG
> request using ldns? I found nothing in the example apps.
> 
> 
> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com
> 
> 
> 
> 
> 
> -------- Original Message --------
> Subject: Re: [ldns-users] TSIG trouble
> From: Matthijs Mekking <matthijs at NLnetLabs.nl>
> Date: Mon, May 10, 2010 6:43 am
> To: Michael Sheldon <msheldon at godaddy.com>
> Cc: ldns-users at open.nlnetlabs.nl
> 
> I have run into a TSIG incompatibility issue between BIND9 and LDNS.
> There was a bug in BIND9 regarding the HMAC-SHA functions, it was fixed
> in 9.7.0:
> 
> 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
> digest length were used incorrectly, leading to
> interoperability problems with other DNS
> implementations. This has been corrected.
> (Note: If an oversize key is in use, and
> compatibility is needed with an older release of
> BIND, the new tool "isc-hmac-fixup" can convert
> the key secret to a form that will work with all
> versions.) [RT #20751]
> 
> If you are using SHA, this could very well be the cause.
> 
> 
> Best regards,
> 
> Matthijs Mekking
> NLnet Labs
> 
> 
> 
> Michael Sheldon wrote:
>> I'm writing a server that uses TSIG, and having some issues with DIG
>> against it.
> 
>> I get the key fine, and validate it without trouble. I then sign the
>> result and return it.
> 
>> drill is happy with it all the way around, no issues.
>> The same query with the same key using dig returns the results, but also
>> includes:
>> ;; WARNING -- Some TSIG could not be validated
> 
>> Any idea on what I might be looking for?
> 
>> Using the same TSIG key in NSD works fine with both dig and drill
> 
>> Michael Sheldon
> 
> 
> 
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> 

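The thread asks for a worked example of signing a *response* with hmac-md5. The following Python is an added illustration, not code from the thread or from ldns: it builds the data that RFC 2845 says a TSIG MAC covers and shows that the MAC of a response starts with the length-prefixed MAC of the request it answers (the value ldns takes as the query_mac argument of ldns_pkt_tsig_sign()), so a response signed the way a fresh query is signed yields a different MAC. The key name, secret, timestamp and both messages are constructed values.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").encode().split(b".") if l]
    return b"".join(struct.pack("B", len(l)) + l for l in labels) + b"\x00"

def dns_message(msg_id, flags, qname, answers=()):
    """Minimal uncompressed message: header, one A question, optional A answers.
    ARCOUNT is 0: the TSIG RR itself is never part of the data that is signed."""
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    body = wire_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += wire_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return hdr + body

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 3.4.2): key name, CLASS ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)
            + wire_name(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret, message, variables, request_mac=None):
    """HMAC-MD5 over [request MAC] + message-without-TSIG + TSIG variables.
    A response MAC must begin with the length-prefixed MAC of the request."""
    data = b""
    if request_mac is not None:
        data += struct.pack("!H", len(request_mac)) + request_mac
    return hmac.new(secret, data + message + variables, hashlib.md5).digest()

def sign_exchange(secret, key_name, time_signed, fudge=300):
    """Sign a constructed query and its answer. Returns (request MAC, correct
    response MAC, MAC obtained when the request MAC is left out)."""
    alg = "hmac-md5.sig-alg.reg.int."                     # algorithm from the thread
    query = dns_message(0x1234, 0x0100, "example.com.")
    reply = dns_message(0x1234, 0x8180, "example.com.", answers=["192.0.2.1"])
    tv = tsig_variables(key_name, alg, time_signed, fudge)  # same time for both sides
    request_mac = tsig_mac(secret, query, tv)
    response_mac = tsig_mac(secret, reply, tv, request_mac=request_mac)
    unchained_mac = tsig_mac(secret, reply, tv)              # signed like a query
    return request_mac, response_mac, unchained_mac

if __name__ == "__main__":
    req, resp, bad = sign_exchange(b"\x01" * 32, "key.example.", 1273676816)
    print("response MAC:", resp.hex(), "differs from unchained MAC:", resp != bad)
```

A verifier such as NSD recomputes the response MAC with the request MAC prepended, so only the chained value passes; the unchained one is rejected as a bad signature.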