[net-dns-users] TSIG error when upgrading Debian Linux libnet-dns-perl package.

Dick Franks rwfranks at acm.org
Thu Aug 14 11:12:43 UTC 2014

On 7 August 2014 04:25, Jim Barber <jim.barber at primaryhealthcare.com.au>

> Hopefully this is the correct mailing list to report an issue I've
> encountered.

No, it is not.  Bugs are reported using the CPAN RT system.

But as this is probably not a bug, here is ok.

I suggest you start by reading the documentation for Net::DNS::RR::TSIG and
Net::DNS::Packet (sign_tsig) and adjust your example to match.

 use Carp;
 use Net::DNS;

 my $resolver = Net::DNS::Resolver->new();

 my $key_name    = 'key_name';
 my $algorithm   = 'gss.microsoft.com';
 my $gss_context = 'gss_context';

 # external signing function; receives the binary key and the data to sign
 sub gss_sign {
     carp sprintf( "gss_sign( %s, %s )\tcalled", map unpack( 'H*', $_ ), @_ );
     scalar reverse shift;    # fake sig
 }

 my $tsig = Net::DNS::RR->new(
     name      => $key_name,
     type      => "TSIG",
     algorithm => $algorithm,
     sign_func => \&gss_sign,
     keybin    => $gss_context,    # binary key; key => ... would expect Base64
 );

 my $query = Net::DNS::Packet->new('x');

 $query->sign_tsig($tsig);    # a copy of $tsig is added to the packet; $tsig is untouched

 my $reply = $resolver->send($query);

Note that the "key" is binary, not Base64 encoded. I guess this may be a
large part of your problem. The version shipped with 0.68 had the
conversions in the wrong places, which made it impossible to build an
internal key management scheme which could handle both predefined HMAC-SHA
functions and the external function needed for GSS.

In the key table, the algorithm name indicates the signing function to be
used, and the key name indicates which key to use. This association cannot
be changed.

The TSIG that is presented to packet->sign_tsig() is never modified and can
be reused;  the TSIG added to the packet is a copy with the MAC and other
info added automatically.

> From version 0.68 to 0.78 of the Net::DNS perl module it looks like there
> were quite a lot of changes to the Net::DNS::RR::TSIG module.

This was a complete rewrite, for two separate reasons:

1) The internal architecture of Net::DNS::RR changed significantly between
   0.68 and 0.69.
2) There was no support for TSIG verification or for signing multi-message
   transactions like zone transfers (added in 0.75).

It would be interesting to see if you can make a TSIG verified zone
transfer work using your GSS setup.  This is the code I used for
HMAC-SHA256 with BIND.

 use Net::DNS;

 my @ip = ('192.0.2.53');    # placeholder: address of the BIND server

 my $tsig = Net::DNS::RR->new(
     name      => 'key_name',
     type      => 'TSIG',
     algorithm => 'hmac-sha256',
     key       => 'BASE64_KEY_HERE',    # placeholder: Base64 key, as written in named.conf
 );

 my $resolver = Net::DNS::Resolver->new( nameservers => [@ip] );

 $resolver->tsig($tsig);    # every message of the transfer is signed and verified

 my @zone = $resolver->axfr( 'example.com', 'IN' );

 warn "Zone transfer failed: ", $resolver->errorstring, "\n" unless @zone;

 $_->print foreach @zone;
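As an added illustration of the "key is binary" point and of the key-table rule described above, not code from this thread or from Net::DNS, the following is a minimal, independent Python implementation of TSIG request signing and verification (HMAC-SHA256 only, stand-alone requests only, no response or AXFR chaining). The key table binds a key name to its raw key bytes and an algorithm name to the digest function; a verifier that is handed the Base64 text instead of the decoded bytes rejects an otherwise valid message with BADSIG. All names, key material and timestamps are constructed for the example.

```python
"""Minimal TSIG (RFC 2845) request signing/verification, HMAC-SHA256 only.
Added example, independent of Net::DNS; stand-alone requests, no MAC chaining."""
import base64
import hashlib
import hmac
import struct
import time

TSIG_TYPE = 250
CLASS_ANY = 255
ALGORITHMS = {"hmac-sha256": hashlib.sha256}   # algorithm name -> "signing function"

def canon(name):
    """Canonical form for key-table lookup and comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()

def wire_name(name):
    """Uncompressed, lowercase wire encoding of a DNS name (what the MAC is computed over)."""
    labels = [l for l in canon(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, pos):
    """Read an uncompressed name at pos (TSIG owner and algorithm names are not compressed)."""
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def skip_name(buf, pos):
    """Advance past a possibly compressed name (used only to walk over earlier RRs)."""
    while True:
        n = buf[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:              # compression pointer terminates the name
            return pos + 2
        pos += 1 + n

def build_query(msg_id, qname, qtype=1):
    """Constructed sample query: header with RD set and a single question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG fields appended to the message before hashing (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(message, key_name, key_bytes, algorithm="hmac-sha256", time_signed=None, fudge=300):
    """Append a TSIG RR to a request. key_bytes is the raw secret, not its Base64 text."""
    if time_signed is None:
        time_signed = int(time.time())
    digest_input = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    mac = hmac.new(key_bytes, digest_input, ALGORITHMS[algorithm]).digest()
    msg_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(algorithm) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", msg_id, 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1      # the TSIG counts in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def verify(signed, key_table, now=None):
    """Verify the trailing TSIG against key_table {canon(name): (algorithm, key_bytes)}.
    Returns (True, "ok") or (False, reason), reason being the RFC 2845 error name."""
    if now is None:
        now = int(time.time())
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "no TSIG"
    pos = 12
    for _ in range(qd):
        pos = skip_name(signed, pos) + 4
    for _ in range(an + ns + ar - 1):                          # every RR before the TSIG
        pos = skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = read_name(signed, pos)
    rtype, rclass, _, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
    pos += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY or pos + rdlen != len(signed):
        return False, "FORMERR"
    algorithm, pos = read_name(signed, pos)
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[pos + 6:pos + 10])
    pos += 10
    mac = signed[pos:pos + mac_size]
    pos += mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    entry = key_table.get(canon(key_name))                     # key name selects the key
    if entry is None or canon(entry[0]) != canon(algorithm) or canon(algorithm) not in ALGORITHMS:
        return False, "BADKEY"                                 # algorithm selects the function
    # Rebuild exactly what the signer hashed: original ID, ARCOUNT without the TSIG, no TSIG RR.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(entry[1], unsigned + tsig_variables(key_name, algorithm, time_signed, fudge, error, other),
                        ALGORITHMS[canon(algorithm)]).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "ok"

# Constructed demonstration values (not a real key).
KEY_B64 = "c2VjcmV0LWtleS1mb3ItdGhlLWV4YW1wbGU="             # base64("secret-key-for-the-example")
KEY_BYTES = base64.b64decode(KEY_B64)
KEYS_RAW = {"key.example": ("hmac-sha256", KEY_BYTES)}           # correct: raw bytes, as keybin expects
KEYS_TEXT = {"key.example": ("hmac-sha256", KEY_B64.encode())}   # wrong: Base64 text used as the key

def demo(now=1408014763):
    """Sign a constructed query, then verify with the raw key and with the un-decoded Base64 text."""
    signed = sign(build_query(0x1234, "example.com.", 6), "key.example.", KEY_BYTES, time_signed=now)
    return verify(signed, KEYS_RAW, now), verify(signed, KEYS_TEXT, now)

if __name__ == "__main__":
    print(demo())     # ((True, 'ok'), (False, 'BADSIG'))
```

The verifier deliberately looks the key up by name and then insists that the algorithm carried in the TSIG matches the one bound to that key, which is the same fixed association the key table described above enforces; it also uses a constant-time comparison for the MAC and checks the time window only after the MAC is known to be good.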