[net-dns-users] 0.80: BADKEY BADSIG with TSIG; random errors

tlhackque tlhackque at yahoo.com
Sat Oct 18 18:32:25 UTC 2014

I upgraded from 0.6? to 0.80, and immediately things broke.
RTs 99527, 99528, 99531 and 99571 resulted.

Quick summary for everyone:

o Random errors due to use of undefined Perl syntax ( (my|our) variable
= initializer (if|unless|for|while..)).  Can hit anywhere, quite likely
in a persistent environment (e.g. mod_perl). 

o tsig() now can take a filename.  Some filenames are mis-parsed,
resulting in an invalid key name being sent.  BADKEY errors

o axfr() now verifies responses that are TSIG-signed (because the
request is TSIG-signed).  This is unconditional, and broken. 
Specifically, axfr receives the response, parses it & discards the wire
data.  When the time comes to verify, it reconstructs the wire data
(deleting the TSIG record and modifying the header as required). 
However, encode( decode( wire_data ) ) does not always equal wire_data
bit for bit.  (It will be semantically equal, however.).  Since the
signature is computed bit-for-bit by the server, the Net::DNS computed
signature does not match.  (One reason: label compression.  Net::DNS
always does it.  The server on the other end of the wire: (a) might not
(b) might compress some labels but not others (c) might use different
compression pointers from Net::DNS for the same labels.)  BADSIG errors
result.  Thus, the actual wire data must be saved for signed answers;
this will be an ugly fix.  NOTE: This can also happen with regular
queries if you call $answer->verify().  But at least it's not automagic
for regular queries.

See the RTs for more detail.

I hope this saves someone else some pain; tracking these down is

This communication may not represent my employer's views,
if any, on the matters discussed. 

More information about the net-dns-users mailing list