[net-dns-users] 0.80: BADKEY BADSIG with TSIG; random errors
tlhackque at yahoo.com
Sat Oct 18 18:32:25 UTC 2014
I upgraded from 0.6? to 0.80, and immediately things broke.
RTs 99527, 99528, 99531 and 99571 resulted.
Quick summary for everyone:
o Random errors due to use of undefined Perl syntax ( (my|our) variable
= initializer (if|unless|for|while..)). Can hit anywhere, quite likely
in a persistent environment (e.g. mod_perl).
o tsig() now can take a filename. Some filenames are mis-parsed,
resulting in an invalid key name being sent. BADKEY errors
o axfr() now verifies responses that are TSIG-signed (because the
request is TSIG-signed). This is unconditional, and broken.
Specifically, axfr receives the response, parses it & discards the wire
data. When the time comes to verify, it reconstructs the wire data
(deleting the TSIG record and modifying the header as required).
However, encode( decode( wire_data ) ) does not always equal wire_data
bit for bit. (It will be semantically equal, however.). Since the
signature is computed bit-for-bit by the server, the Net::DNS computed
signature does not match. (One reason: label compression. Net::DNS
always does it. The server on the other end of the wire: (a) might not
(b) might compress some labels but not others (c) might use different
compression pointers from Net::DNS for the same labels.) BADSIG errors
result. Thus, the actual wire data must be saved for signed answers;
this will be an ugly fix. NOTE: This can also happen with regular
queries if you call $answer->verify(). But at least it's not automagic
for regular queries.
See the RTs for more detail.
I hope this saves someone else some pain; tracking these down is
This communication may not represent my employer's views,
if any, on the matters discussed.
More information about the net-dns-users