[nsd-users] nsd-xfer using TSIG - read_tsig_key_data()

Matthijs Mekking matthijs at NLnetLabs.nl
Tue Feb 16 09:38:55 UTC 2010

Hash: SHA1

Hi Paul,

This info is explained in the README file ;).

But fair enough, I agree that a useful pointer could also be in the manpage.

Best regards,


Paul Wouters wrote:
> Hi,
> I was trying to use nsd-xfer with TSIG, and it took quite some time to
> figure
> out, as the man page only mentions it is in the form of "tsiginfo".
> I tested and it did not seem to be the same format as a key: section in the
> nsd.conf file (Feature request: use the same format as the key: clause)
> Looking through the source, I was confused about the simplicity of the
> ahum "parser" :)
> read_tsig_key_data() is called with a file pointer and is suppoed to
> return the tsig_key_type
> It uses tsig_read_line(), a small routine to read and strip a line.
> The first line read is ignored, apparently it thinks this might contain
> the IP address
> that is not used, as that is specified on the command line to nsd-xfer.
> It would be a
> good candidate to go.
> The second line reads the key name, and runs it through dname_parse(). I
> guess to verify
> the keyname is a valid RRlabel, then stores it.
> The third line reads the key algorithm. Then it runs atoi() on it, so I
> guess me specifying
> "hmac-md5" was wrong. Looking at RFC2845 didn't give me the answer, but
> apparently I was
> looking for "157" if I can trust tsig.h (and testing shows I can)
> I would have send a patch if the man pages were kept in xml format, but
> since writing in roff is only barely more fun then stabbing yourself in
> the eye you will have to accept this "diff" in text form:
> old text:
>        -T tsiginfo
>               Use  TSIG  to  verify  the zone transfer. The tsiginfo
> file must
>               contain the TSIG key information. The file is removed
> upon  suc-
>               cessful reading of the key.
> new text:
>        -T tsiginfo
>               Use  TSIG  to  verify  the zone transfer. The tsiginfo
> file must
>               contain the TSIG key information and is removed upon  suc-
>               cessful reading of the key. The file must contain exactly
> four
>               lines containing the following items in this specific order:
>               <comment>
>               <keyname>
>               <tsig algorithm number>
>               <tsig secret in base64>
>               The keyname must be a valid RRlabel (alphanumeric, dots
> and "-" only)
>               Currently supposed tsig algorithms are 157 (hmac-md5), 158
> (hmac-sha1)
>               and 159 (hmac-sha256)
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the nsd-users mailing list