[Pdns-dev] TLSA certificate field type is incorrect

Pieter Lexis pieter.lexis at os3.nl
Mon Jan 16 23:52:51 CET 2012



Hi *,

I'm doing a small academic study on DANE/TLSA and came across the following:

The current implementation sends (as far as I can see) incorrect data.
The record returned is larger than the actual data and does not match.

---------------------------------------------
$ drill _443._tcp.dane.kiev.practicum.os3.nl. TYPE65468 @kiev.studlab.os3.nl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 29600
;; flags: qr aa rd ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; _443._tcp.dane.kiev.practicum.os3.nl.        IN      TYPE65468

;; ANSWER SECTION:
_443._tcp.dane.kiev.practicum.os3.nl.   300     IN      TYPE65468 \# 99
010002f3579eedfe9cd1e71ce9bd3d6fbefce5af78d7c7f9e38df675eeb7d1d779e1d73a79ef5eddce3d75ee78efbd3c776dfa778738d777377bdedee387fdebd7badf9f79f1a6b8d74e3de7ce38d76edcd38f3cdf9d377b96f4db871fedaf1fe9af78

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 2 msec
;; SERVER: 145.100.104.48
;; WHEN: Mon Jan 16 19:48:35 2012
;; MSG SIZE  rcvd: 165
---------------------------------------------

The draft-ietf-dane-protocol-14 document[0] specifies the 'Certificate
for Association' field as follows:

      ...  The field contains the bytes
      to be matched or the hash of the bytes to be matched.
      ...

And it specifies the presentation of the field as follows:

      The certificate for association field MUST be represented as a
      string of hexadecimal characters.  Whitespace is allowed within
      the string of hexadecimal characters.

I've patched my pdns as the attached diff shows and it now returns the
correct data (a.k.a. the data in the database).

---------------------------------------------
$ drill _443._tcp.dane.kiev.practicum.os3.nl. TYPE65468 @kiev.studlab.os3.nl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 20617
;; flags: qr aa rd ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; _443._tcp.dane.kiev.practicum.os3.nl.        IN      TYPE65468

;; ANSWER SECTION:
_443._tcp.dane.kiev.practicum.os3.nl.   300     IN      TYPE65468 \# 67
01000281ee7f6c0ecc6b09b7785a9418f54432de630dd54dc6ee9e3c49de547708d236d4c413c3e97e44f969e635958aa410495844127c04883503e5b024cf7a8f6a94

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 1 msec
;; SERVER: 145.100.104.48
;; WHEN: Mon Jan 16 22:31:14 2012
;; MSG SIZE  rcvd: 133
---------------------------------------------

I don't know anything about the PowerDNS internals, so I could be
overlooking something (and it was late when I fixed this issue). But
hopefully this patch will help you.

Cheers,

Pieter Lexis

0 - http://datatracker.ietf.org/doc/draft-ietf-dane-protocol/
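An added example (my own code, not the diff attached to the mail) that builds TLSA RDATA the way the draft's presentation rules require, hex with optional whitespace, and checks the association field length against the matching type. It uses the two answers quoted above and also reproduces the first one: its 96 data bytes are what you get by base64-decoding the 128 hexadecimal characters, which is my observation from the quoted records, not something the mail states.

```python
import base64
import binascii
import re

# Expected digest length (bytes) per matching type in draft-ietf-dane-protocol:
# 0 = exact match on the full data (any length), 1 = SHA-256, 2 = SHA-512.
DIGEST_LEN = {1: 32, 2: 64}

def tlsa_to_wire(usage, selector, matching, cert_field, decoder=binascii.unhexlify):
    """Encode TLSA RDATA: three one-octet fields followed by the raw
    certificate-association bytes. The presentation form of that field is
    hexadecimal with optional whitespace, so the default decoder is unhexlify;
    ``decoder`` is a hook used below only to reproduce the wrong encoding."""
    text = re.sub(r"\s+", "", cert_field)
    return bytes([usage, selector, matching]) + decoder(text)

def wire_to_tlsa(rdata):
    """Split wire RDATA back into (usage, selector, matching, hex string)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than the three fixed octets")
    return rdata[0], rdata[1], rdata[2], rdata[3:].hex()

def rdata_is_consistent(rdata):
    """True when the association field length matches the matching type;
    this is the quick sanity check that flags the 99-byte answer."""
    _, _, matching, hexdata = wire_to_tlsa(rdata)
    expected = DIGEST_LEN.get(matching)
    return expected is None or len(hexdata) // 2 == expected

# Values taken from the two drill answers in the mail above.
GOOD_HASH = ("81ee7f6c0ecc6b09b7785a9418f54432de630dd54dc6ee9e3c49de547708d236"
             "d4c413c3e97e44f969e635958aa410495844127c04883503e5b024cf7a8f6a94")
GOOD_RDATA = binascii.unhexlify("010002" + GOOD_HASH)  # 67 bytes
BAD_RDATA = binascii.unhexlify(
    "010002f3579eedfe9cd1e71ce9bd3d6fbefce5af78d7c7f9e38df675eeb7d1d7"
    "79e1d73a79ef5eddce3d75ee78efbd3c776dfa778738d777377bdedee387fdeb"
    "d7badf9f79f1a6b8d74e3de7ce38d76edcd38f3cdf9d377b96f4db871fedaf1f"
    "e9af78")  # 99 bytes

def encode_as_in_draft():
    """Correct encoding: 1 0 2 plus the 64 hash bytes, whitespace tolerated."""
    spaced = " ".join(GOOD_HASH[i:i + 32] for i in range(0, 128, 32))
    return tlsa_to_wire(1, 0, 2, spaced)

def encode_hex_as_base64():
    """Reproduce the faulty answer: 128 hex characters treated as base64 give
    96 bytes instead of 64, i.e. the 99-byte record seen first."""
    return tlsa_to_wire(1, 0, 2, GOOD_HASH, decoder=base64.b64decode)
```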
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pdns-tlsa.diff
Type: text/x-patch
Size: 444 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-dev/attachments/20120116/432f6c80/attachment.bin>
