[Pdns-users] strange TSIG problems

Klaus Darilion klaus.mailinglists at pernau.at
Fri Apr 8 17:48:35 UTC 2016


Hi!

I made some tests to transfer zones from PDNS using TSIG. The strange
thing is that AXFR + TSIG always works. But querying PDNS using TSIG
most of the time results in TSIG errors, e.g.:

I query with:
dig @xx.xx.xx.x www.tld-box.com A -y test:TpCdBiXZ....

successful query:
17:25:25 Query: select algorithm, secret from tsigkeys where name=E'test'
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and type='SOA' and name=E'www.tld-box.com'
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and type='SOA' and name=E'tld-box.com'
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and type='NS' and name=E'www.tld-box.com'
and domain_id=219708
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and name=E'www.tld-box.com' and
domain_id=219708
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and name=E'*.tld-box.com' and domain_id=219708

failing query:
17:25:32 Query: select algorithm, secret from tsigkeys where name=E'test'
17:25:32 Packet for domain 'www.tld-box.com' denied: TSIG signature
mismatch using 'test' and algorithm 'hmac-md5.sig-alg.reg.int.'


I tested with different clients: dig, bind, drill -> same result

I tested with MD5 and SHA256 HMAC -> same result

I tested with self-built PDNS-3.4.8 on Ubuntu 10.4 and PowerDNS' static
build of 3.4.8 on Ubuntu 10.4  -> same result

I tested SOA/A queries and AXFR with TSIG: AXFR always works, SOA/A
queries mostly fail.

I tested against a self-built PDNS 4.0 (quite old) and there it seems to
work.

Any ideas what could be the problem? Was there something related fixed
in PDNS 4.0?

Thanks
Klaus
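To make the server-side check behind a "TSIG signature mismatch" concrete, here is a small worked example of RFC 2845 / RFC 8945 request signing and verification. It is added here for illustration and is not code from the post, from PowerDNS or from dig; the secret, the timestamp and the outcomes are constructed. It reuses the key name `test`, the algorithm `hmac-md5.sig-alg.reg.int.` and the name `www.tld-box.com` from the log above only as sample values. The point it shows is what the MAC actually covers (the unsigned message plus the TSIG variables: key name, class ANY, TTL 0, algorithm name, time signed, fudge, error, other data) and how a server distinguishes a wrong secret or an altered packet (BADSIG) from a clock outside the fudge window (BADTIME), since those look the same to a client that only sees a refused answer.

```python
"""Minimal RFC 2845 / RFC 8945 TSIG request signing and verification.

Added illustration, not PowerDNS or dig code. The key secret, the
"current time" and the query below are constructed sample values.
"""
import hashlib
import hmac
import struct

# Algorithm names as they appear in the TSIG RR, mapped to the hash function.
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int": hashlib.md5,   # the algorithm named in the server log above
    "hmac-sha256": hashlib.sha256,
}


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name, lowercased: TSIG digests names in canonical form."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, msg_id: int = 0x1234) -> bytes:
    """DNS query: header with RD set and one question; no TSIG record yet, so ARCOUNT=0."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields covered by the MAC, in the order the RFC lists them."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)             # CLASS ANY, TTL 0
            + wire_name(algorithm)
            + time_signed.to_bytes(6, "big")         # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(message, key_name, algorithm, secret, time_signed, fudge):
    """MAC over the unsigned message followed by the TSIG variables (request side: no prior MAC)."""
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, ALGORITHMS[algorithm]).digest()


def verify_tsig(message, key_name, algorithm, secret, time_signed, fudge, mac, now):
    """Server-side checks in RFC order: MAC first (BADSIG), then the time window (BADTIME)."""
    expected = tsig_mac(message, key_name, algorithm, secret, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


SECRET = b"constructed-sample-secret-not-a-real-key"   # constructed, not a real TSIG key
NOW = 1460137715                                       # constructed server clock (epoch seconds)


def demo(algorithm="hmac-sha256"):
    """Sign one query and verify it under several conditions; returns the TSIG outcome of each."""
    msg = build_query("www.tld-box.com")
    fudge = 300
    mac = tsig_mac(msg, "test", algorithm, SECRET, NOW, fudge)
    results = {}
    # Same key, same message, clocks in sync.
    results["valid"] = verify_tsig(msg, "test", algorithm, SECRET, NOW, fudge, mac, NOW)
    # Key name differs only in case: canonical form lowercases names, so the MAC still matches.
    results["key_case"] = verify_tsig(msg, "TEST", algorithm, SECRET, NOW, fudge, mac, NOW)
    # Server holds a different secret under the same key name.
    results["wrong_secret"] = verify_tsig(msg, "test", algorithm, b"other-secret", NOW, fudge, mac, NOW)
    # Message changed after signing (different message ID), MAC unchanged.
    tampered = struct.pack("!H", 0x9999) + msg[2:]
    results["tampered"] = verify_tsig(tampered, "test", algorithm, SECRET, NOW, fudge, mac, NOW)
    # Client clock 10 minutes behind: the MAC is correct, but outside the 300 s fudge window.
    old_mac = tsig_mac(msg, "test", algorithm, SECRET, NOW - 600, fudge)
    results["clock_skew"] = verify_tsig(msg, "test", algorithm, SECRET, NOW - 600, fudge, old_mac, NOW)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} -> {outcome}")
```

When diagnosing a mismatch like the one in the log, the useful split is between the two failure classes: a BADSIG means the two sides disagree on the key material or on the bytes that were signed (secret, algorithm name, or the packet itself), while a BADTIME means the key is fine and only the clocks differ by more than the fudge; the server's own error code, if it logs one, tells you which side to look at.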
