[Pdns-users] strange TSIG problems

Klaus Darilion klaus.mailinglists at pernau.at
Mon Apr 11 13:52:11 UTC 2016


Hi!

I tried to debug the issue and here are my findings:

I used tsig-tests as client. I added lots of log messages and dumped
various strings (TSIG MAC, message string ...) in the tsig-tests client
and in the server.

Usually, when I restart PowerDNS, the first query with TSIG works but
subsequent queries fail.

In checkForCorrectTSIG() the received HMAC is compared with the local
one. The local HMAC is calculated from the secret and the 'message'. I
see that, if the comparison fails, the 'message' on the server side is
different from the 'message' on the client side. So, where does 'message'
come from? It comes from q->getTSIGDetails().

In getTSIGDetails() the 'message' is calculated by
makeTSIGMessageFromTSIGPacket().

One of the parameters of makeTSIGMessageFromTSIGPacket() is
d_tsigprevious. If PowerDNS calculates the 'message' correctly (e.g. on
first query after restart) then d_tsigprevious is empty. If PowerDNS
calculates a false 'message', then d_tsigprevious is not empty, but
contains the TSIG MAC of the first (the successful) query.

During AXFR d_tsigprevious is always empty as far as I see. But for
queries d_tsigprevious is set on the first TSIG query, and reused later.

It seems that some data structures are not correctly cleaned up after
the first query, and thus the previous MAC is incorrectly also used to
calculate the 'message'.

Unfortunately I have not yet found where the data structures are
initialized and cleared for every received packet. Any hints are
appreciated. (I need help ;-)

Thanks
Klaus




On 08.04.2016 19:48, Klaus Darilion wrote:
> Hi!
> 
> I made some tests to transfer zones from PDNS using TSIG. The strange
> thing is that AXFR + TSIG always works. But querying PDNS using TSIG
> most of the time results in TSIG errors, e.g.:
> 
> I query with:
> dig @xx.xx.xx.x www.tld-box.com A -y test:TpCdBiXZ....
> 
> successful query:
> 17:25:25 Query: select algorithm, secret from tsigkeys where name=E'test'
> 17:25:25 Query: SELECT
> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
> records WHERE disabled=false and type='SOA' and name=E'www.tld-box.com'
> 17:25:25 Query: SELECT
> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
> records WHERE disabled=false and type='SOA' and name=E'tld-box.com'
> 17:25:25 Query: SELECT
> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
> records WHERE disabled=false and type='NS' and name=E'www.tld-box.com'
> and domain_id=219708
> 17:25:25 Query: SELECT
> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
> records WHERE disabled=false and name=E'www.tld-box.com' and
> domain_id=219708
> 17:25:25 Query: SELECT
> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
> records WHERE disabled=false and name=E'*.tld-box.com' and domain_id=219708
> 
> failing query:
> 17:25:32 Query: select algorithm, secret from tsigkeys where name=E'test'
> 17:25:32 Packet for domain 'www.tld-box.com' denied: TSIG signature
> mismatch using 'test' and algorithm 'hmac-md5.sig-alg.reg.int.'
> 
> 
> I tested with different clients: dig, bind, drill -> same result
> 
> I tested with MD5 and SHA256 HMAC -> same result
> 
> I tested with self-built PDNS-3.4.8 on Ubuntu 10.4 and PowerDNS' static
> build of 3.4.8 on Ubuntu 10.4  -> same result
> 
> I tested SOA/A queries and AXFR with TSIG: AXFR always works, SOA/A
> queries mostly fail.
> 
> I tested against a self-built PDNS 4.0 (quite old) and there it seems to
> work.
> 
> Any ideas what could be the problem? Was there something related fixed
> in PDNS 4.0?
> 
> Thanks
> Klaus
> 
> 
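As an added illustration of the finding in the reply above (example code, not from the thread or from PowerDNS): a minimal RFC 2845 TSIG digest in Python, with a simulation of a server that either clears or keeps its previous-MAC state between two standalone signed queries. The secret, query bytes and timestamp are constructed; the function names and the choice of hmac-sha256 are assumptions, only the key name 'test' comes from the posts.

```python
import hashlib
import hmac
import struct


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a DNS name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split("."))
    return out + b"\x00"


def tsig_variables(keyname, algname, time_signed, fudge=300, error=0, other=b""):
    """TSIG variables in digest order (RFC 2845 section 3.4.2)."""
    return (wire_name(keyname) + struct.pack("!HI", 255, 0)        # CLASS ANY, TTL 0
            + wire_name(algname) + time_signed.to_bytes(6, "big")  # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(secret, dns_message, variables, previous_mac=b""):
    """HMAC-SHA256 over [2-byte length + previous MAC] + message + variables.
    A previous MAC belongs only in responses and AXFR continuations
    (RFC 2845 sections 3.4.3 / 4.4); a standalone query digests it empty."""
    data = b""
    if previous_mac:
        data = struct.pack("!H", len(previous_mac)) + previous_mac
    return hmac.new(secret, data + dns_message + variables, hashlib.sha256).digest()


def verify(secret, dns_message, variables, received_mac, previous_mac=b""):
    """Server-side check; compare_digest avoids leaking the MAC via timing."""
    expected = tsig_mac(secret, dns_message, variables, previous_mac)
    return hmac.compare_digest(expected, received_mac)


def simulate(server_clears_previous):
    """Two independent TSIG-signed queries against one server.
    Returns (first_ok, second_ok). d_tsigprevious mimics the server-side
    'previous MAC' state described in the thread (constructed simulation)."""
    secret = b"constructed-test-secret"          # constructed, not a real key
    d_tsigprevious = b""
    results = []
    for msg_id in (0x1111, 0x2222):
        # constructed stand-in for a query header + question section
        msg = struct.pack("!HH", msg_id, 0) + wire_name("www.example.test")
        var = tsig_variables("test", "hmac-sha256", 1460382000)
        client_mac = tsig_mac(secret, msg, var)           # client: no prior MAC
        results.append(verify(secret, msg, var, client_mac, d_tsigprevious))
        # a server that keeps the last MAC around reuses it for the next query
        d_tsigprevious = b"" if server_clears_previous else client_mac
    return tuple(results)
```

simulate(False) reproduces the symptom from the thread (first query verifies, the second does not), simulate(True) shows both verifying once the previous MAC is cleared per packet.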

