[Pdns-users] strange TSIG problems

Peter van Dijk peter.van.dijk at powerdns.com
Mon Apr 11 17:11:21 UTC 2016


Hello Klaus,

great debugging! Can you please put this in a ticket so we don’t 
forget? Thank you!

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

On 11 Apr 2016, at 15:52, Klaus Darilion wrote:

> Hi!
>
> I tried to debug the issue and here are my findings:
>
> I used tsig-tests as client. I added lots of log messages and dumped
> various strings (TSIG MAC, message string ...) in the tsig-tests client
> and in the server.
>
> Usually, when I restart PowerDNS, the first query with TSIG works but
> subsequent queries fail.
>
> In checkForCorrectTSIG() the received HMAC is compared with the local
> one. The local HMAC is calculated from the secret and the 'message'. I
> see that, if the comparison fails, the 'message' on the server side is
> different from the 'message' on the client side. So, where does
> 'message' come from? It comes from q->getTSIGDetails().
>
> In getTSIGDetails() the 'message' is calculated by
> makeTSIGMessageFromTSIGPacket().
>
> One of the parameters of makeTSIGMessageFromTSIGPacket() is
> d_tsigprevious. If PowerDNS calculates the 'message' correctly (e.g. on
> the first query after restart) then d_tsigprevious is empty. If PowerDNS
> calculates a false 'message', then d_tsigprevious is not empty, but
> contains the TSIG MAC of the first (the successful) query.
>
> During AXFR d_tsigprevious is always empty as far as I see. But for
> queries d_tsigprevious is set on the first TSIG query, and reused later.
>
> It seems that some data structures are not correctly cleaned up after
> the first query, and thus the previous MAC is incorrectly also used to
> calculate the 'message'.
>
> Unfortunately I have not found yet where the data structures are
> initialized and cleared for every received packet. Any hints are
> appreciated. (I need help ;-)
>
> Thanks
> Klaus
>
>
>
>
> On 08.04.2016 19:48, Klaus Darilion wrote:
>> Hi!
>>
>> I made some tests transferring zones from PDNS using TSIG. The strange
>> thing is that AXFR + TSIG always works. But querying PDNS using TSIG
>> most of the time results in TSIG errors, e.g.:
>>
>> I query with:
>> dig @xx.xx.xx.x www.tld-box.com A -y test:TpCdBiXZ....
>>
>> successful query:
>> 17:25:25 Query: select algorithm, secret from tsigkeys where 
>> name=E'test'
>> 17:25:25 Query: SELECT
>> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
>> records WHERE disabled=false and type='SOA' and 
>> name=E'www.tld-box.com'
>> 17:25:25 Query: SELECT
>> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
>> records WHERE disabled=false and type='SOA' and name=E'tld-box.com'
>> 17:25:25 Query: SELECT
>> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
>> records WHERE disabled=false and type='NS' and 
>> name=E'www.tld-box.com'
>> and domain_id=219708
>> 17:25:25 Query: SELECT
>> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
>> records WHERE disabled=false and name=E'www.tld-box.com' and
>> domain_id=219708
>> 17:25:25 Query: SELECT
>> content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
>> records WHERE disabled=false and name=E'*.tld-box.com' and 
>> domain_id=219708
>>
>> failing query:
>> 17:25:32 Query: select algorithm, secret from tsigkeys where 
>> name=E'test'
>> 17:25:32 Packet for domain 'www.tld-box.com' denied: TSIG signature
>> mismatch using 'test' and algorithm 'hmac-md5.sig-alg.reg.int.'
>>
>>
>> I tested with different clients: dig, bind, drill -> same result
>>
>> I tested with MD5 and SHA256 HMAC -> same result
>>
>> I tested with self-built PDNS-3.4.8 on Ubuntu 10.4 and PowerDNS' static
>> build of 3.4.8 on Ubuntu 10.4 -> same result
>>
>> I tested SOA/A queries and AXFR with TSIG: AXFR always works, SOA/A
>> queries mostly fail.
>>
>> I tested against a self-built PDNS 4.0 (quite old) and there it seems
>> to work.
>>
>> Any ideas what could be the problem? Was there something related fixed
>> in PDNS 4.0?
>>
>> Thanks
>> Klaus
>>
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>
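To make the mechanism in Klaus's analysis concrete, here is an added Python example; it is not PowerDNS code and not from the thread. It builds the RFC 2845 TSIG digest input ([prior MAC] + DNS message + TSIG variables) for two independent, freshly signed queries and shows that a verifier which carries the first query's MAC into the second computation (the non-empty d_tsigprevious case) gets a different MAC and reports a mismatch, while the same verifier with an empty prior MAC succeeds. The secret, key name, timestamps and DNS messages are constructed; the chained-AXFR case at the end is simplified in that it digests the full TSIG variable block rather than only the timer fields RFC 2845 section 4.4 uses for intermediate messages.

```python
import hashlib
import hmac
import struct


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format encoding of a DNS name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(keyname: str, algorithm: str, time_signed: int,
                   fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG RR fields that enter the digest (RFC 2845 section 3.4.2):
    NAME, CLASS (ANY), TTL (0), then the RDATA without MAC and original ID."""
    return (
        encode_name(keyname)
        + struct.pack("!HI", 255, 0)                       # CLASS ANY, TTL 0
        + encode_name(algorithm)
        + struct.pack("!HIH", time_signed >> 32,           # 48-bit time signed
                      time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!HH", error, len(other))
        + other
    )


def tsig_mac(secret: bytes, message: bytes, variables: bytes,
             previous_mac: bytes = b"") -> bytes:
    """HMAC-MD5 over [2-byte length + prior MAC] + DNS message + TSIG variables.

    The prior MAC belongs in the digest only for the second and later
    messages of one multi-message response such as an AXFR (RFC 2845
    section 4.4). For an independent query it must be absent; carrying
    one over is exactly the non-empty d_tsigprevious symptom above.
    """
    data = b""
    if previous_mac:
        data += struct.pack("!H", len(previous_mac)) + previous_mac
    data += message + variables
    return hmac.new(secret, data, hashlib.md5).digest()


def verify(secret: bytes, message: bytes, variables: bytes,
           received_mac: bytes, previous_mac: bytes = b"") -> bool:
    """Server-side check: recompute the MAC and compare in constant time."""
    expected = tsig_mac(secret, message, variables, previous_mac)
    return hmac.compare_digest(expected, received_mac)


def dns_query(msg_id: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed minimal DNS query (header + one question), i.e. the
    message as it looks before the TSIG RR is appended, which is what the
    digest covers."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def demo():
    """Two independent TSIG-signed queries, then a legitimately chained AXFR.

    Returns (first_ok, second_ok_with_stale_prev, second_ok_fresh, axfr_ok).
    """
    secret = b"constructed-secret"          # constructed, not a real key
    key, alg = "test.", "hmac-md5.sig-alg.reg.int."

    # Query 1: client signs with no prior MAC; server verifies the same way.
    q1 = dns_query(0x1234, "www.tld-box.com.")
    v1 = tsig_variables(key, alg, 1460393125, 300)
    mac1 = tsig_mac(secret, q1, v1)
    first_ok = verify(secret, q1, v1, mac1)

    # Query 2: client again signs fresh ...
    q2 = dns_query(0x1235, "www.tld-box.com.")
    v2 = tsig_variables(key, alg, 1460393132, 300)
    mac2 = tsig_mac(secret, q2, v2)
    # ... but a verifier still holding mac1 as "previous" digests different
    # bytes and reports a signature mismatch; with it cleared, it succeeds.
    second_stale = verify(secret, q2, v2, mac2, previous_mac=mac1)
    second_fresh = verify(secret, q2, v2, mac2)

    # Legitimate chaining: message 2 of an AXFR response is signed over the
    # MAC of message 1, and the verifier must supply that same prior MAC.
    a1 = dns_query(0x2222, "tld-box.com.", qtype=252)
    va = tsig_variables(key, alg, 1460393140, 300)
    mac_a1 = tsig_mac(secret, a1, va)
    a2 = b"\x22\x22constructed second AXFR message"   # constructed payload
    mac_a2 = tsig_mac(secret, a2, va, previous_mac=mac_a1)
    axfr_ok = verify(secret, a2, va, mac_a2, previous_mac=mac_a1)

    return first_ok, second_stale, second_fresh, axfr_ok


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `(True, False, True, True)`: the same stale-MAC carry-over that breaks the second standalone query is the correct behaviour for the second message of an AXFR, which matches the observation that AXFR always verified while subsequent plain queries failed. The practical check when debugging this kind of mismatch is to dump the exact bytes handed to the HMAC on both sides and diff them; the prior-MAC prefix shows up as an extra 2 + MAC-length bytes at the front.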