[yadifa-users] DDNS successful in spite of "TSIG error with server"

Eric Diaz Fernandez eric.diazfernandez at eurid.eu
Fri Jul 13 10:46:35 CEST 2012


Dear Mr Mens,

Thank you for reporting this issue.

What occurs is that YADIFA wrongly signs replies with TSIG secrets not 
exactly 16 bytes long.

The issue has been fixed in the development branch. It will be in the 
next release of YADIFA.

Regards,

R&D

On 07/10/2012 09:24 AM, Jan-Piet Mens wrote:
> A dynamic update to Yadifa is successful, even though `nsupdate' replies
> "; TSIG error with server: tsig verify failure"
>
>          $ nsupdate -y 'hmac-md5:ytestkey:OKSjaL1x5sE=' <<EOF
>          server 127.0.0.1 5353
>          zone example.net.
>          update add foo.example.net. 60 TXT "Hi Yadifa"
>          send
>          EOF
>          ; TSIG error with server: tsig verify failure
>
>          $ dig -p 5353 @127.0.0.1 foo.example.net any
>          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19170
>          ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 1
>          ;; WARNING: recursion requested but not available
>
>          ;; OPT PSEUDOSECTION:
>          ; EDNS: version: 0, flags:; udp: 4096
>          ;; QUESTION SECTION:
>          ;foo.example.net.               IN      ANY
>
>          ;; ANSWER SECTION:
>          foo.example.net.        60      IN      TXT     "Hi Yadifa"
>          foo.example.net.        60      IN      A       1.1.1.1
>          foo.example.net.        60      IN      A       1.1.1.2
>          foo.example.net.        60      IN      A       1.1.1.4
>
>          ;; AUTHORITY SECTION:
>          example.net.            60      IN      NS      localhost.
>
> Server config:
>
>          <main>
>                  server-port 5353
>                  listen	192.168.1.10, 127.0.0.1 port 5353
>                  uid 501
>                  daemonize false
>                  allow-query any
>          </main>
>
>          # 	dnssec-keygen -a HMAC-MD5 -b 64 -n HOST ytestkey
>          <key>
>                  name ytestkey
>                  algorithm hmac-md5
>                  secret OKSjaL1x5sE=
>          </key>
>
>          <acl>
>                  updaters	key ytestkey
>                  myhosts		192.168.1.0/24;127.0.0.1/32;::1
>          </acl>
>
>          <zone>
>                  domain example.net
>                  file masters/example.net
>                  type master
>                  allow-transfer	myhosts
>                  allow-update	updaters
>          </zone>
>
> Regards,
>
>          -JP


-- 
Eric Diaz Fernandez
System Developer
EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL: +32 (0) 2 401 2750
Eric.Diaz.Fernandez at eurid.eu

http://www.eurid.eu
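
An added example, not part of the original thread and not YADIFA's own code: a config audit that decodes each `<key>` secret and flags those whose length is not exactly 16 bytes, the condition the reply above names. The second key in the sample is constructed for contrast, and the parser assumes only the `<key>` layout shown in the quoted config.

```python
import base64
import re

# The <key> section quoted in this thread, plus one constructed 16-byte key
# for contrast (the second key's name and secret are made up for this example).
SAMPLE_CONFIG = """
<key>
        name ytestkey
        algorithm hmac-md5
        secret OKSjaL1x5sE=
</key>
<key>
        name constructed-16-byte-key
        algorithm hmac-md5
        secret AAECAwQFBgcICQoLDA0ODw==
</key>
"""

KEY_SECTION = re.compile(r"<key>(.*?)</key>", re.DOTALL)


def parse_keys(config_text):
    """Return one dict of 'setting -> value' per <key> section."""
    keys = []
    for body in KEY_SECTION.findall(config_text):
        settings = {}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split(None, 1)  # drop comments
            if len(parts) == 2:
                settings[parts[0]] = parts[1].strip()
        keys.append(settings)
    return keys


def audit_keys(config_text):
    """Return (key name, secret length in bytes or None, affected) tuples."""
    report = []
    for key in parse_keys(config_text):
        try:
            length = len(base64.b64decode(key.get("secret", ""), validate=True))
        except ValueError:  # binascii.Error is a ValueError: invalid base64
            length = None
        # Affected per the reply above: secret not exactly 16 bytes long.
        report.append((key.get("name"), length, length != 16))
    return report


if __name__ == "__main__":
    for name, length, affected in audit_keys(SAMPLE_CONFIG):
        print(f"{name}: {length} bytes, affected={affected}")
```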
