[yadifa-users] HMAC-SHA256 TSIG's?

Leo Vandewoestijne yadifa at unicycle.net
Tue Aug 11 15:02:43 CEST 2015


Hi Anand,

On Mon, 10 Aug 2015, Anand Buddhdev wrote:

> The manual for version 2.1.0 says that yadifa supports the following
> TSIG algorithms:
> 
> hmac-md5
> hmac-sha1
> hmac-sha224
> hmac-sha256
> hmac-sha384
> hmac-sha512
> 
> The change log in the README file doesn't actually say anything about
> adding support for newer hash algorithms, so I infer that all these hash
> algorithms have been there from the very first version.
> 
I guess I drew conclusions too fast after getting CONFIG_KEY_UNSUPPORTED_ALGORITHM,
which also occurs with an incorrect config. Not sure if that was it, but that's solved;
as the manual examples show, no quotes, apostrophes or semicolons, and now it initiates,
but at the primary I still get:

	request has invalid signature: TSIG wtf-tsig: tsig verify failure (BADKEY)

While the same TSIG key material works fine for Bind, Knot and NSD.
I did tcpdump and dnscap on the primary and got:

[170] 2015-08-11 10:17:07.193254 [#0 tsig.pcap 0] \
	[2.x.x.43].22221 [1.x.x.23].53  \
	dns QUERY,NOERROR,44137 \
	1 wtf,IN,AXFR 0 0 \
	1 wtf-tsig,ANY,TSIG,0,[77]
[138] 2015-08-11 10:17:07.193417 [#1 tsig.pcap 0] \
	[1.x.x.23].53 [2.x.x.43].22221  \
	dns QUERY,NOTAUTH,44137,qr \
	1 wtf,IN,AXFR 0 0 \
	1 wtf-tsig,ANY,TSIG,0,[45]

That's when having in yadifad.conf:

<key>
	name wtf-tsig
	algorithm hmac-sha256
	secret Bla1Etc=
</key>  

<acl>
	transferer      key wtf-tsig
	admins          1.x.x.0/24
	master          1.x.x.23
</acl>

<zone>
	domain wtf
	type slave
	file wtf.zone
	master 1.x.x.23 port 53 key wtf-tsig
</zone>

So tcpdump shows the secondary queried the primary for wtf,
and I read this as the primary responding to the secondary with a NOTAUTH response... (right?)
Which is incorrect (an NSD doing the same would transfer all OK).
However, yadifa says the same:

2015-08-11 12:47:59.755602 | server   | D | axfr: wtf.: AXFR stream copy init failed: NOTAUTH
2015-08-11 12:47:59.755618 | server   | E | slave: query error for domain wtf. from master at 1.x.x.23#53: NOTAUTH

But a kdig @1.x.x.23 for "wtf" will give me answers, and NOERROR.

Instead of
	master 1.x.x.23 port 53 key wtf-tsig
I also tried
	master 1.x.x.23
which gives a normal refused, as expected.

Does anyone have a logical explanation for this NOTAUTH response?

Second question:
At the moment I'm listening on only one IP,
but how do you define "query-source address" in Yadifa?



-- 

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
dns.company
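The BADKEY in the log above and the NOTAUTH rcode in the capture are the same event seen from two angles: RFC 8945 (and RFC 2845 before it) requires a server that cannot find the key named in the request's TSIG RR, or finds it under a different algorithm, to answer with RCODE NOTAUTH and TSIG error BADKEY, before it ever computes a MAC; a known key whose secret does not match yields BADSIG instead. The following is an added illustration of that verification order, not code from this thread and not YADIFA's implementation. It builds the MAC input exactly as the RFC describes (the message with its TSIG RR stripped, followed by the TSIG variables), signs a constructed AXFR query for "wtf" with a constructed secret, and checks it against several hypothetical primary-side key tables. The key name, secret and timestamp are constructed for the example; the only values taken from the post are the zone name, the key name wtf-tsig, the algorithm and the query ID 44137.

```python
import base64
import hashlib
import hmac
import struct

# TSIG algorithm names (RFC 8945 section 6) -> hashlib digest constructors.
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}

def wire_name(name):
    """Canonical wire form of a domain name: lowercase labels, uncompressed."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG variables appended to the message before the MAC is computed
    (RFC 8945 section 4.3.3): NAME, CLASS=ANY(255), TTL=0, algorithm name,
    48-bit time signed, fudge, error, other length, other data."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)
            + wire_name(algorithm)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other))
            + other)

def tsig_mac(message, key_name, algorithm, secret_b64, time_signed, fudge):
    """MAC over (message with its TSIG RR removed and ARCOUNT decremented) + variables."""
    digest = ALGORITHMS[algorithm.rstrip(".").lower()]
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, digest).digest()

def verify_tsig(message, key_name, algorithm, mac, time_signed, fudge, keys, now):
    """Server-side check in the order RFC 8945 section 5.2 prescribes.
    `keys` maps a lowercased key name to (algorithm, base64 secret).
    Returns the TSIG error the server would report."""
    entry = keys.get(key_name.rstrip(".").lower())
    if entry is None or entry[0].rstrip(".").lower() != algorithm.rstrip(".").lower():
        return "BADKEY"   # unknown key name or algorithm mismatch -> RCODE NOTAUTH
    expected = tsig_mac(message, key_name, algorithm, entry[1], time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"   # key is known, but the secret differs or the message changed
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

# Constructed sample: the AXFR query for "wtf" with ID 44137 as it looks once the
# TSIG RR has been stripped (QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0, QTYPE 252=AXFR).
QUERY = (struct.pack("!HHHHHH", 44137, 0, 1, 0, 0, 0)
         + wire_name("wtf") + struct.pack("!HH", 252, 1))
SECRET_B64 = base64.b64encode(b"constructed example secret, not a real key").decode()
TIME_SIGNED, FUDGE = 1439281027, 300   # 2015-08-11 10:17:07 CEST, default fudge

def demo():
    """Sign as the secondary would, then verify against hypothetical primary configs."""
    mac = tsig_mac(QUERY, "wtf-tsig", "hmac-sha256", SECRET_B64, TIME_SIGNED, FUDGE)
    primary_ok = {"wtf-tsig": ("hmac-sha256", SECRET_B64)}
    primary_alg = {"wtf-tsig": ("hmac-sha1", SECRET_B64)}        # algorithm differs
    primary_name = {"wtf-tsig2": ("hmac-sha256", SECRET_B64)}    # key name differs
    wrong_secret = base64.b64encode(b"a different secret").decode()
    primary_sec = {"wtf-tsig": ("hmac-sha256", wrong_secret)}    # secret differs

    def v(keys, now=TIME_SIGNED):
        return verify_tsig(QUERY, "wtf-tsig", "hmac-sha256", mac,
                           TIME_SIGNED, FUDGE, keys, now)

    return {
        "matching": v(primary_ok),
        "algorithm_mismatch": v(primary_alg),
        "unknown_name": v(primary_name),
        "wrong_secret": v(primary_sec),
        "clock_skew": v(primary_ok, now=TIME_SIGNED + 3600),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

Because the key name and algorithm are compared before any MAC is checked, a BADKEY with the same secret that works on BIND, Knot and NSD points at the lookup step on the primary (the name or algorithm the primary has for that key) rather than at the HMAC-SHA256 computation itself; a secret mismatch would surface as BADSIG.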