[yadifa-users] HMAC-SHA256 TSIG's?

Eric Diaz Fernandez eric.diaz.fernandez at eurid.eu
Tue Aug 11 15:19:24 CEST 2015


Dear Mr Vandewoestijne,

Thank you for your interest in YADIFA.

There is indeed an issue with the hmac-shaXXX.
The algorithm identification strings sent in the message are wrong (they
should simply be "hmac-shaXXX", but they all have ".sig-alg.reg.int"
suffixed).
A fix will be released in a minor update, most likely later this week.

Best regards,

Eric

On 11/08/15 15:02, Leo Vandewoestijne wrote:
> Hi Anand,
>
> On Mon, 10 Aug 2015, Anand Buddhdev wrote:
>
>> The manual for version 2.1.0 says that yadifa supports the following
>> TSIG algorithms:
>>
>> hmac-md5
>> hmac-sha1
>> hmac-sha224
>> hmac-sha256
>> hmac-sha384
>> hmac-sha512
>>
>> The change log in the README file doesn't actually say anything about
>> adding support for newer hash algorithms, so I infer that all these hash
>> algorithms have been there from the very first version.
>>
> I guess I jumped to conclusions too fast after getting CONFIG_KEY_UNSUPPORTED_ALGORITHM,
> which also occurs with an incorrect config. Not sure if that was it, but that's solved;
> as the manual examples show, no quotes, apostrophes or semicolons, and now it initiates,
> but at the primary I still get:
>
> 	request has invalid signature: TSIG wtf-tsig: tsig verify failure (BADKEY)
>
> While the same TSIG key material works fine for Bind, Knot and NSD.
> I did tcpdump and dnscap on the primary and got:
>
> [170] 2015-08-11 10:17:07.193254 [#0 tsig.pcap 0] \
> 	[2.x.x.43].22221 [1.x.x.23].53  \
> 	dns QUERY,NOERROR,44137 \
> 	1 wtf,IN,AXFR 0 0 \
> 	1 wtf-tsig,ANY,TSIG,0,[77]
> [138] 2015-08-11 10:17:07.193417 [#1 tsig.pcap 0] \
> 	[1.x.x.23].53 [2.x.x.43].22221  \
> 	dns QUERY,NOTAUTH,44137,qr \
> 	1 wtf,IN,AXFR 0 0 \
> 	1 wtf-tsig,ANY,TSIG,0,[45]
>
> That's when having in yadifad.conf:
>
> <key>
> 	name wtf-tsig
> 	algorithm hmac-sha256
> 	secret Bla1Etc=
> </key>  
>
> <acl>
> 	transferer      key wtf-tsig
> 	admins          1.x.x.0/24
> 	master          1.x.x.23
> </acl>
>
> <zone>
> 	domain wtf
> 	type slave
> 	file wtf.zone
> 	master 1.x.x.23 port 53 key wtf-tsig
> </zone>
>
> So tcpdump tells me the secondary queried the primary for wtf
> And I read this as the primary responding to the secondary with a NOTAUTH response... (right?)
> Which is incorrect (an NSD doing the same would transfer all OK).
> However, yadifa says the same:
>
> 2015-08-11 12:47:59.755602 | server   | D | axfr: wtf.: AXFR stream copy init failed: NOTAUTH
> 2015-08-11 12:47:59.755618 | server   | E | slave: query error for domain wtf. from master at 1.x.x.23#53: NOTAUTH
>
> But a kdig @1.x.x.23 for "wtf" will give me answers, and NOERROR.
>
> Instead of
> 	master 1.x.x.23 port 53 key wtf-tsig
> I also tried
> 	master 1.x.x.23
> Which gives a normal refused, as expected.
>
> Anyone have a logical explanation for this NOTAUTH response?
>
> Second question;
> At the moment I'm listening on only one IP,
> but how do you define "query-source address" in Yadifa?
>
>
>


-- 

Eric Diaz Fernandez
R&D department
EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL: +32 (0) 2 401 2750
eric.diazfernandez at eurid.eu
http://www.eurid.eu
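The failure in the thread comes down to how a TSIG verifier treats the algorithm name: it is carried as a domain name inside the TSIG RR, compared against the name the key is configured with, and also covered by the MAC. What follows is an added example, not YADIFA's or EURid's code: a minimal RFC 8945 (the successor of RFC 2845) signer and verifier in Python that signs the same AXFR query with the registered name "hmac-sha256" and with the suffixed "hmac-sha256.sig-alg.reg.int", and shows the primary answering the latter with RCODE NOTAUTH and TSIG error BADKEY before computing any MAC, which is what both the capture and the BIND log line report. The key name wtf-tsig, the zone wtf and the query ID 44137 are taken from the thread; the secret, the timestamp and all helper functions are constructed for the demo, and the verifier only handles a message consisting of a question section plus the TSIG RR.

```python
# Added example (not YADIFA code): RFC 8945 TSIG sign/verify reduced to the parts
# that show why a mislabelled algorithm name ends in BADKEY. Secret, timestamp and
# helper names are constructed for the demo.
import hashlib
import hmac
import struct

TSIG_ALGORITHMS = {  # RFC 8945 sec. 6: only HMAC-MD5 keeps the ".sig-alg.reg.int" suffix
    "hmac-md5.sig-alg.reg.int": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}
TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255
RCODE_NOERROR, RCODE_NOTAUTH = 0, 9               # DNS header RCODE
TSIG_OK, BADSIG, BADKEY, BADTIME = 0, 16, 17, 18  # TSIG RDATA error field

def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, off):
    """Parse an uncompressed name at buf[off]; returns (name, offset past it)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels).lower(), off + 1

def build_query(qid, zone):
    """Unsigned AXFR query: 12-byte header plus a single question."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)

def tsig_variables(key_name, alg_name, time_signed, fudge, error, other):
    """TSIG fields covered by the MAC (RFC 8945 4.3.3); the algorithm name is one."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + wire_name(alg_name) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign_request(msg, key_name, secret, digestmod, alg_name, time_signed, fudge=300):
    """Append a TSIG RR; digestmod is the HMAC computed, alg_name the string sent."""
    variables = tsig_variables(key_name, alg_name, time_signed, fudge, 0, b"")
    mac = hmac.new(secret, msg + variables, digestmod).digest()
    qid, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (wire_name(alg_name) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", qid, 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr

def verify_request(signed, keyring, now):
    """Server side (RFC 8945 5.2) -> (DNS RCODE, TSIG error); keyring: name -> (alg, secret)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if an or ns or ar != 1:
        raise ValueError("example expects a question section plus the TSIG RR only")
    off = 12
    for _ in range(qd):
        _, off = read_name(signed, off)
        off += 4                                       # QTYPE, QCLASS
    tsig_start = off
    key_name, off = read_name(signed, off)
    alg_name, off = read_name(signed, off + 10)        # skip TYPE, CLASS, TTL, RDLENGTH
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[off + 6:off + 10])
    mac, off = signed[off + 10:off + 10 + mac_len], off + 10 + mac_len
    _, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    # 5.2.1: unknown key name, or an algorithm name the key is not configured with,
    # is BADKEY before any MAC is computed; the reply carries RCODE NOTAUTH.
    if (key_name not in keyring or keyring[key_name][0] != alg_name
            or alg_name not in TSIG_ALGORITHMS):
        return RCODE_NOTAUTH, BADKEY
    # Rebuild exactly what the signer hashed: message minus the TSIG RR, ARCOUNT - 1.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    variables = tsig_variables(key_name, alg_name, time_signed, fudge, error, other)
    expected = hmac.new(keyring[key_name][1], unsigned + variables, TSIG_ALGORITHMS[alg_name]).digest()
    if not hmac.compare_digest(expected, mac):
        return RCODE_NOTAUTH, BADSIG                   # 5.2.2
    if abs(now - time_signed) > fudge:
        return RCODE_NOTAUTH, BADTIME                  # 5.2.3
    return RCODE_NOERROR, TSIG_OK

SECRET = b"constructed-example-secret"            # not a real key
KEYRING = {"wtf-tsig": ("hmac-sha256", SECRET)}   # what the primary is configured with
NOW = 1_439_287_027                               # constructed "time signed"

def demo():
    """Sign the same AXFR query several ways and collect the primary's verdicts."""
    query = build_query(44137, "wtf")
    def sign(secret, alg_name):
        return sign_request(query, "wtf-tsig", secret, hashlib.sha256, alg_name, NOW)
    good = sign(SECRET, "hmac-sha256")
    return {
        "correct name": verify_request(good, KEYRING, NOW),
        "suffixed name": verify_request(sign(SECRET, "hmac-sha256.sig-alg.reg.int"), KEYRING, NOW),
        "wrong secret": verify_request(sign(b"other-secret", "hmac-sha256"), KEYRING, NOW),
        "outside fudge": verify_request(good, KEYRING, NOW + 3600),
    }
```

Two details matter when debugging this class of failure. The algorithm name is part of the TSIG variables the HMAC covers, so even a verifier that accepted any name for a key would still reject the suffixed message, just with BADSIG instead of BADKEY. And "hmac-md5.sig-alg.reg.int" is the only registered name carrying that suffix, so a blanket suffix on the SHA names cannot be right; changing KEYRING's entry to ("hmac-md5.sig-alg.reg.int", SECRET) and signing with hashlib.md5 under that name verifies cleanly with the same code.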