
This queue is for tickets about the Net-DNS CPAN distribution.

Report information
The Basics
Id: 102131
Status: resolved
Priority: 0/
Queue: Net-DNS

People
Owner: Nobody in particular
Requestors: nrittner [...] atlas-brb.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: calling "tsig" method on resolver object results in error
Date: Sun, 15 Feb 2015 14:11:05 +0100
To: bug-Net-DNS [...] rt.cpan.org
From: Nico Rittner <nrittner [...] atlas-brb.net>
Hello,

recently the Linux distribution I use (recent Gentoo) upgraded the net-dns package to version 0.74 (from 0.6xx). Since then, signing queries and updates does not work anymore. Formerly I used:

    $resolver = Net::DNS::Resolver->new(...);
    $resolver->tsig( $keyname, $key );

($key as base64 representation) or

    $resolver->tsig( Net::DNS::RR->new( "$keyname TSIG $key" ) );

Calling tsig now results in an exception:

    "zone file representation not defined for TSIG at /usr/lib/perl5/vendor_perl/5.18.2/i686-linux/Net/DNS/RR.pm line 683."

According to http://search.cpan.org/~nlnetlabs/Net-DNS-0.74/lib/Net/DNS/Resolver.pm#tsig my usage of tsig() should be correct.

Using another way of pre-creating the TSIG RR object with:

    my $tsig = Net::DNS::RR->new( type => "TSIG", name => "KEYNAME", key => "KEY" );
    $resolver->tsig($tsig);

results in BADSIG errors in BIND on the server side. Using $tsig for signing update packets only with:

    my $update = Net::DNS::Update->new( ... );
    $update->sign_tsig($tsig);

also does not work.

What is the correct way to use tsig for both query and update packets in Net::DNS >= V0.74 ? Perl version is 5.18.2.

Thanks a lot for your hints.
Nico
From: rwfranks [...] acm.org
On Sun Feb 15 08:11:35 2015, nrittner@atlas-brb.net wrote:

> recently the linux-distribution i use (recent gentoo)
> upgraded the net-dns package to version 0.74 (from 0.6xx).
The world has moved on a long way since then!
> $resolver->tsig( $keyname, $key );
    use Net::DNS;

    my $resolver = new Net::DNS::Resolver(
        debug       => 1,
        nameservers => ['127.0.0.1']
    );
    $resolver->tsig( 'hmac-md5.example.', 'ARDJZgtuTDzAWeSGYPAu9uJUkX0=' );

    my $query = new Net::DNS::Packet( 'www.example.com', 'A' );
    my $reply = $resolver->send($query);
    my $verified = $reply->verify($query);
    print "*** reply ", $verified ? "verified" : "not verified", " ***\n";

This is the historical way of doing things and still works. Unfortunately, MD5 is the only algorithm available with this method.

If this does not work for you, the most likely reason is incorrect specification of the key in BIND. The config file should contain something like:

    key hmac-md5.example {
        algorithm HMAC-MD5;
        secret "ARDJZgtuTDzAWeSGYPAu9uJUkX0=";
    };
> $resolver->tsig( Net::DNS::RR->new( "$keyname TSIG $key" ) );
If you read the documentation for the TSIG RR, you will see that there is a create() method. There is now no string representation of TSIG records. The old format had no means of specifying the signing algorithm, which these days is almost never MD5. The exception is raised in RR->new, not in Resolver->tsig.
> according to http://search.cpan.org/~nlnetlabs/Net-DNS-0.74/lib/Net/DNS/Resolver.pm#tsig
You will need to read the documentation for Net::DNS::Packet and Net::DNS::RR::TSIG to understand how this works.
> using another way of pre-creating the tsig RR-Object with:
>
> my $tsig = Net::DNS::RR->new( type => "TSIG", name => "KEYNAME", key => "KEY" );
> $resolver->tsig($tsig);
>
> results in BADSIG Errors in BIND at server side.
>
> using $tsig for signing update packets only with:
>
> my $update = Net::DNS::Update->new( ... );
> $update->sign_tsig($tsig);
>
These probably fail because the key is not properly defined in the BIND config file. But this is a needlessly difficult way of getting your query packets or updates signed.
> What is the correct way to use tsig for both
> query and update packets in Net::DNS >= V0.74 ?
There is rarely any need to handle TSIG records directly. The resolver->tsig method now accepts the filename of a key generated using the dnssec-keygen program which comes with BIND.

    use Net::DNS;

    my $resolver = new Net::DNS::Resolver(
        debug       => 1,
        nameservers => ['127.0.0.1']
    );
    my $key = 'keypath/Khmac-sha1.example.+161+39562.private';
    $resolver->tsig($key);

    my $query = new Net::DNS::Packet( 'www.example.com', 'A' );
    my $reply = $resolver->send($query);
    my $verified = $reply->verify($query);
    print "*** reply ", $verified ? "verified" : "not verified", " ***\n";

It is _very_ important that the filename created by dnssec-keygen is not changed.

The examples above have been tested using Net::DNS 0.75 and later. There is no support for automatic signing in 0.74 and earlier. The latest version is 0.82.

--Dick
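An added example, not part of Dick's reply or of the Net::DNS distribution, that carries the resolver->tsig key-file approach from the answer above through to the dynamic update the original question also asked about, so one resolver signs both packet types and both replies are checked. The key file path is a placeholder in the dnssec-keygen layout; the nameserver, zone and record data are assumed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): one Net::DNS::Resolver with tsig()
# set from a dnssec-keygen key file signs both a query and a dynamic
# update, and each reply is verified against the packet that was sent.
# Needs Net::DNS >= 0.75 (no automatic signing in 0.74 and earlier).
use strict;
use warnings;
use Net::DNS;    # also exports rr_add() and nxrrset() used below

# Placeholder path in the layout dnssec-keygen produces; the file must keep
# the name it was created with, since Net::DNS derives key name and
# algorithm from it.
my $keyfile = 'keypath/Khmac-sha1.example.+161+39562.private';

my $resolver = Net::DNS::Resolver->new(
    nameservers => ['127.0.0.1'],    # assumed: a BIND that knows this key
    debug       => 0,
);
$resolver->tsig($keyfile);           # every packet this resolver sends is now signed

# 1. Signed query; the reply is verified against the signed query we sent.
my $query = Net::DNS::Packet->new( 'www.example.com', 'A' );
my $reply = $resolver->send($query)
    or die 'no reply: ', $resolver->errorstring, "\n";
$reply->verify($query)
    or die 'reply TSIG failed: ', $reply->verifyerr, "\n";
printf "query ok, rcode %s\n", $reply->header->rcode;

# 2. Signed dynamic update (RFC 2136) for an assumed zone and record. No
#    TSIG RR is handled directly; resolver->tsig signs the update as well.
my $update = Net::DNS::Update->new('example.com');
$update->push( prerequisite => nxrrset('host1.example.com. A') );
$update->push( update       => rr_add('host1.example.com. 300 A 192.0.2.10') );

my $result = $resolver->send($update)
    or die 'no update reply: ', $resolver->errorstring, "\n";
$result->verify($update)
    or die 'update reply TSIG failed: ', $result->verifyerr, "\n";
printf "update rcode %s\n", $result->header->rcode;   # NOERROR if BIND accepted it
```

A BADSIG or NOTAUTH rcode here points at the key definition or the allow-update/update-policy in named.conf, not at the Perl side.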
Subject: Re: [rt.cpan.org #102131] calling "tsig" method on resolver object results in error
Date: Wed, 18 Feb 2015 07:35:47 +0100
To: bug-Net-DNS [...] rt.cpan.org
From: Nico Rittner <nrittner [...] layer23.de>
On 18.02.2015 at 04:36, Dick Franks via RT wrote:
> The world has moved on a long way since then!
Hello,

after upgrading to version 0.82 everything works as expected.

See this thread on Stack Overflow: http://stackoverflow.com/questions/28538858/perl-module-netdns-calling-tsig-method-on-resolver-object-results-in-error

Thanks a lot!