
This queue is for tickets about the Net-DNS CPAN distribution.

Report information
The Basics
Id: 64562
Status: resolved
Priority: 0/
Queue: Net-DNS

People
Owner: Nobody in particular
Requestors: yingdi [...] cs.ucla.edu
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.66
Fixed in: (no value)



Subject: Problem about TSIG in Net::DNS
Dear Sir or Madam,

I have a simple perl program that uses Net::DNS to create packets and sign them with a TSIG key. When I send these packets to a DNS server that I have been using for several years, the server reports that the signatures are invalid. However, when I use dig -k <key> they work fine.

As you can see from the attached code, I am using an option code in the OPT record, and I don't know if this has something to do with the problem. Can you please see if you have the same problem with this code, or see if there is a programming mistake I have made? My Perl version is 5.8.9, and my OS is Mac OS X 10.6.4.

Thanks a lot!

Regards!

Yingdi
Subject: tsig.pl
use strict;
use warnings;
use Net::DNS;
use Net::IP;

# Set DNS server to query
my $res = Net::DNS::Resolver->new();
$res->nameservers("jupiter.cs.brown.edu");
$res->port(7979);

# Set key for TSIG (name and base64 secret of the hmac-md5 key)
my $key_name = "yingdi-brown";
my $key      = "8bz86RaXjzxHioN3fKruQg==";

# Generate TSIG
my $tsig = Net::DNS::RR->new("$key_name TSIG $key");
$tsig->fudge(300);

# Generate a Query
my $query = Net::DNS::Packet->new("www.sjtu.edu.cn");

# Generate OPT (EDNS pseudo-RR; the class field carries the UDP payload size)
my @iplist = qw(202 120 2 101);
my $opt = Net::DNS::RR->new(
    name          => "",
    type          => "OPT",
    class         => 1024,
    extendedrcode => 0x00,
    ednsflags     => 0x0000,
    optioncode    => 0x51,
    optiondata    => pack("C4", @iplist),
);

# Push OPT into Query (it now sits first in the additional section)
$query->push(additional => $opt);

# Sign Query (sign_tsig appends the TSIG RR after the OPT record)
$query->sign_tsig($tsig);
$query->print;

# Send Query
my $response = $res->send($query);
if ($response) {
    foreach my $rr ($response->answer) {
        print $rr->rdatastr . "\n";
    }
}
Subject: Kyingdi-brown.+157+53254.key

Dear Yingdi,

Although I couldn't connect to port 7979 of jupiter.cs.brown.edu from my site, I managed to reproduce your problem with some nameservers of our own.

In RR/TSIG.pm on line 142:

    shift(@{$newpacket->{"additional"}});

the first addition to the additional section is removed, in the hope that this will be the TSIG record. The TSIG record is in fact the last added record to the additional section, so it should be removed with pop:

    pop(@{$newpacket->{"additional"}});

When line 142 in RR/TSIG.pm was changed in this manner everything worked out fine. The fix will be incorporated in the next release.

Cheers,
Willem

On Thu Jan 06 21:43:02 2011, yuyingdi wrote:
Hi Yingdi,

Even better would be to replace lines 141 and 142 of RR/TSIG.pm from:

    @{$newpacket->{"additional"}} = @{$packet->{"additional"}};
    shift(@{$newpacket->{"additional"}});

into:

    @{$newpacket->{"additional"}} = grep { $_ != $self } @{$packet->{"additional"}};

This would reflect more clearly what the intention of the code is: remove the TSIG key to replace it with the signature of the whole packet (but without the TSIG key, which is secret after all). As a side effect it becomes possible to call sign_tsig even before further packet modifications, as the packet data is only signed just before it is sent out.

Best regards,
Willem
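The signing step Willem describes, modelled as an added example that is not Net::DNS code: the records are constructed hashrefs, the packet bytes are a stand-in string, the key is the one from tsig.pl, and HMAC-MD5 is written out with the core Digest::MD5 so it runs without Net::DNS. It also tries the TSIG-only case, which shows why the same key worked before an OPT record was pushed ahead of the TSIG.

```perl
use strict;
use warnings;
use Digest::MD5  qw(md5);
use MIME::Base64 qw(decode_base64);

# Constructed stand-ins for the records in the ticket: the OPT pseudo-RR the
# script pushes first and the TSIG RR that sign_tsig appends last.
my $opt  = { type => 'OPT',  wire => 'OPT:optioncode=0x51:202.120.2.101' };
my $tsig = { type => 'TSIG', wire => 'TSIG:yingdi-brown:hmac-md5' };
my $key  = decode_base64('8bz86RaXjzxHioN3fKruQg==');   # key from the ticket

# HMAC-MD5 (RFC 2104) written out over the core Digest::MD5; algorithm 157
# (HMAC-MD5.SIG-ALG.REG.INT) is what the attached key file uses.
sub hmac_md5 {
    my ($k, $msg) = @_;
    $k = md5($k) if length($k) > 64;
    $k .= "\0" x (64 - length($k));
    return md5(($k ^ ("\x5c" x 64)) . md5(($k ^ ("\x36" x 64)) . $msg));
}

# Stand-in for the bytes the MAC covers: header, question and whatever is
# left in the additional section once the TSIG has been stripped.
sub signed_bytes { join '|', 'HDR', 'Q:www.sjtu.edu.cn', map { $_->{wire} } @_ }

# The three ways of dropping the TSIG that the thread discusses.
sub strip_shift { my @a = @_; shift @a; @a }                       # 0.66: drops the FIRST record
sub strip_pop   { my @a = @_; pop @a;   @a }                       # first fix: drops the LAST record
sub strip_self  { my ($self, @a) = @_; grep { $_ != $self } @a }   # second fix: drops the TSIG itself

# A verifying server drops the TSIG wherever it sits, recomputes and compares.
sub server_accepts {
    my ($mac, @additional) = @_;
    my @rest = grep { $_->{type} ne 'TSIG' } @additional;
    return $mac eq hmac_md5($key, signed_bytes(@rest)) ? 1 : 0;
}

# Sign with one strip strategy, then ask the server side whether it would accept the MAC.
sub sign_and_verify {
    my ($strategy, @additional) = @_;
    my %strip = ('shift' => \&strip_shift, 'pop' => \&strip_pop, 'self' => sub { strip_self($tsig, @_) });
    my $mac = hmac_md5($key, signed_bytes($strip{$strategy}->(@additional)));
    return server_accepts($mac, @additional);
}

for my $s (qw(shift pop self)) {
    printf "%-6s OPT+TSIG: %-8s TSIG only: %s\n", $s,
        sign_and_verify($s, $opt, $tsig) ? 'accepted' : 'BAD SIG',
        sign_and_verify($s, $tsig)       ? 'accepted' : 'BAD SIG';
}
```

With only the TSIG in the additional section, shift and pop remove the same record, so the 0.66 code signs correctly; once an OPT record precedes the TSIG, shift leaves the secret-bearing TSIG inside the signed bytes and the server's recomputed MAC no longer matches.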