
This queue is for tickets about the Net-DNS CPAN distribution.

Report information
The Basics
Id: 73366
Status: resolved
Priority: 0/
Queue: Net-DNS

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Signing updates for RR removal malforms request
When transaction-signing an update to remove an AAAA record:

    use Net::DNS;    # exports rr_del()

    $update = Net::DNS::Update->new('example.com.');
    $update->push(update => rr_del('foo.example.com. AAAA'));
    $update->sign_tsig($keyname, $keysecret);

the resulting request is refused by the server with FORMERR. A quick look at the network dump shows that the TSIG record is placed twice into the request:

    18:44:35.350360 IP 127.0.0.1.54860 > 127.0.0.1.domain: 38649 update [2n] [2au] SOA? example.com. (227)
    ..........................keyname..........:.HMAC-MD5.SIG-ALG.REG.INT...N.x..,..t..>..0r...m.._{.......keyname..........:.HMAC-MD5.SIG-ALG.REG.INT...N.x..,..t..>..0r...m.._{......
    18:44:35.350543 IP 127.0.0.1.domain > 127.0.0.1.54860: 38649 update FormErr- 0/0/0 (29)
    E..9Q...@.*..........5.L.%.8.............example.com.....

while a valid request by nsupdate looks like:

    18:40:50.067250 IP 127.0.0.1.65252 > 127.0.0.1.domain: 47231 update [1n] [1au] SOA? example.com. (122)
    E...Q...@.*r...........5......(..........example.com......foo.............keyname..........:.hmac-md5.sig-alg.reg.int...N.w".,...p..x...1..m...Z......
    18:40:50.228899 IP 127.0.0.1.domain > 127.0.0.1.65252: 47231 update 0/0/1 (106)
    E...Q...@.*..........5...r...............example.com......keyname..........:.hmac-md5.sig-alg.reg.int...N.w".,.. ",..........]........

I could attach pcap dumps, if you are interested. This problem exhibits itself with the current development tree. Other details can be found in <https://bugzilla.redhat.com/show_bug.cgi?id=766357>.
Subject: Re: [rt.cpan.org #73366] AutoReply: Signing updates for RR removal malforms request
Date: Tue, 20 Dec 2011 13:05:04 +0100
To: Bugs in Net-DNS via RT <bug-Net-DNS [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
I identified the problem. I reused a signed Net::DNS::Update object for removing a record and signed it again. Thus the second update request carried two update records and two TSIG records in the additional section:

    update =
    ;; HEADER SECTION
    ;; id = 55397
    ;; qr = 0    opcode = UPDATE    rcode = NOERROR
    ;; zocount = 1    prcount = 0    upcount = 2    adcount = 2

    ;; ZONE SECTION (1 record)
    ;; example.com.    IN    SOA

    ;; PREREQUISITE SECTION (0 records)

    ;; UPDATE SECTION (2 records)
    foo.example.com.    42    IN    AAAA    2001:db8:0:0:0:0:0:1
    foo.example.com.    0    ANY    AAAA    ; no data

    ;; ADDITIONAL SECTION (2 records)
    keyname.    0    ANY    TSIG    HMAC-MD5.SIG-ALG.REG.INT. NOERROR
    keyname.    0    ANY    TSIG    HMAC-MD5.SIG-ALG.REG.INT. NOERROR

If you think this is expected behaviour, feel free to close this bug report. I think it would be a good idea to make Net::DNS::{Update|Packet}->sign_tsig() replace the existing record.

-- Petr

Hi Petr,

Glad you found the cause.

On Tue Dec 20 07:05:17 2011, ppisar wrote:
> If you think this is expected behaviour, feel free to close this bug
> report.
> I think it would be a good idea to make Net::DNS::{Update|Packet}->sign_tsig()
> replace the existing record.

Yes, TSIGs cannot be nested; in RFC 2845 I read:

    3.2. TSIG processing on incoming messages

    If an incoming message contains a TSIG record, it MUST be the last
    record in the additional section. Multiple TSIG records are not
    allowed. If a TSIG record is present in any other position, the
    packet is dropped and a response with RCODE 1 (FORMERR) MUST be
    returned.

Personally I feel more for a warning message when a TSIG was already in the additional section. Net::DNS users should be able to construct messages that are officially considered broken...
Hi Petr,

I reviewed the ticket again today and decided to remove an existing TSIG when using $packet->sign_tsig like you proposed. Also a warning will be shown. Nested TSIGs are not allowed in DNS and trying to make it work anyway would need much more than simply allowing double signing in the current codebase.

Thanks again for your report,

-- Willem
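Added example, not code from the ticket or from Net::DNS: a Python model of the two behaviours discussed above, the RFC 2845 section 3.2 check a server applies to the additional section (the FORMERR the first post ran into) and the sign-once rule adopted in the fix, where a trailing TSIG is replaced with a warning instead of a second one being appended. The UPDATE message builder, the record names and the zero-filled TSIG rdata are constructed for illustration only; no HMAC is computed, since only record position matters for the check.

```python
import struct, warnings

TYPE_SOA, TYPE_AAAA, TYPE_TSIG, CLASS_IN, CLASS_ANY = 6, 28, 250, 1, 255
RCODE_FORMERR = 1  # RFC 2845 s3.2: misplaced or multiple TSIG -> FORMERR

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def skip_name(msg, off):
    while msg[off] != 0:              # walk labels up to the terminating zero octet
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name in 2 bytes
            return off + 2
        off += msg[off] + 1
    return off + 1

def skip_rr(msg, off):
    off = skip_name(msg, off)         # owner name
    rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)  # 10-byte fixed part
    return rtype, off + 10 + rdlen    # (TYPE, offset of the next record)

def tsig_check(msg):
    # RFC 2845 s3.2: a TSIG must be the last record in additional, and the only TSIG. None = accept, else RCODE.
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):               # zone section (question position): name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):          # prerequisite and update sections
        _, off = skip_rr(msg, off)
    positions = []
    for i in range(ar):               # additional section
        rtype, off = skip_rr(msg, off)
        if rtype == TYPE_TSIG:
            positions.append(i)
    return RCODE_FORMERR if positions and positions != [ar - 1] else None

def sign_tsig(additional, tsig_rr):
    # Fix adopted in the ticket: replace a trailing TSIG (with a warning) instead of appending a second one.
    if additional and additional[-1][1] == TYPE_TSIG:
        warnings.warn("replacing existing TSIG record in additional section")
        additional = additional[:-1]
    return additional + [tsig_rr]

def build_update(zone, additional):
    # Constructed UPDATE (opcode 5): zone, no prereq/update RRs, then the given (name, type, rdata) records.
    hdr = struct.pack("!HHHHHH", 0x1234, 5 << 11, 1, 0, 0, len(additional))
    body = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for name, rtype, rdata in additional:
        body += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_ANY, 0, len(rdata)) + rdata
    return hdr + body
```

Signing the same record list twice through sign_tsig yields a message the check accepts, while appending a second TSIG directly reproduces the FORMERR case from the tcpdump above.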