Skip Menu |

This queue is for tickets about the Net-DNS CPAN distribution.

Report information
The Basics
Id: 91241
Status: resolved
Priority: 0/
Queue: Net-DNS
People
Owner: Nobody in particular
Requestors: bugs [...] jth.net
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Sat Dec 07 14:22:59 2013 bugs [...] jth.net - Ticket created
Subject: Net::DNS 0.73 TSIG bugs
Date: Sat, 07 Dec 2013 20:22:42 +0100
To: bug-Net-DNS [...] rt.cpan.org
From: "J. Thomsen" <bugs [...] jth.net>
There are some issues with the TSIG support in Net::DNS 0.73 1) In TSIG.pm this should be the correct code my %algbyname = map { s /[^-.A-Za-z0-9]//g; $_ } @algbyalias, @algbyname; $key =~ s /[^-.A-Za-z0-9]//g; # strip non-alphanumerics The characters '-' and '.' are stripped away conflicting with bind 9.9.4-P1 which does not do so. The result is that BIND cannot find the key name / algorithm combination in its key ring hmacsha512 as opposed to BIND's hmac-sha512 and hmacmd5sigalgregint and hmac-md5.sig-alg.reg.int 2) A strange, possible time related issue about signing updates my $res = new Net::DNS::Resolver(recurse => 0, persistent_tcp => 1); $res->nameservers($DNSserver); my $tsig = Net::DNS::RR->new( name => $key, type => 'TSIG', key => $secret, algorithm => $algorithm); $res->tsig($tsig); will only work for the first update request Apparently for every following request this below should be perfomed in order not to receive a NOTAUTH from BIND (reporting: signature failed to verify(1)) $tsig = Net::DNS::RR->new( name => $key, type => 'TSIG', key => $secret, algorithm => $algorithm); $update->push(additional => $tsig); Just reusing $tsig is not enough. - Jørgen Thomsen
  Tue Dec 10 09:58:21 2013 rwfranks [...] acm.org - Correspondence added
From: rwfranks [...] acm.org
There are two unrelated bugs in this report. Please can you file separate reports in future so that we can track and report progress on the issue. This may be more work initially, but it does prevent us losing things instead of fixing them. On Sat Dec 07 14:22:59 2013, bugs@jth.net wrote: Show quoted text
> There are some issues with the TSIG support in Net::DNS 0.73 > > 1) > In TSIG.pm ... > The characters '-' and '.' are stripped away
The stripping is done to provide a synthetic key into the %algbyname hash table. Unfortunately, the @algbyname list got trashed in the process (because $_ is not localised in map{}). The %algbyval table then gets built using the stripped algorithm names. This slipped through because the test script did not check the correctness of the algorithm name which is, as you say, important for BIND. Workaround is to swap the order of lines 51 and 52. Show quoted text
> 2) A strange, possible time related issue about signing updates
It does not appear that TCP figured in the original author's thinking. The wording of RFC2845 is distinctly vague, and until I know what it means, I am unable to promise an early resolution of this problem. Thanks for reporting these problems. Dick
  Tue Dec 10 09:58:21 2013 The RT System itself - Status changed from 'new' to 'open'
  Mon Dec 16 09:13:27 2013 rwfranks [...] acm.org - Correspondence added
From: rwfranks [...] acm.org
1) Fixed on SVN trunk. 2) Existing code does not support multi-packet TSIG as described in RFC2845. This is being looked at, but will not be resolved before next release. Dick
  Fri Feb 28 10:55:14 2014 rwfranks [...] acm.org - Correspondence added
From: rwfranks [...] acm.org
2) Fixed on SVN trunk, which you can browse in www.net-dns.org. This will appear in next release. Documentation has been added to Packet.pm to cover multi-packet TSIG sign/verify functionality. As a worked example, resolver->axfr() now does verified zone transfer automatically if you use resolver->tsig() to specify the shared key. Dick
  Wed Apr 30 10:32:34 2014 NLNETLABS [...] cpan.org - Correspondence added
Fixed in 0.75 release
  Wed Apr 30 10:32:35 2014 NLNETLABS [...] cpan.org - Status changed from 'open' to 'resolved'