Skip Menu |

This queue is for tickets about the Net-DNS CPAN distribution.

Report information
The Basics
Id: 99531
Status: resolved
Priority: 0/
Queue: Net-DNS
People
Owner: Nobody in particular
Requestors: tlhackque [...] yahoo.com
Cc:
AdminCc:
Bug Information
Severity: Normal
Broken in: 0.80
Fixed in: (no value)

History Show all quoted text
  Thu Oct 16 11:17:40 2014 tlhackque [...] yahoo.com - Ticket created
Subject: Resolver doc error - when is a 'bug' a 'bug'?
The POD for Resolver.pm states (under BUGS): "The current implementation supports TSIG only on outgoing packets. No validation of server replies is performed. " This isn't true anymore - at least, axfr calls $reply->verify if the query is signed. See Resolver::Base. Other queries don't seem to, although one can call $reply->verify manually. So (a) TSIG is now supported on replies. And (b) validation of AXFR replies is automagic. I'm not sure whether failure to automatically validate non-AXFR replies is a 'bug'; one might think so. However, at the moment the automatic axfr() calls are returning BADSIG when they should not - and it would be nice to be able to turn them off until that's debugged...so the automagic validation of AXFR may be bug. (Why I'm seeing BADSIG on a query that dig likes is a separate issue.)
  Thu Oct 16 16:17:08 2014 rwfranks [...] acm.org - Correspondence added
From: rwfranks [...] acm.org
On Thu Oct 16 11:17:40 2014, tlhackque wrote: Show quoted text
> The POD for Resolver.pm states (under BUGS): > > "The current implementation supports TSIG only on outgoing packets. > No validation of server replies is performed. > " > > This isn't true anymore
Agree. That sentence is no longer appropriate. Show quoted text
> I'm not sure whether failure to automatically validate non-AXFR > replies is a 'bug'; one might think so.
The original author clearly did. IMHO the user application should perform the validation itself. The justification for ignoring my own general opinion when implementing axfr() was the impossibility of doing TSIG validation across a complete multi-packet response. The end user has no access to the underlying packets. Show quoted text
> However, at the moment the > automatic axfr() calls are returning BADSIG when they should not - and > it would be nice to be able to turn them off until that's > debugged...so the automagic validation of AXFR may be bug. >
You turn it off by not turning it on! axfr() multi-packet TSIG has been tested using BIND both here and independently by a DNS expert at ISC. If it says BADSIG, it probably is. If you are claiming otherwise, you will need to raise a separate RT# complete with key file and captured wire-format data. PS: If you used a .private key file to create the outgoing TSIG record, try using the corresponding .key file instead. TSIG keys are symmetric so both files are functionally equivalent.
  Thu Oct 16 16:17:09 2014 The RT System itself - Status changed from 'new' to 'open'
  Sat Oct 18 08:44:31 2014 tlhackque [...] yahoo.com - Correspondence added
From: tlhackque [...] yahoo.com
On Thu Oct 16 16:17:08 2014, rwfranks@acm.org wrote: Show quoted text
> On Thu Oct 16 11:17:40 2014, tlhackque wrote:
> > The POD for Resolver.pm states (under BUGS): > > > > "The current implementation supports TSIG only on outgoing packets. > > No validation of server replies is performed. > > " > > > > This isn't true anymore
> > Agree. That sentence is no longer appropriate. >
> > I'm not sure whether failure to automatically validate non-AXFR > > replies is a 'bug'; one might think so.
> > The original author clearly did. > IMHO the user application should perform the validation itself. > > The justification for ignoring my own general opinion when > implementing axfr() was the impossibility of doing TSIG validation > across a complete multi-packet response. The end user has no access to > the underlying packets. >
Agree. Which is why a control would be useful, at least for debugging and for working-around bugs involving the reply signature. E.g. $resolver->validate_axfr(0); Show quoted text
>
> > However, at the moment the > > automatic axfr() calls are returning BADSIG when they should not - > > and > > it would be nice to be able to turn them off until that's > > debugged...so the automagic validation of AXFR may be bug. > >
> You turn it off by not turning it on!
You can't do that in my case - BIND config uses TSIG to select the view and to allow AXFR. So the request MUST be signed. In this case, Net::DNS is not validating the reply correctly, but I have to patch Net::DNS to turn off the verification triggered by the signed request. Show quoted text
> > axfr() multi-packet TSIG has been tested using BIND both here and > independently by a DNS expert at ISC. >
The review missed a problem :-( Show quoted text
> If it says BADSIG, it probably is. > If you are claiming otherwise, you will need to raise a separate RT# > complete with key file and captured wire-format data.
That was always my intent. It took a while to find the root cause (in Net::DNS). This RT was for the doc issue, and to note that a control for automagic validation would be useful. See RT 99571 for all the details of the axfr bug. Show quoted text
> > PS: If you used a .private key file to create the outgoing TSIG > record, try using the corresponding .key file instead. TSIG keys are > symmetric so both files are functionally equivalent.
Thanks for the hint, but that's not the problem that I encountered.
  Mon Oct 27 06:13:52 2014 NLNETLABS [...] cpan.org - Correspondence added
Thanks tlhackque. This if fixed in the upcoming 0.81
  Mon Oct 27 06:13:57 2014 NLNETLABS [...] cpan.org - Status changed from 'open' to 'resolved'