On Thu, Feb 11, 2016 at 05:55:09PM +0000, Randy McEoin wrote:
> I think this is a bug in PowerDNS brought to light by another bug in Kea.
>
> When Kea constructs a DDNS query packet with a TSIG, it mistakenly sets the
> Original ID to 0 instead of the Transaction Id. The TSIG MAC is calculated
> correctly, so PowerDNS considers the packet valid.
>
> The breaking bug is on the PowerDNS side. When PowerDNS constructs the DDNS
> response packet, it appears to use the unmodified real Transaction ID in the
> calculation of the HMAC. It then proceeds to append a TSIG with the Original
> ID provided by the query of 0 which is not equal to the Transaction ID used
> in the calculation. So Kea legitimately detects a BADKEY in the response.
>
> For comparison, I looked at a packet capture of Kea DDNS'ing with BIND.
> Of course Kea still uses 0 for the Original ID, but what's different is
> that BIND's response uses an Original ID == Transaction ID. It does not
> use the Original ID of 0 that Kea specified in the query.
Hi Randy,

We've assigned https://github.com/PowerDNS/pdns/issues/3362 to your bug. Thanks! Will keep you posted about the solution.

Bert

_______________________________________________
Kea-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/kea-users
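The mismatch Randy describes comes from the way the TSIG MAC is defined: the verifier rebuilds the message with its header ID replaced by the Original ID found in the TSIG RDATA before recomputing the HMAC, so a signer that hashes one ID and advertises another can never verify. The following model of that computation is an added example, not code from Kea, PowerDNS or BIND; the key name, secret, timestamp and UPDATE messages are constructed, and the messages carry no sections so the TSIG-stripping step (removing the TSIG RR and decrementing ARCOUNT) is omitted. It shows that any Original ID verifies as long as signer and verifier use the same one, which is why Kea's request with Original ID 0 was accepted and why BIND's response verifies, while hashing the transaction ID and advertising 0 fails. It also goes one step beyond the thread and shows why the field exists at all: a forwarder may renumber the transaction without breaking the signature.

```python
"""
Minimal model of the TSIG (RFC 2845) MAC computation, showing why the
Original ID carried in the TSIG RDATA must be the same ID the signer put
into the message when it computed the HMAC. Added illustration only; this is
not code from Kea, PowerDNS or BIND, and the key, key name, timestamp and
messages are constructed for the example.
"""
import hashlib
import hmac
import struct

# Constructed example material (not from the original thread).
KEY_NAME = "kea-ddns-key."
SECRET = b"constructed-shared-secret"
ALGORITHM = "hmac-sha256."
TIME_SIGNED = 1455213309   # constructed "time signed", seconds since the epoch
FUDGE = 300


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as DNS labels; RFC 2845 digests names in lower case."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(error: int = 0, other: bytes = b"") -> bytes:
    """TSIG fields covered by the MAC (RFC 2845 section 3.4.2): key name, CLASS ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error, other-data length, other data."""
    return (encode_name(KEY_NAME)
            + struct.pack("!HI", 255, 0)
            + encode_name(ALGORITHM)
            + struct.pack("!Q", TIME_SIGNED)[2:]
            + struct.pack("!HHH", FUDGE, error, len(other))
            + other)


def compute_mac(message: bytes, original_id: int, request_mac: bytes = b"") -> bytes:
    """HMAC over [request MAC] + message (TSIG RR not yet appended, header ID replaced
    by Original ID) + TSIG variables. The ID substitution is what ties the Original ID
    field to the MAC: the verifier repeats it with the Original ID it finds in the RDATA."""
    message_with_original_id = struct.pack("!H", original_id) + message[2:]
    data = b""
    if request_mac:                       # a response also covers the request's MAC
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message_with_original_id + tsig_variables()
    return hmac.new(SECRET, data, hashlib.sha256).digest()


def make_header(txid: int, response: bool) -> bytes:
    """12-byte DNS header for a DNS UPDATE (opcode 5) with empty sections."""
    flags = (0x8000 if response else 0) | (5 << 11)
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def sign_response(txid: int, id_used_in_mac: int):
    """Server side: sign a response to an UPDATE with transaction ID txid.
    Returns (response message, response MAC, request MAC). A consistent signer
    passes the same value here as the Original ID it will advertise in the TSIG RR."""
    request = make_header(txid, response=False)
    request_mac = compute_mac(request, txid)
    response = make_header(txid, response=True)
    return response, compute_mac(response, id_used_in_mac, request_mac), request_mac


def client_verifies(response: bytes, advertised_original_id: int,
                    mac: bytes, request_mac: bytes) -> bool:
    """Client side: recompute using the Original ID found in the TSIG RDATA and compare."""
    expected = compute_mac(response, advertised_original_id, request_mac)
    return hmac.compare_digest(expected, mac)


def simulate(txid: int, id_used_in_mac: int, advertised_original_id: int) -> bool:
    """One signed exchange; True when the client accepts the response's TSIG."""
    response, mac, request_mac = sign_response(txid, id_used_in_mac)
    return client_verifies(response, advertised_original_id, mac, request_mac)


def rewrite_header_id(message: bytes, new_id: int) -> bytes:
    """Model a forwarder that renumbers the transaction but leaves the TSIG RR alone."""
    return struct.pack("!H", new_id) + message[2:]


if __name__ == "__main__":
    print("MAC and Original ID both = transaction ID:", simulate(0x1234, 0x1234, 0x1234))
    print("MAC and Original ID both = 0:             ", simulate(0x1234, 0, 0))
    print("MAC over transaction ID, Original ID 0:   ", simulate(0x1234, 0x1234, 0))
```

The third case is the shape of the failure in the thread: the MAC is correct for the message the server actually hashed, but the Original ID it advertises points the verifier at a different message, so the HMAC comparison fails on the client regardless of how well the key itself matches.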
