Hi!

I tried to debug the issue and here are my findings:

I used tsig-tests as client. I added lots of Log messages and dumped various strings (TSIG MAC, message string ...) in the tsig-tests client and in the server. Usually, when I restart PowerDNS, the first query with TSIG works but subsequent queries fail.

In checkForCorrectTSIG() the received HMAC is compared with the local one. The local HMAC is calculated from the secret and the 'message'. I see that, if the comparison fails, the 'message' on the server side is different from the 'message' on the client side.

So, where does 'message' come from? It comes from q->getTSIGDetails(). In getTSIGDetails() the 'message' is calculated by makeTSIGMessageFromTSIGPacket(). One of the parameters of makeTSIGMessageFromTSIGPacket() is d_tsigprevious. If PowerDNS calculates the 'message' correctly (e.g. on the first query after restart) then d_tsigprevious is empty. If PowerDNS calculates a false 'message', then d_tsigprevious is not empty, but contains the TSIG MAC of the first (the successful) query.

During AXFR d_tsigprevious is always empty as far as I see. But for queries d_tsigprevious is set on the first TSIG query, and reused later. It seems that some data structures are not correctly cleaned up after the first query, and thus the previous MAC is incorrectly also used to calculate the 'message'. Unfortunately I have not yet found where the data structures are initialized and cleared for every received packet. Any hints are appreciated. (I need help ;-)

Thanks
Klaus

On 08.04.2016 19:48, Klaus Darilion wrote:
> Hi!
>
> I made some tests to transfer zones from PDNS using TSIG. The strange
> thing is that AXFR + TSIG always works. But querying PDNS using TSIG
> most of the time results in TSIG errors, e.g.:
>
> I query with:
> dig @xx.xx.xx.x www.tld-box.com A -y test:TpCdBiXZ....
>
> successful query:
> 17:25:25 Query: select algorithm, secret from tsigkeys where name=E'test'
> 17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and type='SOA' and name=E'www.tld-box.com'
> 17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and type='SOA' and name=E'tld-box.com'
> 17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and type='NS' and name=E'www.tld-box.com' and domain_id=219708
> 17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and name=E'www.tld-box.com' and domain_id=219708
> 17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and name=E'*.tld-box.com' and domain_id=219708
>
> failing query:
> 17:25:32 Query: select algorithm, secret from tsigkeys where name=E'test'
> 17:25:32 Packet for domain 'www.tld-box.com' denied: TSIG signature mismatch using 'test' and algorithm 'hmac-md5.sig-alg.reg.int.'
>
> I tested with different clients: dig, bind, drill -> same result
>
> I tested with MD5 and SHA256 HMAC -> same result
>
> I tested with self-built PDNS-3.4.8 on Ubuntu 10.4 and PowerDNS' static build of 3.4.8 on Ubuntu 10.4 -> same result
>
> I tested SOA/A queries and AXFR with TSIG: AXFR always works, SOA/A queries mostly fail.
>
> I tested against a self-built PDNS 4.0 (quite old) and there it seems to work.
>
> Any ideas what could be the problem? Was there something related fixed in PDNS 4.0?
>
> Thanks
> Klaus
>
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
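The failure mode described in the thread, modelled as an added example (this is not PowerDNS code; the key, query bytes and TSIG variable bytes are constructed stand-ins): a client signs each query with no prior MAC, a verifier that keeps d_tsigprevious across packets accepts only the first query, and a verifier that resets the prior-MAC state per packet accepts both.

```python
import hmac
import hashlib
import struct

# Constructed sample key; in PowerDNS the secret comes from the tsigkeys table.
SECRET = b"constructed-test-secret"

def tsig_mac_input(message: bytes, tsig_vars: bytes, previous_mac: bytes = b"") -> bytes:
    """Data covered by the TSIG HMAC (RFC 2845). A fresh request has no prior MAC;
    a response or AXFR continuation packet prefixes the previous MAC with its
    16-bit length. This is the role d_tsigprevious plays on the server side."""
    data = b""
    if previous_mac:
        data += struct.pack("!H", len(previous_mac)) + previous_mac
    return data + message + tsig_vars

def sign(message: bytes, tsig_vars: bytes, previous_mac: bytes = b"") -> bytes:
    return hmac.new(SECRET, tsig_mac_input(message, tsig_vars, previous_mac), hashlib.md5).digest()

class StatefulVerifier:
    """Models the reported behaviour: d_tsigprevious is filled by the first
    verified query and never cleared, so the next query's 'message' differs."""
    def __init__(self) -> None:
        self.d_tsigprevious = b""

    def check(self, message: bytes, tsig_vars: bytes, received_mac: bytes) -> bool:
        local_mac = sign(message, tsig_vars, self.d_tsigprevious)
        ok = hmac.compare_digest(local_mac, received_mac)
        if ok:
            self.d_tsigprevious = received_mac  # stale state leaks into the next packet
        return ok

def check_per_packet(message: bytes, tsig_vars: bytes, received_mac: bytes) -> bool:
    """Expected behaviour for independent queries: start from empty prior-MAC state."""
    return hmac.compare_digest(sign(message, tsig_vars), received_mac)

def simulate() -> dict:
    """Client signs two independent queries; return the verdicts of both verifiers."""
    # Constructed stand-ins for the key name, algorithm and time/fudge/error fields.
    tsig_vars = b"test.\x00\xff" + b"hmac-md5.sig-alg.reg.int." + struct.pack("!HIH", 0, 1460000000, 300)
    queries = [b"constructed query 1: www.tld-box.com A", b"constructed query 2: www.tld-box.com SOA"]
    stateful = StatefulVerifier()
    results = {"stateful": [], "per_packet": []}
    for q in queries:
        mac = sign(q, tsig_vars)  # the client has no previous MAC for a fresh query
        results["stateful"].append(stateful.check(q, tsig_vars, mac))
        results["per_packet"].append(check_per_packet(q, tsig_vars, mac))
    return results

if __name__ == "__main__":
    print(simulate())  # {'stateful': [True, False], 'per_packet': [True, True]}
```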
