Hello Klaus, great debugging! Can you please put this in a ticket so we don't forget? Thank you!

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

On 11 Apr 2016, at 15:52, Klaus Darilion wrote:
Hi!

I tried to debug the issue and here are my findings:

I used tsig-tests as client. I added lots of log messages and dumped various strings (TSIG MAC, message string ...) in the tsig-tests client and in the server.

Usually, when I restart PowerDNS, the first query with TSIG works but subsequent queries fail.

In checkForCorrectTSIG() the received HMAC is compared with the local one. The local HMAC is calculated from the secret and the 'message'. I see that, if the comparison fails, the 'message' on the server side is different from the 'message' on the client side.

So, where does 'message' come from? It comes from q->getTSIGDetails(). In getTSIGDetails() the 'message' is calculated by makeTSIGMessageFromTSIGPacket(). One of the parameters of makeTSIGMessageFromTSIGPacket() is d_tsigprevious. If PowerDNS calculates the 'message' correctly (e.g. on the first query after restart) then d_tsigprevious is empty. If PowerDNS calculates a false 'message', then d_tsigprevious is not empty, but contains the TSIG MAC of the first (the successful) query.

During AXFR d_tsigprevious is always empty as far as I see. But for queries d_tsigprevious is set on the first TSIG query, and reused later. It seems that some data structures are not correctly cleaned up after the first query, and thus the previous MAC is incorrectly also used to calculate the 'message'.

Unfortunately I have not found yet where the data structures are initialized and cleared for every received packet. Any hints are appreciated. (I need help ;-)

Thanks
Klaus

On 08.04.2016 19:48, Klaus Darilion wrote:

Hi!

I made some tests to transfer zones from PDNS using TSIG. The strange thing is that AXFR + TSIG always works. But querying PDNS using TSIG most of the time results in TSIG errors, e.g.:

I query with: dig @xx.xx.xx.x www.tld-box.com A -y test:TpCdBiXZ....

successful query:

17:25:25 Query: select algorithm, secret from tsigkeys where name=E'test'
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and type='SOA' and name=E'www.tld-box.com'
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and type='SOA' and name=E'tld-box.com'
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and type='NS' and name=E'www.tld-box.com' and domain_id=219708
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and name=E'www.tld-box.com' and domain_id=219708
17:25:25 Query: SELECT content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM records WHERE disabled=false and name=E'*.tld-box.com' and domain_id=219708

failing query:

17:25:32 Query: select algorithm, secret from tsigkeys where name=E'test'
17:25:32 Packet for domain 'www.tld-box.com' denied: TSIG signature mismatch using 'test' and algorithm 'hmac-md5.sig-alg.reg.int.'

I tested with different clients: dig, bind, drill -> same result
I tested with MD5 and SHA256 HMAC -> same result
I tested with self-built PDNS-3.4.8 on Ubuntu 10.4 and PowerDNS' static build of 3.4.8 on Ubuntu 10.4 -> same result
I tested SOA/A queries and AXFR with TSIG: AXFR always works, SOA/A queries mostly fail.
I tested against a self-built PDNS 4.0 (quite old) and there it seems to work.

Any ideas what could be the problem? Was there something related fixed in PDNS 4.0?

Thanks
Klaus

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
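The digest input the thread is tracing, as an added illustration that is not PowerDNS code: it builds the TSIG MAC input as RFC 2845 prescribes and shows why a prior MAC left in d_tsigprevious makes the server's 'message' differ from the client's on the second standalone query. The secret, the two query bodies and the timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added illustration, not PowerDNS code: the HMAC input RFC 2845 section 3.4
# prescribes, and the prior-MAC prefix that belongs only to continuation
# packets (section 4.4, e.g. the 2nd..nth packet of an AXFR), never to a
# standalone query.

def name_to_wire(name):
    """Encode a DNS name in canonical (lowercase) wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_variables(keyname, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG variables: key name, class ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (name_to_wire(keyname) + struct.pack("!HI", 255, 0) + name_to_wire(algorithm)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_mac(secret, algorithm, dns_message, variables, previous_mac=b""):
    """Compute the TSIG MAC; previous_mac (with 2-byte length) is prefixed only if set."""
    digest = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}[algorithm]
    data = b""
    if previous_mac:
        data += struct.pack("!H", len(previous_mac)) + previous_mac
    return hmac.new(secret, data + dns_message + variables, digest).digest()

def verify(secret, algorithm, dns_message, variables, received_mac, previous_mac=b""):
    expected = tsig_mac(secret, algorithm, dns_message, variables, previous_mac)
    return hmac.compare_digest(expected, received_mac)

def demo():
    secret, alg = b"constructed-shared-secret", "hmac-md5.sig-alg.reg.int."
    # Constructed stand-ins for two independent queries (DNS message minus its TSIG RR).
    q1, q2 = b"\x12\x34query-1-bytes", b"\x56\x78query-2-bytes"
    v1 = tsig_variables("test", alg, 1460130325, 300)
    v2 = tsig_variables("test", alg, 1460130332, 300)
    mac1 = tsig_mac(secret, alg, q1, v1)  # client signs query 1
    mac2 = tsig_mac(secret, alg, q2, v2)  # client signs query 2 with no prior MAC
    first_ok = verify(secret, alg, q1, v1, mac1)
    # Server that keeps mac1 in d_tsigprevious across packets: query 2 mismatches
    stale_ok = verify(secret, alg, q2, v2, mac2, previous_mac=mac1)
    # Server that resets the previous MAC for every received packet: query 2 verifies
    clean_ok = verify(secret, alg, q2, v2, mac2)
    return first_ok, stale_ok, clean_ok
```

demo() returns (True, False, True): the first query verifies, the second fails while the stale MAC is prefixed, and verifies again once the per-packet state is cleared.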
