strange TSIG problems


strange TSIG problems

Klaus Darilion-2
Hi!

I made some tests to transfer zones from PDNS using TSIG. The strange
thing is that AXFR + TSIG always works, but querying PDNS using TSIG
most of the time results in TSIG errors, e.g.:

I query with:
dig @xx.xx.xx.x www.tld-box.com A -y test:TpCdBiXZ....

successful query:
17:25:25 Query: select algorithm, secret from tsigkeys where name=E'test'
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and type='SOA' and name=E'www.tld-box.com'
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and type='SOA' and name=E'tld-box.com'
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and type='NS' and name=E'www.tld-box.com'
and domain_id=219708
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and name=E'www.tld-box.com' and
domain_id=219708
17:25:25 Query: SELECT
content,ttl,prio,type,domain_id,disabled::int,name,auth::int FROM
records WHERE disabled=false and name=E'*.tld-box.com' and domain_id=219708

failing query:
17:25:32 Query: select algorithm, secret from tsigkeys where name=E'test'
17:25:32 Packet for domain 'www.tld-box.com' denied: TSIG signature
mismatch using 'test' and algorithm 'hmac-md5.sig-alg.reg.int.'


I tested with different clients: dig, bind, drill -> same result

I tested with MD5 and SHA256 HMAC -> same result

I tested with self-built PDNS-3.4.8 on Ubuntu 10.4 and PowerDNS' static
build of 3.4.8 on Ubuntu 10.4  -> same result

I tested SOA/A queries and AXFR with TSIG: AXFR always works, SOA/A
queries mostly fail.

I tested against a self-built PDNS 4.0 (quite old) and there it seems to
work.

Any ideas what could be the problem? Was there something related fixed
in PDNS 4.0?

Thanks
Klaus

_______________________________________________
Pdns-users mailing list
[hidden email]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: strange TSIG problems

Klaus Darilion-2
Hi!

I tried to debug the issue and here are my findings:

I used tsig-tests as client. I added lots of log messages and dumped
various strings (TSIG MAC, message string ...) in the tsig-tests client
and in the server.

Usually, when I restart PowerDNS, the first query with TSIG works but
subsequent queries fail.

In checkForCorrectTSIG() the received HMAC is compared with the local
one. The local HMAC is calculated from the secret and the 'message'. I
see that, if comparison fails, the 'message' on server side is different
to the 'message' on the client side. So, where does 'message' come from?
It comes from q->getTSIGDetails().

In getTSIGDetails() the 'message' is calculated by
makeTSIGMessageFromTSIGPacket().

One of the parameters of makeTSIGMessageFromTSIGPacket() is
d_tsigprevious. If PowerDNS calculates the 'message' correctly (e.g. on
first query after restart) then d_tsigprevious is empty. If PowerDNS
calculates a false 'message', then d_tsigprevious is not empty, but
contains the TSIG MAC of the first (the successful) query.

During AXFR d_tsigprevious is always empty as far as I see. But for
queries d_tsigprevious is set on the first TSIG query, and reused later.

It seems that some data structures are not correctly cleaned up after
the first query, and thus the previous MAC is incorrectly also used to
calculate the 'message'.

Unfortunately I have not found yet where the data structures are
initialized and cleared for every received packet. Any hints are
appreciated. (I need help ;-)

Thanks
Klaus




On 08.04.2016 19:48, Klaus Darilion wrote:
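The mechanism Klaus describes above can be reproduced in a few lines. The following is an added illustration, not PowerDNS code and not from either poster: it computes a TSIG request MAC the way RFC 2845 section 3.4 prescribes (HMAC over the unsigned DNS message plus the TSIG "variables"), and it models a server that either clears its "previous MAC" between independent queries or, as in the bug report, keeps the MAC of the last accepted query and prepends it to the next query's digest input. The key secret, timestamp, query name and the `StatefulVerifier` class are constructed for the demonstration; the digest input uses a raw unsigned query rather than stripping a TSIG RR from a signed one.

```python
"""Why a stale 'previous MAC' breaks TSIG verification of standalone queries.

Added example, not part of PowerDNS. RFC 2845: the digest input for a
request is  message || TSIG variables.  Only responses and the 2nd..nth
message of a multi-message answer (AXFR) prefix a length-tagged prior MAC.
"""
import hashlib
import hmac
import struct

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."   # algorithm name seen in the thread's log line


def encode_name(name: str) -> bytes:
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Minimal unsigned query: header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname: str, algorithm: str, time_signed: int,
                   fudge: int = 300, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG RDATA fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (encode_name(keyname)
            + struct.pack("!HI", 255, 0)                      # CLASS ANY, TTL 0
            + encode_name(algorithm)
            + struct.pack("!HIH", time_signed >> 32,           # 48-bit time signed
                          time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)


def tsig_mac(secret: bytes, message: bytes, variables: bytes,
             previous_mac: bytes = b"") -> bytes:
    """HMAC-MD5 over [len(prev)||prev] || message || variables."""
    data = b""
    if previous_mac:                       # only legitimate for responses / AXFR continuation
        data += struct.pack("!H", len(previous_mac)) + previous_mac
    data += message + variables
    return hmac.new(secret, data, hashlib.md5).digest()


def verify(secret: bytes, message: bytes, variables: bytes,
           received_mac: bytes, previous_mac: bytes = b"") -> bool:
    expected = tsig_mac(secret, message, variables, previous_mac)
    return hmac.compare_digest(expected, received_mac)


class StatefulVerifier:
    """Constructed model of the server side.

    reset_between_queries=True  : previous MAC cleared after every packet (correct).
    reset_between_queries=False : the last accepted MAC is carried into the next
                                  query's digest input, like d_tsigprevious in the report.
    """

    def __init__(self, secret: bytes, reset_between_queries: bool):
        self.secret = secret
        self.reset = reset_between_queries
        self.previous = b""

    def check(self, message: bytes, variables: bytes, received_mac: bytes) -> bool:
        ok = verify(self.secret, message, variables, received_mac, self.previous)
        if ok:
            self.previous = b"" if self.reset else received_mac
        return ok


def demo() -> dict:
    """Two independent signed queries against a correct and a stale-state verifier."""
    secret = b"constructed-demo-secret"          # constructed, not a real key
    keyname, ts = "test", 1460136325             # constructed timestamp
    variables = tsig_variables(keyname, HMAC_MD5, ts)
    queries = [build_query("www.tld-box.com", qid=1), build_query("www.tld-box.com", qid=2)]
    # The client signs each standalone query with no previous MAC, as RFC 2845 requires.
    macs = [tsig_mac(secret, q, variables) for q in queries]

    results = {}
    for label, reset in (("correct", True), ("stale_previous", False)):
        server = StatefulVerifier(secret, reset_between_queries=reset)
        results[label] = [server.check(q, variables, m) for q, m in zip(queries, macs)]
    return results


if __name__ == "__main__":
    print(demo())   # correct: [True, True]; stale_previous: [True, False]
```

Running `demo()` shows the exact pattern in the thread: the first query after the "restart" passes on both verifiers, and the second query fails only on the verifier that still holds the first query's MAC. The defensive takeaway is that per-packet TSIG state (previous MAC, key name, signed time) must be reset or be local to each packet, and that a verifier should log which digest input variant it used when a mismatch occurs, since the failure looks identical to a wrong key from the client's side.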
Re: strange TSIG problems

Peter van Dijk
Hello Klaus,

Great debugging! Can you please put this in a ticket so we don’t
forget? Thank you!

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

On 11 Apr 2016, at 15:52, Klaus Darilion wrote: