
Recently the Linux distribution I use (recent Gentoo) upgraded the net-dns package to version 0.74 (from 0.66). Since then, using TSIG on queries and updates does not work anymore. Formerly I used:

```perl
$resolver = Net::DNS::Resolver->new(...);

$resolver->tsig( $keyname, $key );
# ($key as base64 representation)
```

or

```perl
$resolver->tsig( Net::DNS::RR->new( "$keyname TSIG $key" ) );
```

Calling tsig now results in an exception:

```
zone file representation not defined for TSIG at /usr/lib/perl5/vendor_perl/5.18.2/i686-linux/Net/DNS/RR.pm line 683.
```

According to http://search.cpan.org/~nlnetlabs/Net-DNS-0.74/lib/Net/DNS/Resolver.pm#tsig

> tsig() - Get or set the TSIG record used to automatically sign outgoing queries and updates.

my usage of tsig() should be correct.

Using another way of pre-creating the TSIG RR object with:

```perl
my $tsig = Net::DNS::RR->new( type => "TSIG", name => "KEYNAME", key => "KEY" );
$resolver->tsig($tsig);
```

results in "tsig verify failure (BADSIG)" errors in BIND on the server side.

Using $tsig for update packets only:

```perl
my $update = Net::DNS::Update->new( ... );
$update->sign_tsig($tsig);
```

also does not work (BADSIG); the 'simpler' way

```perl
$update->sign_tsig($keyname, $key);
```

does work.

What is the correct way to use TSIG for both query and update packets with the resolver object in Net::DNS >= v0.74?

Perl version is 5.18.2.

What am I doing wrong? Thanks a lot for your hints.

Nico Rittner
  • Did you read the documentation for 0.74? It requires [some additional setup](https://metacpan.org/pod/release/NLNETLABS/Net-DNS-0.74/lib/Net/DNS/RR/TSIG.pm#Configuring-BIND-Nameserver) – David K-J Feb 16 '15 at 11:47
  • Yes, I did. These config lines were and are present. Without them _named_ would not be able to understand TSIG queries/updates at all (BADKEY errors), also from clients with Net::DNS versions below 0.74 (which still work with this setup) – Nico Rittner Feb 16 '15 at 12:55
  • See https://www.mail-archive.com/gentoo-commits@lists.gentoo.org/msg88330.html for a similar problem which was resolved by using a newer version of Net::DNS – Steffen Ullrich Feb 16 '15 at 17:27

1 Answer


The TSIG functionality in Net::DNS had a complete rewrite around 0.74, and most releases since then have had bugfixes for some aspect of TSIG. I'd suggest that you try to forget how it used to work, re-read all the relevant documentation and then change your own code as needed.

Also, 0.74 is (in this context) pretty old. It would probably be a good idea to upgrade to something closer to current (which is 0.82 when I write this).

Calle Dybedahl
  • OK, version 0.82 works. I already changed the code before to match the docs of 0.74. After upgrading to 0.82 the code started working without any further changes. Also, some features/behaviour that should work in 0.74 according to the docs of 0.74 isn't part of the docs of 0.82 anymore. I relied on 0.74 to be stable enough, because it is in the stable branch of Gentoo now. Thanks a lot! – Nico Rittner Feb 16 '15 at 13:59
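For reference, here is the pattern the question describes (one TSIG RR shared by a signed SOA query and a signed dynamic update, with the reply's TSIG checked) as an added example written against the post-rewrite Net::DNS API that the comment reports working in 0.82; it is not code from the question or the answer. The nameserver address, zone, key name and key are placeholders to replace with your own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::DNS;

# Assumed values: documentation address, example zone and a placeholder secret.
# The base64 key must match the "secret" in the server's key {} statement.
my $nameserver = '192.0.2.53';
my $zone       = 'example.com';
my $keyname    = 'updatekey.example.com';
my $key        = 'REPLACE_WITH_BASE64_KEY';

# One TSIG RR built from attributes (not from a zone-file string, which the
# 0.74+ code rejects with "zone file representation not defined for TSIG").
my $tsig = Net::DNS::RR->new(
    name => $keyname,
    type => 'TSIG',
    key  => $key,
);

my $resolver = Net::DNS::Resolver->new(
    nameservers => [$nameserver],
    recurse     => 0,
);
# Every packet sent through this resolver is now signed with $tsig,
# queries and updates alike, so no separate sign_tsig() call is needed.
$resolver->tsig($tsig);

# Signed query. A server configured for this key signs its answer too;
# verifyerr() is set if that signature does not check out on our side.
my $reply = $resolver->send($zone, 'SOA');
die 'query failed: ' . $resolver->errorstring unless $reply;
die 'reply TSIG verification failed: ' . $reply->verifyerr if $reply->verifyerr;
print 'SOA query rcode: ', $reply->header->rcode, "\n";

# Signed dynamic update: add one A record only if the name has no A records yet.
my $update = Net::DNS::Update->new($zone);
$update->push( prerequisite => nxrrset('host.example.com. A') );
$update->push( update       => rr_add('host.example.com. 300 A 192.0.2.10') );

my $upd_reply = $resolver->send($update);
die 'update failed: ' . $resolver->errorstring unless $upd_reply;
die 'update TSIG verification failed: ' . $upd_reply->verifyerr
    if $upd_reply->verifyerr;
# A NOTAUTH rcode together with a BADSIG/BADKEY/BADTIME TSIG error means the
# server rejected our signature: check key name, secret and clock skew.
print 'update rcode: ', $upd_reply->header->rcode, "\n";
```

If the update has to go through an unsigned resolver instead, call `$update->sign_tsig($tsig)` on the packet before sending it.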