Here is what I am trying to do:
Use TSIG to validate the DNS transaction: Query and Response.
I know that TSIG is generally used between two hosts for secured zone transfers. But I am trying to validate a simple Query from my client using TSIG. I have generated a private key at the server using the dnssec-gen tool and then appended a TSIG record at the client side to the outgoing DNS query message.
I am not sure how to enable the BIND server to validate the TSIG RR on the incoming query. I have just added a key configuration in the named.conf file which matches the TSIG RR signed at the client side. When I receive the TSIG-signed DNS query at the server side, the following error message is shown:
request has invalid signature: TSIG mytsigkey: tsig verify failure (BADSIG)
But I strongly feel the MAC I have generated and appended to the DNS query record is correct (I verified it with the Slavasoft HMAC calculator). I am not sure if I am missing anything in the named.conf file.
Below is the config. Any inputs are highly appreciated.
    key "mytsigkey" {
        algorithm hmac-md5;
        secret "AsZN6W/8HJiHoFFaLh/4xg==";
    };

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        allow-transfer { key test_tsig.com; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
    };
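A BADSIG means the server's recomputed HMAC did not match the MAC in the TSIG RR, and a common reason is that the client's HMAC covers the wrong bytes: RFC 2845 requires the MAC of a request to cover the DNS message (without the TSIG RR, ARCOUNT not counting it) followed by the "TSIG variables" (key name, class ANY, TTL 0, algorithm name, time signed, fudge, error, other-len, other data), not the message alone. The following is an added example, not from the question or from BIND, that builds exactly that digest input for hmac-md5 and verifies a request MAC the way a server would; the query bytes and timestamp are constructed, and the key name and secret are the ones from the named.conf above.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: minimal DNS query (ID 0x1234, RD set) for example.com/A,
# with no TSIG RR appended yet, so ARCOUNT is 0.
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")
SECRET_B64 = "AsZN6W/8HJiHoFFaLh/4xg=="   # secret from the named.conf in the question
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int"  # wire algorithm name for hmac-md5

def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_digest_input(msg: bytes, keyname: str, time_signed: int, fudge: int,
                      algname: str = HMAC_MD5_ALG, error: int = 0,
                      other: bytes = b"") -> bytes:
    """Bytes covered by the MAC of a TSIG-signed *request* (RFC 2845 3.4).
    msg must be the message as sent but WITHOUT the TSIG RR itself."""
    tsig_vars = (wire_name(keyname)
                 + struct.pack("!HI", 255, 0)           # CLASS ANY, TTL 0
                 + wire_name(algname)
                 + struct.pack("!Q", time_signed)[2:]   # 48-bit time signed
                 + struct.pack("!HHH", fudge, error, len(other))
                 + other)
    return msg + tsig_vars

def tsig_mac(msg: bytes, keyname: str, secret_b64: str,
             time_signed: int, fudge: int) -> bytes:
    """MAC the client must place in the TSIG RR for this request."""
    key = base64.b64decode(secret_b64)
    return hmac.new(key, tsig_digest_input(msg, keyname, time_signed, fudge),
                    hashlib.md5).digest()

def message_only_mac(msg: bytes, secret_b64: str) -> bytes:
    """What a generic HMAC calculator yields over the raw message only;
    this is NOT a valid TSIG MAC because the TSIG variables are missing."""
    return hmac.new(base64.b64decode(secret_b64), msg, hashlib.md5).digest()

def verify_request_mac(msg: bytes, keyname: str, secret_b64: str,
                       time_signed: int, fudge: int, mac: bytes) -> bool:
    """Server-side check: recompute and compare in constant time."""
    expected = tsig_mac(msg, keyname, secret_b64, time_signed, fudge)
    return hmac.compare_digest(expected, mac)
```

The time-signed and fudge values fed to the verifier must be the ones carried in the TSIG RR, and the server additionally rejects a MAC whose time is outside the fudge window (BADTIME rather than BADSIG).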