[nsd-users] nsd-xfer using TSIG - read_tsig_key_data()

Paul Wouters paul at xelerance.com
Tue Feb 16 00:14:18 UTC 2010


Hi,

I was trying to use nsd-xfer with TSIG, and it took quite some time to figure
out, as the man page only mentions it is in the form of "tsiginfo".

I tested and it did not seem to be the same format as a key: section in the
nsd.conf file (Feature request: use the same format as the key: clause)

Looking through the source, I was confused about the simplicity of the ahum "parser" :)

read_tsig_key_data() is called with a file pointer and is supposed to return the tsig_key_type.

It uses tsig_read_line(), a small routine to read and strip a line.

The first line read is ignored; apparently it thinks this might contain the IP address,
which is not used, as that is specified on the command line to nsd-xfer. It would be a
good candidate to go.

The second line reads the key name, and runs it through dname_parse(). I guess to verify
the keyname is a valid RRlabel, then stores it.

The third line reads the key algorithm. Then it runs atoi() on it, so I guess my specifying
"hmac-md5" was wrong. Looking at RFC2845 didn't give me the answer, but apparently I was
looking for "157" if I can trust tsig.h (and testing shows I can).

I would have sent a patch if the man pages were kept in xml format, but
since writing in roff is only barely more fun than stabbing yourself in
the eye you will have to accept this "diff" in text form:

old text:

        -T tsiginfo
               Use  TSIG  to  verify  the zone transfer. The tsiginfo file must
               contain the TSIG key information. The file is removed upon  suc-
               cessful reading of the key.

new text:

        -T tsiginfo
               Use  TSIG  to  verify  the zone transfer. The tsiginfo file must
               contain the TSIG key information and is removed upon  suc-
               cessful reading of the key. The file must contain exactly four
               lines containing the following items in this specific order:
               <comment>
               <keyname>
               <tsig algorithm number>
               <tsig secret in base64>

               The keyname must be a valid RRlabel (alphanumeric, dots and "-" only).
               Currently supported tsig algorithms are 157 (hmac-md5), 158 (hmac-sha1)
               and 159 (hmac-sha256).
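The four-line layout described in the post, as an added example (this is not NSD's code and not from the post): a small Python parser that checks a tsiginfo file the way a practitioner would want read_tsig_key_data() to, rejects the "hmac-md5"-on-line-three mistake with a hint instead of letting atoi() turn it into 0, and a helper that generates the tsiginfo file from an nsd.conf key: clause (the feature request above). The algorithm numbers 157/158/159 and the line order come from the post; the key: clause layout (name:, algorithm:, secret: lines) and the sample key are assumptions/constructed.

```python
"""Parser and generator for the four-line tsiginfo file read by nsd-xfer -T.

Added illustration, not NSD's own code. The file layout (comment, key name,
algorithm number, base64 secret) and the algorithm numbers 157/158/159 are
taken from the mailing-list post; the nsd.conf key: clause layout assumed in
tsiginfo_from_nsd_conf() (name:, algorithm:, secret: lines) is an assumption.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Algorithm numbers as the post reports them from NSD's tsig.h.
TSIG_ALGORITHMS = {157: "hmac-md5", 158: "hmac-sha1", 159: "hmac-sha256"}
ALGORITHM_NUMBER = {name: num for num, name in TSIG_ALGORITHMS.items()}

# One DNS label: letters, digits and "-" (the character set the post gives for the key name).
_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


class TsigInfoError(ValueError):
    """Raised when a tsiginfo file does not have the expected four-line layout."""


@dataclass
class TsigKey:
    name: str        # key name, without trailing dot
    algorithm: int   # TSIG algorithm number, e.g. 157 for hmac-md5
    secret: bytes    # decoded shared secret


def validate_keyname(keyname: str) -> str:
    """Check that the key name is a dotted sequence of valid labels."""
    name = keyname.rstrip(".")
    labels = name.split(".")
    if not name or not all(_LABEL_RE.match(label) for label in labels):
        raise TsigInfoError(f"invalid key name {keyname!r}: labels may contain only letters, digits and '-'")
    return name


def parse_tsiginfo(text: str) -> TsigKey:
    """Parse tsiginfo text: line 1 comment, line 2 key name, line 3 algorithm number, line 4 base64 secret."""
    lines = [line.strip() for line in text.splitlines()]
    while lines and lines[-1] == "":   # tolerate trailing blank lines only
        lines.pop()
    if len(lines) != 4:
        raise TsigInfoError(f"expected exactly four lines, got {len(lines)}")
    _comment, keyname, algorithm, secret = lines
    name = validate_keyname(keyname)
    # The real parser runs atoi() on this line, so a name like "hmac-md5" silently becomes 0.
    if not algorithm.isdigit():
        hint = ALGORITHM_NUMBER.get(algorithm.lower())
        suffix = f" (for {algorithm} use {hint})" if hint else ""
        raise TsigInfoError(f"algorithm must be a number, not {algorithm!r}{suffix}")
    number = int(algorithm)
    if number not in TSIG_ALGORITHMS:
        raise TsigInfoError(f"unsupported algorithm number {number}; known: {sorted(TSIG_ALGORITHMS)}")
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise TsigInfoError(f"secret is not valid base64: {exc}") from exc
    if not raw:
        raise TsigInfoError("secret is empty")
    return TsigKey(name=name, algorithm=number, secret=raw)


def tsiginfo_from_nsd_conf(conf_text: str, comment: str = "generated from nsd.conf") -> str:
    """Build tsiginfo text from an nsd.conf key: clause (assumed layout: name:, algorithm:, secret: lines)."""
    def field(key: str) -> str:
        m = re.search(rf'^\s*{key}:\s*"?([^"\s]+)"?\s*$', conf_text, re.MULTILINE)
        if not m:
            raise TsigInfoError(f"key: clause has no {key}: line")
        return m.group(1)
    name = validate_keyname(field("name"))
    alg_name = field("algorithm").lower()
    if alg_name not in ALGORITHM_NUMBER:
        raise TsigInfoError(f"unknown algorithm name {alg_name!r}")
    info = f"{comment}\n{name}\n{ALGORITHM_NUMBER[alg_name]}\n{field('secret')}\n"
    parse_tsiginfo(info)  # round-trip check before handing the file to nsd-xfer
    return info


# Constructed sample input (not a real key).
SAMPLE_NSD_CONF = '''
key:
    name: "xfer-key.example"
    algorithm: hmac-md5
    secret: "c2VjcmV0"
'''

if __name__ == "__main__":
    info = tsiginfo_from_nsd_conf(SAMPLE_NSD_CONF)
    print(info, end="")
    print(parse_tsiginfo(info))
```

Note that nsd-xfer removes the tsiginfo file after reading it, so regenerate it from the key: clause each time rather than keeping a copy around; the round-trip check in tsiginfo_from_nsd_conf() catches a bad secret or algorithm name before the transfer is attempted.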
