[nsd-users] nsd-xfer using TSIG - read_tsig_key_data()

Matthijs Mekking matthijs at NLnetLabs.nl
Tue Feb 16 10:38:55 CET 2010



Hi Paul,

This info is explained in the README file ;).

But fair enough, I agree that a useful pointer could also be in the manpage.


Best regards,

Matthijs

Paul Wouters wrote:
> 
> Hi,
> 
> I was trying to use nsd-xfer with TSIG, and it took quite some time to
> figure out, as the man page only mentions it is in the form of "tsiginfo".
> 
> I tested and it did not seem to be the same format as a key: section in the
> nsd.conf file (Feature request: use the same format as the key: clause)
> 
> Looking through the source, I was confused about the simplicity of the
> ahum "parser" :)
> 
> read_tsig_key_data() is called with a file pointer and is supposed to
> return the tsig_key_type
> 
> It uses tsig_read_line(), a small routine to read and strip a line.
> 
> The first line read is ignored, apparently it thinks this might contain
> the IP address that is not used, as that is specified on the command line
> to nsd-xfer. It would be a good candidate to go.
> 
> The second line reads the key name, and runs it through dname_parse(). I
> guess to verify the keyname is a valid RRlabel, then stores it.
> 
> The third line reads the key algorithm. Then it runs atoi() on it, so I
> guess me specifying "hmac-md5" was wrong. Looking at RFC2845 didn't give
> me the answer, but apparently I was looking for "157" if I can trust
> tsig.h (and testing shows I can)
> 
> I would have sent a patch if the man pages were kept in xml format, but
> since writing in roff is only barely more fun than stabbing yourself in
> the eye you will have to accept this "diff" in text form:
> 
> old text:
> 
>        -T tsiginfo
>               Use  TSIG  to  verify  the zone transfer. The tsiginfo file must
>               contain the TSIG key information. The file is removed upon  suc-
>               cessful reading of the key.
> 
> new text:
> 
>        -T tsiginfo
>               Use  TSIG  to  verify  the zone transfer. The tsiginfo file must
>               contain the TSIG key information and is removed upon  suc-
>               cessful reading of the key. The file must contain exactly four
>               lines containing the following items in this specific order:
>               <comment>
>               <keyname>
>               <tsig algorithm number>
>               <tsig secret in base64>
> 
>               The keyname must be a valid RRlabel (alphanumeric, dots and "-" only)
>               Currently supported tsig algorithms are 157 (hmac-md5), 158 (hmac-sha1)
>               and 159 (hmac-sha256)
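As an added example (not NSD's code), here is a small Python validator for the four-line tsiginfo format described in the thread, so a file can be checked before it is handed to nsd-xfer; the key name check is an assumption standing in for NSD's dname_parse(), and the sample file contents are constructed.

```python
import base64
import re

# Algorithm numbers the nsd-xfer tsiginfo parser expects, per the thread:
# 157 hmac-md5, 158 hmac-sha1, 159 hmac-sha256.
TSIG_ALGORITHMS = {157: "hmac-md5", 158: "hmac-sha1", 159: "hmac-sha256"}

# Assumed key-name check: labels of alphanumerics and "-" separated by dots,
# optional trailing dot. NSD itself uses dname_parse(), which this imitates.
_KEYNAME_RE = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}\.?$")

# Constructed sample file; the secret is base64 of the bytes b"secret".
SAMPLE_TSIGINFO = """\
comment line: nsd-xfer ignores it
xfer-key.example.
157
c2VjcmV0
"""


def parse_tsiginfo(text):
    """Parse tsiginfo contents into a dict; raise ValueError on any defect."""
    lines = [ln.strip() for ln in text.splitlines()]
    while lines and lines[-1] == "":      # tolerate trailing blank lines only
        lines.pop()
    if len(lines) != 4:
        raise ValueError("tsiginfo must contain exactly four lines, got %d" % len(lines))
    comment, keyname, algo_text, secret_b64 = lines
    if not _KEYNAME_RE.match(keyname):
        raise ValueError("key name %r is not a valid domain name" % keyname)
    if not algo_text.isdigit():
        # nsd-xfer runs atoi() on this line, so a name like "hmac-md5" becomes 0.
        raise ValueError("algorithm must be numeric (157/158/159), got %r" % algo_text)
    algo = int(algo_text)
    if algo not in TSIG_ALGORITHMS:
        raise ValueError("unsupported TSIG algorithm number %d" % algo)
    try:
        secret = base64.b64decode(secret_b64, validate=True)
    except ValueError as exc:              # binascii.Error is a ValueError
        raise ValueError("secret is not valid base64: %s" % exc)
    if not secret:
        raise ValueError("secret is empty")
    return {"comment": comment, "name": keyname.rstrip(".").lower(),
            "algorithm": TSIG_ALGORITHMS[algo], "secret": secret}


def tsiginfo_error(text):
    """Return the validation error message for text, or None if it parses."""
    try:
        parse_tsiginfo(text)
    except ValueError as exc:
        return str(exc)
    return None
```

Running parse_tsiginfo() on a file that names the algorithm as "hmac-md5" instead of 157 fails with a clear message, which is the mistake the thread describes.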
