Hi,

I was trying to use nsd-xfer with TSIG, and it took quite some time to figure out, as the man page only mentions it is in the form of "tsiginfo".

I tested and it did not seem to be the same format as a key: section in the nsd.conf file (Feature request: use the same format as the key: clause).

Looking through the source, I was confused about the simplicity of the ahum "parser" :)

read_tsig_key_data() is called with a file pointer and is supposed to return the tsig_key_type. It uses tsig_read_line(), a small routine to read and strip a line.

The first line read is ignored; apparently it thinks this might contain the IP address, which is not used, as that is specified on the command line to nsd-xfer. It would be a good candidate to go.

The second line reads the key name, and runs it through dname_parse(), I guess to verify the keyname is a valid RRlabel, then stores it.

The third line reads the key algorithm. Then it runs atoi() on it, so I guess me specifying "hmac-md5" was wrong. Looking at RFC2845 didn't give me the answer, but apparently I was looking for "157" if I can trust tsig.h (and testing shows I can).

I would have sent a patch if the man pages were kept in XML format, but since writing in roff is only barely more fun than stabbing yourself in the eye, you will have to accept this "diff" in text form:

old text:

    -T tsiginfo
            Use TSIG to verify the zone transfer. The tsiginfo file must
            contain the TSIG key information. The file is removed upon
            successful reading of the key.

new text:

    -T tsiginfo
            Use TSIG to verify the zone transfer. The tsiginfo file must
            contain the TSIG key information and is removed upon
            successful reading of the key. The file must contain exactly
            four lines containing the following items in this specific
            order:
                <comment>
                <keyname>
                <tsig algorithm number>
                <tsig secret in base64>

            The keyname must be a valid RRlabel (alphanumeric, dots and
            "-" only).
            Currently supported TSIG algorithms are 157 (hmac-md5),
            158 (hmac-sha1) and 159 (hmac-sha256).
Matthijs Mekking
2010-Feb-16 09:38 UTC
[nsd-users] nsd-xfer using TSIG - read_tsig_key_data()
Hi Paul,

This info is explained in the README file ;). But fair enough, I agree that a useful pointer could also be in the manpage.

Best regards,
  Matthijs

Paul Wouters wrote:
> Hi,
>
> I was trying to use nsd-xfer with TSIG, and it took quite some time to
> figure out, as the man page only mentions it is in the form of "tsiginfo".
>
> I tested and it did not seem to be the same format as a key: section in the
> nsd.conf file (Feature request: use the same format as the key: clause).
>
> Looking through the source, I was confused about the simplicity of the
> ahum "parser" :)
>
> read_tsig_key_data() is called with a file pointer and is supposed to
> return the tsig_key_type. It uses tsig_read_line(), a small routine to
> read and strip a line.
>
> The first line read is ignored; apparently it thinks this might contain
> the IP address, which is not used, as that is specified on the command
> line to nsd-xfer. It would be a good candidate to go.
>
> The second line reads the key name, and runs it through dname_parse(), I
> guess to verify the keyname is a valid RRlabel, then stores it.
>
> The third line reads the key algorithm. Then it runs atoi() on it, so I
> guess me specifying "hmac-md5" was wrong. Looking at RFC2845 didn't give
> me the answer, but apparently I was looking for "157" if I can trust
> tsig.h (and testing shows I can).
>
> I would have sent a patch if the man pages were kept in XML format, but
> since writing in roff is only barely more fun than stabbing yourself in
> the eye, you will have to accept this "diff" in text form:
>
> old text:
>
>     -T tsiginfo
>             Use TSIG to verify the zone transfer. The tsiginfo file must
>             contain the TSIG key information. The file is removed upon
>             successful reading of the key.
>
> new text:
>
>     -T tsiginfo
>             Use TSIG to verify the zone transfer. The tsiginfo file must
>             contain the TSIG key information and is removed upon
>             successful reading of the key. The file must contain exactly
>             four lines containing the following items in this specific
>             order:
>                 <comment>
>                 <keyname>
>                 <tsig algorithm number>
>                 <tsig secret in base64>
>
>             The keyname must be a valid RRlabel (alphanumeric, dots and
>             "-" only).
>             Currently supported TSIG algorithms are 157 (hmac-md5),
>             158 (hmac-sha1) and 159 (hmac-sha256).
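An added example, my own code rather than anything from NSD, for the four-line tsiginfo format described in Paul's message and quoted in the reply above. It does two things the thread calls for: it generates the file from the values an nsd.conf key: clause carries (key name, algorithm name, base64 secret), mapping the algorithm name to the number nsd-xfer's atoi() expects, and it parses such a file while rejecting what read_tsig_key_data() would silently mis-handle (a non-numeric algorithm line, a wrong line count, a secret that is not base64), then unlinks the file after a successful read as nsd-xfer does. The algorithm numbers 157/158/159 are the ones quoted from tsig.h in the message; the key-name check is my conservative reading of "alphanumeric, dots and '-' only", not a reimplementation of dname_parse(); the sample key in roundtrip_demo() is constructed and is not a real secret.

```python
"""Write and parse the four-line "tsiginfo" file that nsd-xfer -T reads.

Added example, not NSD's own code.  Line 1: ignored comment, line 2: key
name, line 3: numeric algorithm id (157/158/159 as quoted from tsig.h on
the list), line 4: base64 secret.  The name rule and unlink-after-read are
my reimplementation of the behaviour described in the message.
"""
import base64
import binascii
import os
import re
import tempfile

# Algorithm numbers as quoted from tsig.h in the message.
TSIG_ALGORITHMS = {157: "hmac-md5", 158: "hmac-sha1", 159: "hmac-sha256"}
ALGORITHM_NUMBERS = {v: k for k, v in TSIG_ALGORITHMS.items()}

# Conservative reading of "alphanumeric, dots and '-' only" (assumption:
# NSD's dname_parse() accepts more than this, e.g. escapes).
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


class TsigInfoError(ValueError):
    """Raised for any file that nsd-xfer should not be handed."""


def validate_keyname(name):
    """Return the key name without a trailing dot, or raise TsigInfoError."""
    bare = name[:-1] if name.endswith(".") else name
    if not bare:
        raise TsigInfoError("empty key name")
    for label in bare.split("."):
        if not _LABEL_RE.match(label):
            raise TsigInfoError("invalid label %r in key name" % label)
    return bare


def parse_tsiginfo(text):
    """Parse the four-line format; return (keyname, algorithm name, secret bytes)."""
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) != 4:
        raise TsigInfoError("expected exactly 4 lines, got %d" % len(lines))
    _comment, name, algo, secret = lines
    keyname = validate_keyname(name)
    # nsd-xfer runs atoi() on this line, so "hmac-md5" would silently become
    # 0; insist on a decimal number from the known table instead.
    if not algo.isdigit() or int(algo) not in TSIG_ALGORITHMS:
        raise TsigInfoError("unsupported algorithm %r (use 157, 158 or 159)" % algo)
    try:
        secret_bytes = base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        raise TsigInfoError("secret is not valid base64: %s" % exc)
    if not secret_bytes:
        raise TsigInfoError("empty secret")
    return keyname, TSIG_ALGORITHMS[int(algo)], secret_bytes


def read_tsiginfo(path, unlink=True):
    """Read the file and, like nsd-xfer, remove it after a successful parse."""
    with open(path) as fh:
        result = parse_tsiginfo(fh.read())
    if unlink:
        os.unlink(path)  # the file holds the shared secret; do not leave it around
    return result


def write_tsiginfo(path, keyname, algorithm, secret_b64, comment="generated"):
    """Write the file nsd-xfer expects from nsd.conf key: clause values.

    The algorithm name is mapped to its number; the file is created 0600
    because it carries the shared secret.
    """
    if algorithm not in ALGORITHM_NUMBERS:
        raise TsigInfoError("unknown algorithm %r" % algorithm)
    validate_keyname(keyname)
    base64.b64decode(secret_b64, validate=True)  # fail early on a bad secret
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("%s\n%s\n%d\n%s\n" % (comment, keyname,
                                       ALGORITHM_NUMBERS[algorithm], secret_b64))
    return path


def roundtrip_demo():
    """Write a constructed key, read it back, and report whether the file is gone."""
    secret = base64.b64encode(b"not-a-real-secret").decode()  # constructed sample
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.close()
    write_tsiginfo(tmp.name, "xfer.example.org", "hmac-sha256", secret)
    name, algo, raw = read_tsiginfo(tmp.name)
    return name, algo, raw, os.path.exists(tmp.name)


if __name__ == "__main__":
    print(roundtrip_demo())
```

Running the module writes a temporary tsiginfo, reads it back and prints the parsed tuple plus False for "file still exists". Because write_tsiginfo() refuses an unknown algorithm name and parse_tsiginfo() refuses a non-numeric algorithm line, the mistake described in the message (putting "hmac-md5" on line 3) is caught before nsd-xfer ever sees the file.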