Signing Secure dynamic updates

Mark_Andrews at isc.org Mark_Andrews at isc.org
Tue Apr 23 05:47:38 UTC 2002


> 
> Hi
> 
> I am trying to write a small dynamic DNS client that will only update
> BIND zone files securely.
> nsupdate works successfully with my configuration of BIND9.2. (secure
> and insecure updates work with nsupdate).
> 
> I have tried out insecure updates (by configuring BIND9 as
> allow-update {IP address}) with my dynamic DNS client. These insecure
> updates work.
> 
> When I try to sign the updates with TSIG RR, I get a tsig verify error
> in my /var/log/messages. (NOTAUTH and BADSIG errors are there in the
> packet received from the BIND server)
> As I understand from RFC2845 there are three stages of verification
> 1. BADKEY
> 2. BADTIME
> 3. BADSIG
> 
> I have crossed the first two stages (I don't get BADKEY and BADTIME
> errors). I don't think I have a problem with time on both machines.
> But I have been stuck with this BADSIG error for some time.
> 
> I need some inputs as in:
> 1. What is canonical wire format? (could someone give an example)
	
	Did you follow the reference to RFC 2535?

> 2. In what exact order should I give input to the HMAC-MD5 (example if
> you could..). As in, what does "whole and complete DNS message in wire
> format" (section 3.4.1 of RFC2845) mean?

	Exactly what it says.  The message, as if you were about to send
	it out onto the wire, that needs to be signed.

> And what is the order in which I should include the fields of the TSIG
> RR as mentioned in section 3.4.2 of RFC 2845

	In the order shown.

> 3. Section 3.4 of RFC2845 is not very clear to me. If someone could
> explain it with some example it would be great.
> 
> I tried a code walkthrough of nsupdate.c. But the code is not at all
> easy to understand. Please help.

	Look at lib/bind/nameser/ns_sign.c and/or lib/dns/tsig.c.

> 
> Thanks
> 
> regards
> Asmita
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

