Signing Secure dynamic updates

Mark_Andrews at isc.org Mark_Andrews at isc.org
Tue Apr 23 22:17:52 UTC 2002


> 
> Hi
> 
> Thanks a lot for your response.
> 
> >> 1. What is canonical wire format? (could someone give an example)
> >        Did you follow the reference to RFC 2535?
> 
> Attaching an example below. Do let me know if I have understood it
> correctly.
> If the domain name is
> bind.isc.org then the canonical wire format is
> 4 'b' 'i' 'n' 'd' 3 'i' 's' 'c' 3 'o' 'r' 'g' 0
> 
> (where 'b' is the ascii value of b)
> Am I correct?

	Yes.

> 
> Also, I have generated the key using dnssec-keygen. So in my client I
> have to base64 decode the key and use it while signing the message.

	Correct.
 
> Do I have to attach the generated signature (digest) to the message in
> base64 encoded format?

	No.  It is sent raw as part of the TSIG.  You only convert it to
	base64 when you want to display it.

	Mark

> 
> Please help
> 
> Thanks
> 
> regards
> Asmita
> 
> Mark_Andrews at isc.org wrote in message news:<aa2sua$p4v at pub3.rc.vix.com>...
> > > 
> > > Hi
> > > 
> > > I am trying to write a small dynamic DNS client that will only update
> > > BIND zone files securely.
> > > nsupdate works successfully with my configuration of BIND9.2. (secure
> > > and insecure updates work with nsupdate).
> > > 
> > > I have tried out insecure updates (by configuring BIND9 as
> > > allow-update {IP address}) with my dynamic DNS client. These insecure
> > > updates work.
> > > 
> > > When I try to sign the updates with TSIG RR, I get a tsig verify error
> > > in my /var/log/messages. (NOTAUTH and BADSIG errors are there in the
> > > packet received from the BIND server)
> > > As I understand from RFC2845 there are three stages of verification
> > > 1. BADKEY
> > > 2. BADTIME
> > > 3. BADSIG
> > > 
> > > I have crossed the first two stages (I don't get BADKEY and BADTIME
> > > errors). I don't think I have a problem with time on both machines.
> > > But I am stuck with this BADSIG error for some time.
> > > 
> > > I need some inputs as in:
> > > 1. What is canonical wire format? (could someone give an example)
> > 	
> > 	Did you follow the reference to RFC 2535?
> > 
> > > 2. In what exact order should I give input to the HMAC-MD5 (example if
> > > you could..). As in, what does "whole and complete DNS message in wire
> > > format" (section 3.4.1 of RFC2845) mean?
> > 
> > 	Exactly what it says.  The message, as if you were about to send
> > 	it out onto the wire, that needs to be signed.
> > 
> > > And what is the order in which I should include the fields of the TSIG
> > > RR as mentioned in section 3.4.2 of RFC 2845
> > 
> > 	In the order shown.
> > 
> > > 3. Section 3.4 of RFC2845 is not very clear to me. If someone could
> > > explain it with some example it would be great.
> > > 
> > > I tried a code walkthrough of nsupdate.c. But the code is not at all
> > > easy to understand. Please help.
> > 
> > 	Look at lib/bind/nameser/ns_sign.c and/or lib/dns/tsig.c.
> > 
> > > 
> > > Thanks
> > > 
> > > regards
> > > Asmita
> > >
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
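A worked example of the signing steps discussed in this thread, added here as illustration (it is not Mark's or ISC's code and is independent of nsupdate or ns_sign.c): the canonical wire format of a name, the RFC 2845 section 3.4 digest input (the message as it would go on the wire before the TSIG RR is added, then the TSIG variables in the order shown), and the raw MAC carried in the appended TSIG RR. The key name "update-key", the zone example.org and the base64 secret are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

def canonical_name(name):
    """RFC 2535 canonical wire format: lowercase, uncompressed, each label
    prefixed by its length, terminated by the zero-length root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_variables(keyname, algorithm, time_signed, fudge, error=0, other=b""):
    """RFC 2845 s3.4.2 fields in the order shown: NAME, CLASS (ANY=255),
    TTL (0), algorithm, 48-bit time signed, fudge, error, other len, other."""
    return (canonical_name(keyname) + struct.pack("!HI", 255, 0)
            + canonical_name(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(key_b64, message, keyname, time_signed, fudge=300,
             algorithm="hmac-md5.sig-alg.reg.int"):
    """HMAC-MD5 over the request exactly as it would go on the wire before the
    TSIG RR is added (s3.4.1), followed by the TSIG variables (s3.4.2).
    The secret is the base64 text from dnssec-keygen, decoded to raw bytes."""
    key = base64.b64decode(key_b64)
    data = message + tsig_variables(keyname, algorithm, time_signed, fudge)
    return hmac.new(key, data, hashlib.md5).digest()  # 16 raw bytes, not base64

def append_tsig(message, key_b64, keyname, time_signed, fudge=300,
                algorithm="hmac-md5.sig-alg.reg.int"):
    """Append the TSIG RR (type 250, class ANY, TTL 0) carrying the raw MAC
    and bump ARCOUNT; the MAC was computed over `message` with the old count."""
    mac = tsig_mac(key_b64, message, keyname, time_signed, fudge, algorithm)
    rdata = (canonical_name(algorithm)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    rr = canonical_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

# Constructed sample: an UPDATE request (opcode 5) naming zone example.org with
# an empty update section, and a made-up secret standing in for a keygen key.
SAMPLE_MSG = (struct.pack("!HHHHHH", 0x1234, 5 << 11, 1, 0, 0, 0)
              + canonical_name("example.org") + struct.pack("!HH", 6, 1))  # SOA IN
SAMPLE_KEY = base64.b64encode(b"constructed-demo-secret").decode()
```

Calling append_tsig(SAMPLE_MSG, SAMPLE_KEY, "update-key", int(time.time())) yields the bytes to send; the server recomputes the same HMAC from its copy of the key, so any byte that differs between what was digested and what was sent (a changed ARCOUNT, a compressed or mixed-case name, a base64-encoded MAC) produces exactly the BADSIG seen above.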

