more clarification needed on TSIG please
Mark Andrews
Mark_Andrews at isc.org
Tue Jun 29 13:31:32 UTC 2004
> as some of you have been following, I am having issues with TSIG. But only
> one way (WAN -> LAN) ....LAN -> WAN works fine.
>
> So I had presumed it was my config/setup...however when I use dig:
>
> dig mydomain.com @ns1.electric.net AXFR -y ns2.mydomain.com:**********longgarbagehere=
>
> it works. So no matter which TSIG keys I use to/from (WAN or LAN) - I
> cannot make this fail.
> So I know I am setup just fine..
>
> However (as I noted earlier) TSIG will not work for a 'refresh' or when I
> do an 'rndc reload' if I have new zone data.
>
> So, I am thinking this has something to do with the ports used and my Cisco
> firewall....
>
> Does anyone know the port ranges (and types) used for a 'dig' and then for
> the 'automatic refresh' or a reload?
>
> (I do not specify any ports in my named.conf file at all)
>
> I am quite convinced this is a cisco firewall (CBAC) issue but I need more
> information.
This is what named is executing when it performs a refresh
query. It is performed over UDP.
dig +norec -y ns2.mydomain.com:sharedsecret soa mydomain.com @ns1.electric.net
Cisco, in their infinite wisdom, decided to have their NAT
alter the DNS message content when the transport was UDP and
not alter it when it was TCP.
TSIG works by generating a cryptographically secure hash of
the DNS message. Altering the contents of the DNS message
(with the exception of the message id) will cause the TSIG
to fail.
You should be able to verify whether 'no-payload' works or
not by capturing the refresh packet on both sides of
the firewall and seeing if the DNS message in it has been
modified.
If the DNS messages are identical 'no-payload' is working.
By identical I mean every bit with the exception of the
message id.
Mark
> Thanks for ANY help!!!
>
> --
> J.D. Bronson
> Aurora Health Care // Information Services // Milwaukee, WI USA
> Office: 414.978.8282 // Email: jd at aurora.org // Pager: 414.314.8282
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
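The mechanics Mark describes, as an added example that is not part of the thread: a small RFC 2845 TSIG signer and verifier over a refresh-style SOA query, followed by the two things a NAT can do to the packet in flight. The key name ns2.mydomain.com and zone mydomain.com are taken from the post; the shared secret is a constructed value (named.conf holds the real one base64-encoded), the algorithm is HMAC-MD5 as BIND used for TSIG at the time, and the "NAT" is simulated by editing bytes rather than by any real device. Only the request side is modelled (no prior MAC chained in, no time-window check). The last function is the capture comparison Mark suggests: every byte equal except the message id.

```python
"""TSIG (RFC 2845) on a zone-refresh SOA query: sign it, then verify it after the
two things a NAT might do to it in flight.  Added example; not from the post."""
import hashlib
import hmac
import struct
import time

TSIG_TYPE = 250
TYPE_SOA = 6
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHM = "hmac-md5.sig-alg.reg.int"   # the HMAC BIND used for TSIG in 2004
KEY_NAME = "ns2.mydomain.com"            # key name from the post
SECRET = b"constructed-shared-secret"    # constructed; named.conf holds it base64-encoded


def wire_name(name):
    """Dotted name -> uncompressed, lowercased DNS wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split("."))
    return out + b"\x00"


def skip_name(msg, off):
    """Offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_soa_query(msg_id, zone):
    """The refresh query named sends: a non-recursive SOA question (dig +norec soa)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields digested together with the message (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR whose MAC is HMAC-MD5 over the unsigned message + TSIG variables."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge), hashlib.md5).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (wire_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1       # TSIG RR lives in the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(msg, key_name, secret):
    """True iff the trailing TSIG RR verifies.  Request side only: a real verifier also
    checks the time window and, for responses, digests the request MAC first."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar - 1):                       # every RR except the TSIG RR
        off = skip_name(msg, off) + 8
        off += 2 + struct.unpack("!H", msg[off:off + 2])[0]
    tsig_start = off
    name_end = skip_name(msg, off)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[name_end:name_end + 10])
    rd = name_end + 10
    if (msg[tsig_start:name_end] != wire_name(key_name) or rtype != TSIG_TYPE
            or rclass != CLASS_ANY or rd + rdlen != len(msg)):
        return False
    alg_end = skip_name(msg, rd)
    if msg[rd:alg_end] != wire_name(ALGORITHM):
        return False
    time_signed = int.from_bytes(msg[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", msg[alg_end + 6:alg_end + 10])
    mac = msg[alg_end + 10:alg_end + 10 + mac_size]
    p = alg_end + 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", msg[p:p + 6])
    other = msg[p + 6:p + 6 + other_len]
    # Rebuild the bytes the signer digested: its own message id and ARCOUNT, no TSIG RR.
    # This is why a rewritten id is tolerated and any other changed byte is not.
    unsigned = struct.pack("!H", original_id) + msg[2:10] + struct.pack("!H", ar - 1) + msg[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def nat_rewrite_id(msg, new_id):
    """A NAT that only rewrites the 16-bit message id: TSIG survives this."""
    return struct.pack("!H", new_id) + msg[2:]


def nat_alter_payload(msg):
    """A DNS-aware NAT that touches the body: here the first letter of the question
    name (byte 13) changes case.  TSIG does not survive this."""
    return msg[:13] + bytes([msg[13] ^ 0x20]) + msg[14:]


def identical_except_id(inside, outside):
    """The capture test from the post: both sides of the firewall must agree on
    every byte except the two-byte message id."""
    return len(inside) == len(outside) and inside[2:] == outside[2:]


if __name__ == "__main__":
    signed = tsig_sign(build_soa_query(0x1234, "mydomain.com"), KEY_NAME, SECRET)
    print("untouched       :", tsig_verify(signed, KEY_NAME, SECRET))
    print("id rewritten    :", tsig_verify(nat_rewrite_id(signed, 0xBEEF), KEY_NAME, SECRET))
    print("payload altered :", tsig_verify(nat_alter_payload(signed), KEY_NAME, SECRET))
```

Run it as-is and the first two lines print True and the third False, which is the whole point of the thread: the verifier restores the original id from the TSIG RR before recomputing the HMAC, so an id rewrite is harmless, but a NAT that touches anything else in the UDP payload makes the MAC mismatch and the refresh fails with a TSIG error while a TCP AXFR from dig still works.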