more clarification needed on TSIG please

Mark Andrews Mark_Andrews at isc.org
Tue Jun 29 13:31:32 UTC 2004
> as some of you have been following, I am having issues with TSIG. But only 
> one way (WAN -> LAN) ....LAN -> WAN works fine.
> 
> So I had presumed it was my config/setup...however when I use dig:
> 
> dig mydomain.com @ns1.electric.net AXFR -y 
> ns2.mydomain.com:**********longgarbagehere=
> 
> it works. So no matter which TSIG keys I use to/from (WAN or LAN) - I 
> cannot make this fail.
> So I know I am setup just fine..
> 
> However (as I noted earlier) TSIG will not work for a 'refresh' or when I 
> do an 'rndc reload' if I have new zone data.
> 
> So, I am thinking this has something to do with the ports used and my Cisco 
> firewall....
> 
> Does anyone know the port ranges (and types) used for a 'dig' and then for 
> the 'automatic refresh' or a reload?
> 
> (I do not specify any ports in my named.conf file at all)
> 
> I am quite convinced this is a cisco firewall (CBAC) issue but I need more 
> information.

	This is what named is executing when it performs a refresh
	query.  It is performed over UDP.

	dig +norec -y ns2.mydomain.com:sharedsecret soa mydomain.com
		 @ns1.electric.net

	CISCO, in their infinite wisdom, decided to have their NAT
	alter the DNS message content when the transport was UDP and
	not alter it when it was TCP. 

	TSIG works by generating a cryptographically secure hash of
	the DNS message.  Altering the contents of the DNS message
	(with the exception of the message id) will cause the TSIG
	to fail.

	You should be able to verify whether 'no-payload' works or
	not by capturing the refresh packet on both sides of
	the firewall and seeing if the DNS message in it has been
	modified.

	If the DNS messages are identical 'no-payload' is working.
	By identical I mean every bit with the exception of the
	message id.

	Mark
	
> Thanks for ANY help!!!
> 
> 
> 
> -- 
> J.D. Bronson
> Aurora Health Care // Information Services // Milwaukee, WI USA
> Office: 414.978.8282 // Email: jd at aurora.org // Pager: 414.314.8282
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
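The following is an added example, not part of Mark's reply or of BIND itself: a stand-alone
Python implementation of RFC 2845 TSIG (hmac-md5) signing and verification over a hand-built
SOA query of the kind the refresh query above sends, together with the "identical except the
message id" comparison Mark suggests running on captures from both sides of the firewall. It
shows that a middlebox which rewrites only the 16-bit message ID leaves TSIG intact (the TSIG
RR carries the original ID, and the verifier puts it back before recomputing the MAC), while a
rewrite of any payload byte breaks verification. The key name ns2.mydomain.com, the secret,
the zone, the time-signed value and the byte the simulated NAT rewrites are all constructed
values; the verifier also omits the time_signed/fudge window check a real server performs.

```python
import hashlib
import hmac
import struct

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."
TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY = 6, 250, 1, 255


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name without compression, lowercased (RFC 2845 canonical form)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name at off; a 0xC0 compression pointer ends a name in 2 bytes."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_query(msg_id: int, zone: str) -> bytes:
    """Header with flags 0 (RD clear, as with 'dig +norec') and one SOA/IN question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def tsig_variables(name_wire, rclass, ttl, alg_wire, time_signed, fudge, error, other_len):
    """The TSIG variables RFC 2845 appends to the DNS message before computing the MAC."""
    return (name_wire + struct.pack("!HI", rclass, ttl) + alg_wire
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, other_len))


def sign(msg: bytes, key_name: str, secret: bytes, time_signed: int, fudge: int = 300) -> bytes:
    """Append a TSIG RR to msg; the MAC covers msg as it stands (ARCOUNT not yet counting the TSIG RR)."""
    name_wire, alg_wire = encode_name(key_name), encode_name(HMAC_MD5)
    variables = tsig_variables(name_wire, CLASS_ANY, 0, alg_wire, time_signed, fudge, 0, 0)
    mac = hmac.new(secret, msg + variables, hashlib.md5).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (alg_wire + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))  # original ID, error 0, other-len 0
    tsig_rr = name_wire + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def verify(signed: bytes, secret: bytes) -> bool:
    """Re-derive the MAC the way a TSIG-aware server does (time window check omitted here)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4                          # QTYPE + QCLASS
    for _ in range(an + ns + ar - 1):                             # every RR before the final (TSIG) one
        off = skip_name(signed, off) + 8                          # TYPE, CLASS, TTL
        off += 2 + struct.unpack("!H", signed[off:off + 2])[0]   # RDLENGTH + RDATA
    tsig_start = off
    off = skip_name(signed, off)
    name_wire = signed[tsig_start:off]
    rtype, rclass, ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    if rtype != TYPE_TSIG:
        return False
    off += 10
    alg_end = skip_name(signed, off)
    alg_wire = signed[off:alg_end]
    time_hi, time_lo, fudge, mac_size = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    p = alg_end + 10
    mac, p = signed[p:p + mac_size], p + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    # Rebuild exactly what the signer hashed: original ID restored, ARCOUNT decremented, TSIG RR dropped.
    body = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    variables = tsig_variables(name_wire, rclass, ttl, alg_wire, (time_hi << 32) | time_lo, fudge, error, other_len)
    return hmac.compare_digest(hmac.new(secret, body + variables, hashlib.md5).digest(), mac)


def identical_except_id(inside: bytes, outside: bytes) -> bool:
    """Mark's test on two captures: every byte equal except the 2-byte message ID."""
    return len(inside) == len(outside) and inside[2:] == outside[2:]


def demo() -> dict:
    """Constructed key, secret, zone and timestamp; the 'NAT' rewrites are simulated in-process."""
    secret = b"constructed-shared-secret"  # a real key is the base64 blob from tsig-keygen / dnssec-keygen
    signed = sign(build_query(0x1234, "mydomain.com."), "ns2.mydomain.com.", secret, time_signed=1088515892)
    id_only = struct.pack("!H", 0xBEEF) + signed[2:]  # firewall rewrote just the message ID
    payload = bytearray(signed)
    payload[13] ^= 0x20                                 # firewall rewrote one payload byte (first label of the qname)
    payload = bytes(payload)
    return {
        "signed_verifies": verify(signed, secret),
        "id_rewrite_verifies": verify(id_only, secret),
        "id_rewrite_passes_capture_check": identical_except_id(signed, id_only),
        "payload_rewrite_verifies": verify(payload, secret),
        "payload_rewrite_passes_capture_check": identical_except_id(signed, payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the two outcomes Mark describes: the ID-only rewrite still verifies and passes the
capture comparison, while the payload rewrite fails both. To apply the capture check to real traffic,
dump the UDP payload of the refresh query on each side of the firewall (tcpdump -X on port 53 is
enough) and feed the two byte strings to identical_except_id.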