Closed ximon18 closed 3 days ago
So, fixing that broke the `interop::tsig_client_sequence_nsd` test. I've pushed a hacky "fix" which makes both signing of server response sequences acceptable to NSD and checking of client sequences produced by NSD acceptable to domain.

Feels to me the fix should be to call `self.context.apply_signature(mac.as_ref())` in `ServerSequence::answer_with_fudge` before returning?

(The issue of not being able to push the TSIG record notwithstanding. Perhaps that should be a separate PR?)
Obsoleted by #356
When transferring large signed responses, e.g. an AXFR of a large zone, which doesn't fit in a single response message, the TSIG signatures generated by the domain `tsig` module code are rejected by `dig`, BIND and NSD as invalid. This PR makes the issue I was seeing go away.

Example error from BIND 9:
Example successes with this PR:
DIG 9:
BIND 9:
NSD 4.8.0:
I've marked this as a DRAFT PR because it doesn't completely handle the "TSIG RR doesn't fit" case, nor does it add unit tests or update the interop test to actually fail (e.g. by using `dig` instead of `drill`, as the latter doesn't seem to actually verify the TSIG signatures), and this was only a first quick attempt to fix the issue.

Tested manually with BIND/dig 9.18.26 and NSD 4.8.0.
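The failure described in this PR (a multi-message signed response such as an AXFR being rejected by `dig`, BIND and NSD) and the fix suggested in the comment above (feeding each computed MAC back into the signing context) both come down to how RFC 8945 section 5.3.1 chains MACs across a response sequence: the first message is signed over the request MAC, the message and the full TSIG variables, while every later message is signed over the previous message's MAC, the message and only the timers. The following is an added Python model of that chaining; it is not code from the `domain` crate or from this PR. `ServerSequence`, `ClientSequence`, `run_transfer`, the key, key name and envelope bytes are all constructed for the illustration, and the byte layout of the TSIG variables is a simplified model rather than wire-exact DNS names and RR fields. The `chain=False` mode, in which the server keeps signing every envelope against the request MAC instead of the running MAC, is assumed here as one way the chaining can break; a verifier that chains correctly then rejects every message after the first.

```python
"""TSIG MAC chaining across a multi-message response (RFC 8945 section 5.3.1).

Added illustration, not code from the `domain` crate.  DNS messages are
treated as opaque byte strings (the bytes left once the TSIG RR is stripped
and ARCOUNT decremented); the TSIG-variables encoding is a simplified,
constructed layout, not wire-exact DNS names and RR fields.
"""
import hashlib
import hmac
import struct

ALGORITHM = b"hmac-sha256"


def length_prefixed(mac: bytes) -> bytes:
    """MACs enter the hash as 2-octet length + MAC (RFC 8945 frames the request
    MAC this way; this model uses the same framing for the running MAC)."""
    return struct.pack(">H", len(mac)) + mac


def timers(time_signed: int, fudge: int) -> bytes:
    """'TSIG Timers': 48-bit time signed followed by 16-bit fudge."""
    return struct.pack(">HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)


def tsig_variables(key_name: bytes, time_signed: int, fudge: int) -> bytes:
    """Variables covered only by the first message of a sequence: key name,
    class ANY (255), TTL 0, algorithm, timers, error 0, no other data.
    Name and algorithm are raw bytes here (model, not wire format)."""
    return (key_name + struct.pack(">HI", 255, 0) + ALGORITHM
            + timers(time_signed, fudge) + struct.pack(">HH", 0, 0))


def mac_input(prior: bytes, message: bytes, first: bool,
              key_name: bytes, time_signed: int, fudge: int) -> bytes:
    """First message: request MAC + message + full TSIG variables.
    Later messages: prior MAC + message + timers only."""
    tail = tsig_variables(key_name, time_signed, fudge) if first else timers(time_signed, fudge)
    return length_prefixed(prior) + message + tail


class ServerSequence:
    """Signs successive response messages; `prior` is the running MAC."""

    def __init__(self, key: bytes, key_name: bytes, request_mac: bytes, chain: bool = True):
        self.key, self.key_name, self.prior = key, key_name, request_mac
        self.first, self.chain = True, chain

    def sign(self, message: bytes, time_signed: int, fudge: int = 300) -> bytes:
        data = mac_input(self.prior, message, self.first, self.key_name, time_signed, fudge)
        mac = hmac.new(self.key, data, hashlib.sha256).digest()
        self.first = False
        if self.chain:
            # Feed the signature just produced back into the context so the next
            # message chains from it.  With chain=False the context keeps using
            # the request MAC (assumed here as one way the chaining can break).
            self.prior = mac
        return mac


class ClientSequence:
    """Verifies a sequence the way a chaining verifier does: each MAC must
    chain from the previous accepted one, and the signed timers are checked."""

    def __init__(self, key: bytes, key_name: bytes, request_mac: bytes):
        self.key, self.key_name, self.prior, self.first = key, key_name, request_mac, True

    def verify(self, message: bytes, time_signed: int, fudge: int, mac: bytes, now: int) -> bool:
        if abs(now - time_signed) > fudge:
            return False                       # outside the fudge window
        data = mac_input(self.prior, message, self.first, self.key_name, time_signed, fudge)
        expected = hmac.new(self.key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False                       # state is left untouched on failure
        self.first, self.prior = False, mac
        return True


def run_transfer(chain: bool, envelopes: int = 3) -> list:
    """Sign and verify an `envelopes`-message response; returns per-message verdicts."""
    key = hashlib.sha256(b"constructed demo key").digest()        # constructed, not a real key
    key_name = b"demo-key."                                        # constructed
    request_mac = hmac.new(key, b"constructed request bytes", hashlib.sha256).digest()
    server = ServerSequence(key, key_name, request_mac, chain=chain)
    client = ClientSequence(key, key_name, request_mac)
    verdicts = []
    for i in range(envelopes):
        message = b"AXFR envelope %d (constructed stand-in for a DNS message)" % i
        time_signed = 1700000000 + i
        mac = server.sign(message, time_signed)
        verdicts.append(client.verify(message, time_signed, 300, mac, now=time_signed))
    return verdicts


if __name__ == "__main__":
    print("chained:  ", run_transfer(chain=True))    # every envelope accepted
    print("unchained:", run_transfer(chain=False))   # only the first envelope accepted
```

The asymmetry is the point worth noticing when debugging an interop failure like the one in this PR: a non-chaining server still produces a valid first envelope, so a test that only checks the first signed message (or a tool that does not verify sequences at all) passes, and the rejection only shows up on the second envelope of a transfer large enough to need one.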