Open toppk opened 4 years ago
We could make apiZoneIdToName strict (by calling apiZoneNameToId and comparing in/out), but I'm not sure it's worth the performance hit. And I'm not sure tsigkey names should be treated like zone names in the first place.
IIRC the TSIG RFC states that key names should be valid DNS names.
Short description
The auth-ws tsigkeys APIs (e.g. /servers/localhost/tsigkeys/{id}) secretly switch between keyname and keyid, which can get very confusing. You can actually query with the keyid (with or without trailing ".") or the keyname (with or without trailing dot), except if you use a mixed encoded name, like "f%o=25o", where you will only be able to query by keyid.
The actual query is checking the name column (I'm using the mysql backend), and the API tries to decode the string.
Perhaps this can be solved with documentation about what a name can be for a tsigkey (a valid DNSName, and it will be autonormalized), and this should be mentioned as well.
However, I believe the correct fix is to have a strict version of apiZoneIdToName, which doesn't allow decoded strings to be input, as well as not allowing tsigkeys to be created if DNSName(name) != name.
Environment
pdns 4.2.0 on Fedora 31
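
The id/name ambiguity reported above and the round-trip check discussed in the thread, as an added C++ example (not PowerDNS code and not written by anyone in the thread). It assumes a simplified id scheme in which every byte outside `[A-Za-z0-9.-]` is written as `=XX`, and it ignores DNSName normalization such as the trailing dot; the function names are hypothetical.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Assumed model: only [A-Za-z0-9.-] are written literally in an id.
static bool isPlain(unsigned char c) {
  return (c < 0x80 && std::isalnum(c)) || c == '.' || c == '-';
}

// Name -> id: every other byte becomes "=XX" (uppercase hex).
std::string nameToId(const std::string& name) {
  std::string id;
  char buf[4];
  for (unsigned char c : name) {
    if (isPlain(c)) { id += static_cast<char>(c); continue; }
    std::snprintf(buf, sizeof buf, "=%02X", static_cast<unsigned>(c));
    id += buf;
  }
  return id;
}

// Lenient id -> name: unescapes "=XX" and passes any other byte through,
// so a raw name is accepted as if it were an id.
bool idToNameLenient(const std::string& id, std::string& name) {
  name.clear();
  for (std::size_t i = 0; i < id.size(); ++i) {
    if (id[i] != '=') { name += id[i]; continue; }
    if (i + 2 >= id.size() || !std::isxdigit((unsigned char)id[i + 1]) ||
        !std::isxdigit((unsigned char)id[i + 2])) return false;
    name += static_cast<char>(std::stoi(id.substr(i + 1, 2), nullptr, 16));
    i += 2;
  }
  return true;
}

// Strict id -> name: accept only the one canonical spelling of each name.
bool idToNameStrict(const std::string& id, std::string& name) {
  return idToNameLenient(id, name) && nameToId(name) == id;
}

int main() {
  // Constructed inputs: canonical id, raw name, the mixed name, its real id.
  const char* inputs[] = {"f=25o", "f%o", "f%o=25o", "f=25o=3D25o"};
  for (const char* in : inputs) {
    std::string a, b;
    bool l = idToNameLenient(in, a), s = idToNameStrict(in, b);
    std::printf("%-12s lenient=%s strict=%s\n", in, l ? a.c_str() : "-", s ? b.c_str() : "reject");
  }
}
```

Under the lenient decoder the key named "f%o=25o" cannot be fetched by its own name, because that string decodes to the different name "f%o%o"; the strict decoder rejects it and accepts only the id "f=25o=3D25o".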