[DNSOP] TSIG - BADKEY error handling appears to be underspecified.

Mark Andrews <marka@isc.org> Thu, 13 September 2018 22:55 UTC

From: Mark Andrews <marka@isc.org>
Message-Id: <A23114D1-75BE-4BA5-9C27-78B070BDBD3F@isc.org>
Date: Fri, 14 Sep 2018 08:55:19 +1000
To: dnsop WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Xv46hACeefv-UNW5DI914Fec0OU>
Subject: [DNSOP] TSIG - BADKEY error handling appears to be underspecified.

I was testing TSIG with a well-known key against TLD servers and got the following response.  Once you get past the bad class field (reported to the operator) there were a number of other items:

* the tsig name does not match the request.
* the algorithm doesn’t match the algorithm in the request.
* time signed is not set.
* the fudge value is zero.

Should these match the request / be set for BADKEY?

Mark

% dig alstom. @195.253.64.11 soa -y xxxx:AAAA
14-Sep-2018 08:41:34.347 the key 'xxxx' is too short to be secure
;; Warning: Message parser reports malformed message packet.
;; Couldn't verify signature: not implemented

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> alstom. @195.253.64.11 soa -y xxxx:AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTAUTH, id: 56054
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;alstom.				IN	SOA

;; TSIG PSEUDOSECTION:
.			0	IN	TSIG	\# 17 0000000000000000000000DAF600110000

;; Query time: 566 msec
;; SERVER: 195.253.64.11#53(195.253.64.11)
;; WHEN: Fri Sep 14 08:41:34 AEST 2018
;; MSG SIZE  rcvd: 63
;; WARNING -- Some TSIG could not be validated

% 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
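A small decoder for the TSIG pseudosection quoted in the message above, added here as an illustration; it is not part of Mark's post or of BIND. It parses dig's generic `\# <len> <hex>` RDATA form, splits the 17 bytes into the RFC 2845 TSIG fields (algorithm name, 48-bit time signed, fudge, MAC, original ID, error, other data) and flags the four points raised: owner name, algorithm, time signed and fudge. The request key name, the request ID and the algorithm are assumptions set as constants (the algorithm is taken to be hmac-md5.sig-alg.reg.int, dig's default when `-y name:secret` carries no algorithm prefix).

```python
"""Decode the TSIG RDATA from a dig ``\\# <len> <hex>`` line and compare it
with what the request used.  Example code, not from the original post."""

import struct

# Constructed from the TSIG pseudosection of the quoted response.
TSIG_LINE = ".\t\t\t0\tIN\tTSIG\t\\# 17 0000000000000000000000DAF600110000"

# Assumptions about the request: key name from ``-y xxxx:AAAA``, id from the
# response header, and dig's default TSIG algorithm for an unprefixed ``-y``.
REQUEST_KEY_NAME = "xxxx."
REQUEST_ALGORITHM = "hmac-md5.sig-alg.reg.int."
REQUEST_ID = 56054

# TSIG-specific RCODEs (RFC 2845 section 1.7).
TSIG_ERRORS = {0: "NOERROR", 16: "BADSIG", 17: "BADKEY", 18: "BADTIME"}


def parse_name(buf, off):
    """Decode an uncompressed wire-format name starting at ``off``.

    Returns (presentation name with trailing dot, offset after the name).
    TSIG RDATA may not use compression pointers, so any pointer is an error.
    """
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in TSIG RDATA")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def parse_tsig_line(line):
    """Split a dig TSIG pseudosection line into (owner name, raw RDATA)."""
    fields = line.split()
    owner = fields[0]
    marker = fields.index("\\#")
    rdlength = int(fields[marker + 1])
    rdata = bytes.fromhex("".join(fields[marker + 2:]))
    if len(rdata) != rdlength:
        raise ValueError(f"RDATA is {len(rdata)} bytes, declared {rdlength}")
    return owner, rdata


def parse_tsig_rdata(rdata):
    """Decode TSIG RDATA (RFC 2845 section 2.3) into a dict of fields."""
    algorithm, off = parse_name(rdata, 0)
    # Time Signed is 48 bits: a 16-bit high part followed by a 32-bit low part.
    time_hi, time_lo, fudge, mac_size = struct.unpack_from("!HIHH", rdata, off)
    off += 10
    mac = rdata[off:off + mac_size]
    off += mac_size
    original_id, error, other_len = struct.unpack_from("!HHH", rdata, off)
    off += 6
    other = rdata[off:off + other_len]
    return {
        "algorithm": algorithm,
        "time_signed": (time_hi << 32) | time_lo,
        "fudge": fudge,
        "mac": mac,
        "original_id": original_id,
        "error": error,
        "error_name": TSIG_ERRORS.get(error, str(error)),
        "other": other,
    }


def check_badkey_response(owner, tsig, key_name, algorithm, request_id):
    """Return the list of discrepancies between the response TSIG and the request."""
    problems = []
    if owner.lower() != key_name.lower():
        problems.append(f"owner name {owner!r} does not match request key {key_name!r}")
    if tsig["algorithm"].lower() != algorithm.lower():
        problems.append(f"algorithm {tsig['algorithm']!r} does not match {algorithm!r}")
    if tsig["time_signed"] == 0:
        problems.append("time signed is not set")
    if tsig["fudge"] == 0:
        problems.append("fudge is zero")
    if tsig["original_id"] != request_id:
        problems.append(f"original id {tsig['original_id']} != request id {request_id}")
    return problems


if __name__ == "__main__":
    owner, rdata = parse_tsig_line(TSIG_LINE)
    tsig = parse_tsig_rdata(rdata)
    for key, value in tsig.items():
        print(f"{key:12} {value!r}")
    for problem in check_badkey_response(owner, tsig, REQUEST_KEY_NAME,
                                         REQUEST_ALGORITHM, REQUEST_ID):
        print("PROBLEM:", problem)
```

Run as a script it prints the decoded fields (algorithm ".", time signed 0, fudge 0, empty MAC, original ID 56054, error 17 BADKEY) and the four discrepancies from the message; the original ID does match the query ID in the header, which is the one field the server did copy from the request.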