Re: [DNSOP] TSIG - BADKEY error handling appears to be underspecified.

Klaus Malorny <Klaus.Malorny@knipp.de> Fri, 14 September 2018 09:12 UTC

Return-Path: <Klaus.Malorny@knipp.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C72CC12F295 for <dnsop@ietfa.amsl.com>; Fri, 14 Sep 2018 02:12:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qvZlHgVlYy7u for <dnsop@ietfa.amsl.com>; Fri, 14 Sep 2018 02:12:40 -0700 (PDT)
Received: from kmx5b.knipp.de (s671.bbone.dtm.knipp.de [195.253.6.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8921F1277CC for <dnsop@ietf.org>; Fri, 14 Sep 2018 02:12:40 -0700 (PDT)
Received: from hp9000.do.knipp.de (hp9000.do.knipp.de [195.253.2.54]) by kmx5b.knipp.de (Postfix) with ESMTP id 75FF03000F5; Fri, 14 Sep 2018 09:12:35 +0000 (UTC)
Received: from [195.253.2.27] (mclane.do.knipp.de [195.253.2.27]) by hp9000.do.knipp.de (Postfix) with ESMTP id 680EB70486; Fri, 14 Sep 2018 11:12:35 +0200 (MESZ)
To: Mark Andrews <marka@isc.org>, dnsop WG <dnsop@ietf.org>
References: <A23114D1-75BE-4BA5-9C27-78B070BDBD3F@isc.org>
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Message-ID: <d3a331ac-b324-c53d-dac9-3f9cb1a8c139@knipp.de>
Date: Fri, 14 Sep 2018 11:12:26 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Thunderbird/64.0a1
MIME-Version: 1.0
In-Reply-To: <A23114D1-75BE-4BA5-9C27-78B070BDBD3F@isc.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Spamd-Bar: /
Authentication-Results: kmx5b.knipp.de
X-Rspamd-Server: s671
X-Rspamd-Queue-Id: 75FF03000F5
X-Spamd-Result: default: False [0.00 / 15.00]; IP_WHITELIST(0.00)[195.253.2.54]; NEURAL_HAM(-0.00)[-0.037,0]; ASN(0.00)[asn:8391, ipnet:195.253.0.0/16, country:DE]
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uI37q9PpGzWEXHqGij5fCe9LPKo>
Subject: Re: [DNSOP] TSIG - BADKEY error handling appears to be underspecified.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Sep 2018 09:12:43 -0000

On 14.09.18 00:55, Mark Andrews wrote:
> I was testing TSIG with a well known key against TLD servers and got the following response.  Once you get past the bad class field (reported to the operator) there were a
> number of other items:
> 
> * the tsig name does not match the request.
> * the algorithm doesn’t match the algorithm in the request.
> * time signed is not set.
> * the fudge value is zero.
> 
> Should these match the request / be set for BADKEY?
> 
> Mark


Hi Mark,

thanks for bringing this to our attention. I have fixed the DNS class, the key 
and algorithm name. For the latter two, it makes some sense to return the values 
from the request. Regarding the time and fudge, I have currently left it to 
zero, as IMHO they have no meaning without having a signature. But I am open to 
conviction...

By the way, the parsing error of DiG seemed to be solely caused by the wrong 
class; after changing it to ANY, the RDATA was parsed and displayed correctly.

Regards,

Klaus