What's in a name? (Big BIND 8 TSIG bug)

Cricket Liu cricket at menandmice.com
Wed Oct 2 01:16:58 UTC 2002

Hi, everybody.

Doug Barton recently tracked down a bug in the BIND 8
TSIG code that's likely to affect enough people to warrant
general mention in this newsgroup.

The upshot is this:  Don't use names for your TSIG keys
that are at all similar to the domain names of your zones.
In other words, if you have a zone called foo.example,
don't name your TSIG keys tsig.foo.example, or
tsig-key.example, or anything like that.  If you do, you'll
see TSIG verification failures.

The problem, for those of you who are interested, seems
to be a conflict between the TSIG verification routines
and the name compression routines.  Apparently, the name
compression routines compress the owner name of the
TSIG record, preventing the TSIG verification routines
from identifying the TSIG key.

Of course, "DNS and BIND" clearly states that TSIG keys
often look like domain names, implicitly suggesting that that's
a good naming scheme.  Sigh.


Men & Mice
DNS Software, Training and Consulting

The DNS and BIND Cookbook, coming October 2002!
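As an added illustration, not part of Cricket's post or of BIND's own code, the Python script below does two things. First, it scans a named.conf-style text for TSIG key names that share a trailing run of labels with any configured zone name, which is exactly the naming pattern the post warns against (tsig.foo.example under foo.example, or tsig-key.example sharing the "example" label). Second, it encodes names in RFC 1035 wire format with standard suffix compression, so you can see that an owner name whose suffix already appeared earlier in the message is written as a pointer rather than as full labels. The sample configuration and the message names are constructed for the example; the encoder is a plain RFC 1035 model, not a reproduction of BIND 8's internals.

```python
"""Check TSIG key names against zone names, and show RFC 1035 name compression."""
import re

# Matches `zone "name" {` and `key name {` / `key "name" {` statements (BIND 8
# allows unquoted key names).  `keys { ... }` lists inside server blocks are not
# matched because they lack the opening brace directly after the name.
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"', re.IGNORECASE)
KEY_RE = re.compile(r'\bkey\s+"?([^\s"{;]+)"?\s*\{', re.IGNORECASE)

# Constructed sample configuration (not from any real server).
SAMPLE_NAMED_CONF = """
key tsig.foo.example { algorithm hmac-md5; secret "placeholder=="; };
key "tsig-key.example" { algorithm hmac-md5; secret "placeholder=="; };
key ns1-xfer { algorithm hmac-md5; secret "placeholder=="; };
zone "." { type hint; file "root.cache"; };
zone "foo.example" { type master; file "foo.example.db";
    allow-update { key tsig.foo.example; }; };
"""


def labels(name):
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return [l.lower() for l in name.strip().rstrip(".").split(".") if l]


def shared_suffix(a, b):
    """Return the labels that both names end with (longest common label suffix)."""
    la, lb = labels(a), labels(b)
    n = 0
    while n < len(la) and n < len(lb) and la[-1 - n] == lb[-1 - n]:
        n += 1
    return la[len(la) - n:] if n else []


def find_risky_keys(named_conf):
    """Map each TSIG key name to the zones whose names it overlaps with.

    A key is reported when any trailing labels of the key name also end a
    configured zone name.  Keys with no overlap are absent from the result.
    """
    zones = ZONE_RE.findall(named_conf)
    risky = {}
    for key in KEY_RE.findall(named_conf):
        for zone in zones:
            suffix = shared_suffix(key, zone)
            if suffix:
                risky.setdefault(key, []).append((zone, ".".join(suffix)))
    return risky


def encode_name(name, message, offsets):
    """Append `name` to `message` (a bytearray) in RFC 1035 wire format.

    `offsets` maps a tuple of labels (a suffix) to the message offset where it
    was first written; when a suffix is found there a 2-byte compression
    pointer (top two bits set) is emitted instead of the remaining labels.
    Returns True if a pointer was used, False if the name was written in full.
    """
    lab = labels(name)
    for i in range(len(lab)):
        suffix = tuple(lab[i:])
        if suffix in offsets:
            message += (0xC000 | offsets[suffix]).to_bytes(2, "big")
            return True
        if len(message) < 0x4000:          # pointers only address 14 bits
            offsets[suffix] = len(message)
        raw = lab[i].encode("ascii")
        message += bytes([len(raw)]) + raw
    message.append(0)                      # root label terminates the name
    return False


def owner_name_compressed(earlier_names, tsig_owner):
    """Build a message holding `earlier_names`, then report whether the TSIG
    owner name appended afterwards gets compressed against them."""
    message, offsets = bytearray(), {}
    for n in earlier_names:
        encode_name(n, message, offsets)
    return encode_name(tsig_owner, message, offsets)


if __name__ == "__main__":
    for key, hits in find_risky_keys(SAMPLE_NAMED_CONF).items():
        for zone, suffix in hits:
            print(f"key {key!r} overlaps zone {zone!r} on suffix {suffix!r}")
    print("tsig.foo.example compressed after www.foo.example:",
          owner_name_compressed(["www.foo.example"], "tsig.foo.example"))
    print("ns1-xfer compressed after www.foo.example:",
          owner_name_compressed(["www.foo.example"], "ns1-xfer"))
```

Running it reports both tsig.foo.example and tsig-key.example as overlapping foo.example, while ns1-xfer is not reported, and the compression check shows that the first of those owner names is emitted as a pointer once a name under foo.example is already in the message. An unrelated key name is always written in full, which is the property the post's advice relies on.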
