Interoperability issues using TSIG with HMAC-SHA224
Jefferson Ogata
bind-users1 at antibozo.net
Sat Jan 9 07:15:47 UTC 2010
Greetings.
Has anyone else tried to communicate with TSIG using HMAC-SHA224 between
BIND and other DNS implementations?
I'm using Perl's Net::DNS and BIND 9.6.1p2 and I'm able to sign messages
with TSIG using HMAC-MD5, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, and
HMAC-SHA512 successfully. But HMAC-SHA224 generates a BADSIG response
from BIND. In addition, a NOTIFY generated by BIND with an HMAC-SHA224
TSIG doesn't validate in my implementation, though all other digests work.
I've tested the HMAC-SHA224 implementation in lib/isc/hmacsha.c using
all the test vectors in RFC 4231, and done the same with the Perl
implementation (in Digest::SHA), and all test vectors produce correct
digests.
So if there's a problem I'm thinking it might be in the linkage between
BIND and the digest implementation. It could also be that if there is a
bug there, BIND instances would have no trouble talking to one another
because they're doing the same thing wrong. I've perused the code a bit
and I don't see anything obviously wrong. But I'm curious if anyone else
has ever tried to use that particular digest to sign TSIGs between BIND
and some other DNS implementation.
I'm using Net::DNS-0.66 (which I'm extending to handle the SHA
algorithms from RFC 4635), and Digest-SHA-5.47. The BIND I'm using
(9.6.1p2) is what is current in Fedora 12 (9.6.1-13.P2).
--
Jefferson Ogata : Internetworker, Antibozo
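An independent reference for the kind of cross-check described in the post, added here as an example and not code from the post, from BIND or from Net::DNS. It first confirms the local HMAC-SHA224 primitive against RFC 4231 test case 1, then computes the TSIG MAC the way RFC 2845 section 3.4 defines it (the DNS message without the TSIG RR, followed by the TSIG variables: key name, class ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other data) and applies the RFC 4635 truncation rule on verification. The shared secret, key name, zone, message ID and timestamp are constructed for the example; the NOTIFY is a minimal header plus one SOA question. `candidate_macs` computes the MAC every registered algorithm would produce over the same input, which is a quick way to tell whether a BADSIG from a peer is a hash or digest-length mix-up rather than a bad key or bad variables.

```python
import hashlib
import hmac
import struct

# TSIG algorithm names (RFC 2845 / RFC 4635) -> (hash constructor, full digest length in bytes)
TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int.": (hashlib.md5, 16),
    "hmac-sha1.": (hashlib.sha1, 20),
    "hmac-sha224.": (hashlib.sha224, 28),
    "hmac-sha256.": (hashlib.sha256, 32),
    "hmac-sha384.": (hashlib.sha384, 48),
    "hmac-sha512.": (hashlib.sha512, 64),
}

# RFC 4231 test case 1: key = 0x0b repeated 20 times, data = "Hi There".
RFC4231_TC1_KEY = b"\x0b" * 20
RFC4231_TC1_DATA = b"Hi There"
RFC4231_TC1_HMAC_SHA224 = "896fb1128abbdf196832107cd49df33f47b4b1169912ba4f53684b22"


def hmac_primitive_ok():
    """True if the local HMAC-SHA224 reproduces RFC 4231 test case 1."""
    mac = hmac.new(RFC4231_TC1_KEY, RFC4231_TC1_DATA, hashlib.sha224).hexdigest()
    return mac == RFC4231_TC1_HMAC_SHA224


def encode_name(name):
    """Uncompressed wire-format name, lowercased (RFC 2845 canonical form for TSIG variables)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """RFC 2845 section 3.4.2: NAME, CLASS=ANY(255), TTL=0, algorithm, 48-bit time, fudge, error, other."""
    return (encode_name(keyname) + struct.pack("!HI", 255, 0)
            + encode_name(alg) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(key, keyname, alg, message, time_signed, fudge):
    """HMAC over (message without its TSIG RR) || TSIG variables, as for a request or a NOTIFY."""
    digestmod, _ = TSIG_ALGORITHMS[alg]
    data = message + tsig_variables(keyname, alg, time_signed, fudge)
    return hmac.new(key, data, digestmod).digest()


def verify_tsig(key, keyname, alg, message, time_signed, fudge, mac):
    """Return the TSIG error a verifier would report: NOERROR, BADTRUNC or BADSIG."""
    _, digest_len = TSIG_ALGORITHMS[alg]
    # RFC 4635 section 3.1: a MAC may be truncated, but never below 10 bytes or half the
    # digest length, and never beyond the full digest length.
    if len(mac) > digest_len or len(mac) < max(10, digest_len // 2):
        return "BADTRUNC"
    expected = tsig_mac(key, keyname, alg, message, time_signed, fudge)
    if not hmac.compare_digest(expected[:len(mac)], mac):
        return "BADSIG"
    return "NOERROR"


def candidate_macs(key, keyname, message, time_signed, fudge):
    """Interop aid: the MAC each algorithm would yield over the same message and variables."""
    return {alg: tsig_mac(key, keyname, alg, message, time_signed, fudge).hex()
            for alg in TSIG_ALGORITHMS}


def build_notify(msg_id, zone):
    """Constructed minimal NOTIFY (opcode 4, AA set): header plus one SOA/IN question, no TSIG RR."""
    flags = (4 << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)


# Constructed inputs for the example (not taken from the post).
EXAMPLE_KEY = b"example-shared-secret"
EXAMPLE_KEYNAME = "xfer-key.example."
EXAMPLE_MSG = build_notify(0x1234, "example.com.")
EXAMPLE_TIME = 1262999999
EXAMPLE_FUDGE = 300

if __name__ == "__main__":
    print("HMAC-SHA224 primitive matches RFC 4231:", hmac_primitive_ok())
    mac = tsig_mac(EXAMPLE_KEY, EXAMPLE_KEYNAME, "hmac-sha224.",
                   EXAMPLE_MSG, EXAMPLE_TIME, EXAMPLE_FUDGE)
    print("hmac-sha224 MAC:", mac.hex())
    print("verify:", verify_tsig(EXAMPLE_KEY, EXAMPLE_KEYNAME, "hmac-sha224.",
                                 EXAMPLE_MSG, EXAMPLE_TIME, EXAMPLE_FUDGE, mac))
    for alg, hexmac in candidate_macs(EXAMPLE_KEY, EXAMPLE_KEYNAME, EXAMPLE_MSG,
                                      EXAMPLE_TIME, EXAMPLE_FUDGE).items():
        print(f"{alg:28} {hexmac}")
```

To use this against a live peer, capture the unsigned portion of the message and the TSIG RDATA fields the peer put on the wire, feed them to `tsig_mac` with the same key, and compare with the peer's MAC; if the peer's value instead matches one of the other entries from `candidate_macs`, the two sides disagree on the hash or digest length rather than on the key or the variables. Note that signing a response also prefixes the request MAC (length-prefixed) to the data, which this request-side example leaves out.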