8.2.1 experiences please?

Brian Wellington bwelling at tislabs.com
Wed Jun 23 14:32:03 UTC 1999


On Tue, 22 Jun 1999, Dennis Glatting wrote:

> I am having problems with TSIG under Solaris 2.6 SPARC. Part of
> the problem, at least, seems to be EGCS 1.1.2 and compiling with
> the -Os option. I am still investigating.

No idea about this.  I don't even see a -Os option.

> There are a few problems with the documentation. For example,
> it isn't clear how to generate TSIG HMAC-MD5 keys (I used
> dnskeygen but it isn't obvious what parameters one should use).
> The named.conf example in bin/named shows ASCII text for the
> secret but base64 encoded data is required. The comment in that
> file says TSIG is supported by the parser but not yet
> implemented in the server. Is that true?

The comment is wrong.  I remember sending a patch to the documentation a
while ago, but it might have been lost somewhere.  The secret should be
base64 encoded, and TSIGs are implemented by the server.

To generate a key with dnskeygen, you need to generate a host key (-h)
with the HMAC-MD5 algorithm and some key size (-H <size>), and a name (-n
name).  Then just copy the base64 encoded data into the named.conf file.

dnskeygen -h -H 512 -n keyname.domain.

> There really needs to be some form of detailed debugging for
> TSIG, such as ns_debug() statements in ns_verify.c and
> find_key() that print out key searches and the key and
> algorithm in packets. For debugging I am using syslog() but
> that can't stay.

This is harder than it sounds.  All of the TSIG processing (ns_sign and
ns_verify) is in the nameser library, not the server.  Since it can be
called from outside the server, there's no way to know if logging has been
set up.  If anyone knows a way around this, let me know and I'll add more
debugging.

Brian
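
An added example, not part of the original message and not BIND code: a check that every `secret` in a named.conf `key` clause is base64 and decodes to a usable key, which catches the ASCII-text mistake discussed above. The function names, the sample key names and secrets, and the 128-bit minimum are assumptions made for this illustration.

```python
import base64
import binascii
import re

# Constructed sample, not from the BIND distribution. The third secret is
# bytes 0..63 base64-encoded, standing in for a 512-bit dnskeygen key.
SAMPLE_CONF = '''
key "ascii.example." { algorithm hmac-md5; secret "my shared secret"; };
key "short.example." { algorithm hmac-md5; secret "password"; };
key "keyname.domain." {
    algorithm hmac-md5;
    secret "%s";
};
''' % base64.b64encode(bytes(range(64))).decode()

KEY_RE = re.compile(r'\bkey\s+"?([^\s"{]+)"?\s*\{(.*?)\}\s*;', re.S)
ALGO_RE = re.compile(r'\balgorithm\s+"?([\w-]+)"?\s*;')
SECRET_RE = re.compile(r'\bsecret\s+"([^"]*)"\s*;')

def check_secret(secret, min_bits=128):
    """Return (ok, detail). min_bits is an assumed floor: the HMAC-MD5 output size."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, "not base64: %s" % exc
    bits = len(raw) * 8
    if bits < min_bits:
        # ASCII text that happens to be valid base64 decodes to a weak key.
        return False, "decodes to only %d bits" % bits
    return True, "%d-bit secret" % bits

def audit(conf_text):
    """Return [(key name, algorithm, ok, detail)] for every key clause found."""
    results = []
    for name, body in KEY_RE.findall(conf_text):
        algo = ALGO_RE.search(body)
        secret = SECRET_RE.search(body)
        if secret:
            ok, detail = check_secret(secret.group(1))
        else:
            ok, detail = False, "no secret statement"
        results.append((name, algo.group(1) if algo else None, ok, detail))
    return results

if __name__ == "__main__":
    for name, algo, ok, detail in audit(SAMPLE_CONF):
        print("%-18s %-10s %-4s %s" % (name, algo, "ok" if ok else "BAD", detail))
```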


