8.2.1 experiences please?
Dennis Glatting
dennis.glatting at software-munitions.com
Wed Jun 23 15:53:07 UTC 1999
Hi Brian!
On Wed, 23 Jun 1999, Brian Wellington wrote:
> On Tue, 22 Jun 1999, Dennis Glatting wrote:
>
> > I am having problems with TSIG under Solaris 2.6 SPARC. Part of
> > the problem, at least, seems to be EGCS 1.1.2 and compiling with
> > the -Os option. I am still investigating.
>
> No idea about this. I don't even see a -Os option.
>
It is an option I picked up on the FreeBSD list. From ChangeLog in
egcs:
* toplev.c (main): Parse -Os option and set optimize_space
accordingly.
When I changed optimization to -O things worked better.
> > There are a few problems with the documentation. For example,
> > it isn't clear how to generate TSIG HMAC-MD5 keys (I used
> > dnskeygen but it isn't obvious what parameters one should use).
> > The named.conf example in bin/named shows ASCII text for the
> > secret but base64 encoded data is required. The comment in that
> > file says TSIG is supported by the parser but not yet
> > implemented in the server. Is that true?
>
> The comment is wrong. I remember sending a patch to the documentation a
> while ago, but it might have been lost somewhere. The secret should be
> base64 encoded, and TSIGs are implemented by the server.
>
> To generate a key with dnskeygen, you need to generate a host key (-h)
> with the HMAC-MD5 algorithm and some key size (-H <size>), and a name (-n
> name). Then just copy the base64 encoded data into the named.conf file.
>
> dnskeygen -h -H 512 -n keyname.domain.
>
I remember those patches but they didn't make it in. Not having them
is a problem for the non-read-the-source inclined.
> > There really needs to be some form of detailed debugging for
> > TSIG, such as ns_debug() statements in ns_verify.c and
> > find_key() that print out key searches and the key and
> > algorithm in packets. For debugging I am using syslog() but
> > that can't stay.
>
> This is harder than it sounds. All of the TSIG processing (ns_sign and
> ns_verify) is in the nameser library, not the server. Since it can be
> called from outside the server, there's no way to know if logging has been
> set up. If anyone knows a way around this, let me know and I'll add more
> debugging.
>
How about moving the log functions (i.e., ns_debug) into the library?
The defaults could be no logging and overridden by the application,
such as named parsing named.conf.
-dpg
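The key-generation and named.conf points in the thread above (a 512-bit HMAC-MD5 host key, a secret that must be base64 rather than ASCII text), as an added example that is not part of this thread or of BIND: it generates a secret of the size `dnskeygen -h -H 512` would produce, renders the `key` statement, checks that a pasted secret really is base64 of the expected length, and signs and verifies bytes with HMAC-MD5. The function names and the `key` statement layout are this example's own, and `tsig_mac` is keyed over caller-supplied bytes only; it does not assemble the TSIG digest fields of a DNS message.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed default: the 512-bit key size quoted in the thread (dnskeygen -h -H 512).
KEY_BITS = 512


def generate_tsig_secret(bits=KEY_BITS):
    """Return a fresh random secret, base64-encoded as named.conf expects."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def named_conf_key_stanza(name, secret):
    """Render a key statement; the secret must already be base64 text."""
    return (
        f'key "{name}" {{\n'
        f"    algorithm hmac-md5;\n"
        f'    secret "{secret}";\n'
        f"}};\n"
    )


def check_secret(secret, expected_bits=KEY_BITS):
    """Catch the documentation mistake the thread describes: a plain ASCII
    phrase pasted where base64 key material belongs. Returns (ok, reason)."""
    if len(secret) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", secret):
        return False, "secret is not valid base64"
    raw = base64.b64decode(secret, validate=True)
    if len(raw) * 8 != expected_bits:
        return False, f"decoded secret is {len(raw) * 8} bits, expected {expected_bits}"
    return True, "ok"


def tsig_mac(secret, data):
    """HMAC-MD5 over the given bytes, keyed with the decoded (not the base64) secret."""
    return hmac.new(base64.b64decode(secret), data, hashlib.md5).digest()


def tsig_verify(secret, data, mac):
    """Constant-time comparison so a verifier does not leak MAC bytes via timing."""
    return hmac.compare_digest(tsig_mac(secret, data), mac)


if __name__ == "__main__":
    s = generate_tsig_secret()
    print(named_conf_key_stanza("keyname.domain.", s))
    print(check_secret(s), check_secret("my secret text"))
```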