8.2.1 experiences please?
Brian Wellington
bwelling at tislabs.com
Wed Jun 23 18:04:37 UTC 1999
On Wed, 23 Jun 1999, Dennis Glatting wrote:
> Hi Brian!
Hi again...
> When I changed optimization to -O things worked better.
OK. Without looking at assembly code, this one will be hard to find.
Let's hope the egcs people find a bug :)
> > > There are a few problems with the documentation. For example,
> > > it isn't clear how to generate TSIG HMAC-MD5 keys (I used
> > > dnskeygen but it isn't obvious what parameters one should use).
> > > The named.conf example in bin/named shows ASCII text for the
> > > secret but base64 encoded data is required. The comment in that
> > > file says TSIG is supported by the parser but not yet
> > > implemented in the server. Is that true?
> >
> > The comment is wrong. I remember sending a patch to the documentation a
> > while ago, but it might have been lost somewhere. The secret should be
> > base64 encoded, and TSIGs are implemented by the server.
> >
> > To generate a key with dnskeygen, you need to generate a host key (-h)
> > with the HMAC-MD5 algorithm and some key size (-H <size>), and a name (-n
> > name). Then just copy the base64 encoded data into the named.conf file.
> >
> > dnskeygen -h -H 512 -n keyname.domain.
> >
>
> I remember those patches but they didn't make it in. Not having them
> is a problem for the non-read-the-source inclined.
I'll resend a patch later today.
> > > There really needs to be some form of detailed debugging for
> > > TSIG, such as ns_debug() statements in ns_verify.c and
> > > find_key() that print out key searches and the key and
> > > algorithm in packets. For debugging I am using syslog() but
> > > that can't stay.
> >
> > This is harder than it sounds. All of the TSIG processing (ns_sign and
> > ns_verify) is in the nameser library, not the server. Since it can be
> > called from outside the server, there's no way to know if logging has been
> > set up. If anyone knows a way around this, let me know and I'll add more
> > debugging.
> >
>
> How about moving the log functions (i.e., ns_debug) into the library?
> The defaults could be no logging and overridden by the application,
> such as named parsing named.conf.
This sounds like a good idea, but it's not my decision to make, and I'm
not exactly sure how to implement it. If it was done, I'd be glad to make
the TSIG code use it.
As for the problem you mentioned with AXFR and TSIG on large zones, I can
reproduce it, and I'm trying to fix it right now.
Brian
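The dnskeygen / named.conf pitfall discussed above (ASCII text pasted where a base64 secret is required), as an added Python example that is not code from this thread or from BIND: it generates a base64 HMAC-MD5 secret of a given bit size (mirroring the `-H <size>` argument), checks that a configured secret actually decodes, renders a `key {}` stanza, and computes and verifies an HMAC-MD5 MAC over constructed data. The function names and stanza layout are my own assumptions, and the MAC is plain HMAC-MD5 over the bytes given, not the full RFC 2845 TSIG wire format.

```python
import base64
import binascii
import hashlib
import hmac
import secrets


def generate_tsig_secret(bits=512):
    """Return a random HMAC-MD5 secret as base64 text.

    `bits` plays the role of dnskeygen's -H <size> from the thread."""
    if bits < 8 or bits % 8 != 0:
        raise ValueError("key size must be a positive multiple of 8 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def decode_tsig_secret(secret):
    """Decode a named.conf 'secret' value, raising ValueError if it is not base64.

    Caveat: a plain word made only of base64-alphabet characters whose length
    is a multiple of 4 still decodes (to unintended bytes), so this catches
    malformed values, not every mistaken ASCII secret."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret is not valid base64: %s" % exc)
    if not raw:
        raise ValueError("secret decodes to zero bytes")
    return raw


def is_valid_secret(secret):
    try:
        decode_tsig_secret(secret)
        return True
    except ValueError:
        return False


def key_stanza(name, secret):
    """Render a named.conf key block (assumed layout) for a base64 secret."""
    decode_tsig_secret(secret)  # refuse to emit a stanza the server cannot use
    return 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' % (name, secret)


def tsig_mac(raw_key, data):
    # HMAC-MD5 is the algorithm the thread configures; the digest is the MAC.
    return hmac.new(raw_key, data, hashlib.md5).digest()


def tsig_verify(raw_key, data, mac):
    # Constant-time comparison, as a verifier (ns_verify) should use.
    return hmac.compare_digest(tsig_mac(raw_key, data), mac)
```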