BIND 10 #813: TSIG: verifying messages

BIND 10 Development do-not-reply at isc.org
Wed May 4 18:26:58 UTC 2011


#813: TSIG: verifying messages
-------------------------------------+-------------------------------------
                   Reporter:         |                 Owner:  jinmei
  stephen                            |                Status:  reviewing
                       Type:         |             Milestone:
  enhancement                        |  Sprint-20110517
                   Priority:  major  |            Resolution:
                  Component:         |             Sensitive:  0
  Unclassified                       |           Sub-Project:  DNS
                   Keywords:         |  Estimated Difficulty:  4.0
            Defect Severity:  N/A    |           Total Hours:  0
Feature Depending on Ticket:  tsig   |
        Add Hours to Ticket:  0      |
                  Internal?:  0      |
-------------------------------------+-------------------------------------

Comment (by jinmei):

 Replying to [comment:8 vorner]:

 Thanks for the review.

 > I made a few typo and style fixes. Otherwise the code looks clear.

 The changes look good, thanks for catching them.  (And you taught me
 another cool feature of gtest :-)

 > But I have a question ‒ you accept TSIG only at the end of the message.
 But there was something with signing of the stream when there's a zone
 transfer. Just to make sure, the stream is split into multiple messages
 and the TSIGs are on some of the messages and they cover all the preceding
 messages, so TSIG will be at the end of the message here as well, right?
 (A quick google for "TSIG zone transfer" isn't very helpful this morning.)

 Yes.  To make sure we are on the same page, this is a specific example:

 - First DNS message in a TCP stream: it must have a TSIG, and it must be
   placed at the end of that message.
 - Second DNS message in the same stream (a continuation of the first
   one for the entire zone transfer).  It can skip including TSIG.
 - Third DNS message in the same stream.  It can skip including TSIG,
   too.
 - Fourth DNS message in the same stream.  This is the last one for the
   zone transfer.  It must have a TSIG (which also covers both the
   second and third messages), and it must be placed at the end of the
   message.

 > So, if this is how the transfer works, I think it is safe to be merged
 (provided the branch this is based on is reviewed already).

 Okay, so I think it's ready for merge.  Once #871 is merged, I'll
 merge this branch, too.

-- 
Ticket URL: <https://bind10.isc.org/ticket/813#comment:9>
BIND 10 Development <http://bind10.isc.org>
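The multi-message scheme jinmei describes above, worked through as an added example (not BIND 10 code and not code from anyone on this thread): a signer and a verifier that keep the running MAC chain of RFC 2845 section 4.4, so that a TSIG on the last message covers every unsigned message sent since the previous TSIG. The key name, algorithm name, shared secret, request MAC and zone message bodies are constructed for the example, and the message and TSIG encodings are simplified byte blobs rather than real DNS wire format; only the chaining rules (first message signed over request MAC plus full TSIG variables, later messages over prior MAC plus accumulated unsigned messages plus timers, first and last message must carry a TSIG, a TSIG at least every 100th message) are the protocol's.

```python
"""TSIG over a multi-message TCP stream (RFC 2845 sec. 4.4), simplified model.
Added example: not BIND 10 code. Names, secret and messages are constructed."""
import hashlib
import hmac
import struct

KEY_NAME = b"example-key."          # constructed
ALG_NAME = b"hmac-sha256."          # constructed
SECRET = b"constructed-shared-secret"
MAX_UNSIGNED_RUN = 99               # a TSIG must appear on at least every 100th message


class TsigError(Exception):
    """Raised with a short code: BADSIG, BADTIME or MISSING_TSIG."""


def _lp(data):
    """16-bit length-prefixed blob; this is how the prior MAC enters the digest."""
    return struct.pack(">H", len(data)) + data


def _timers(time_signed, fudge):
    """TSIG timers: 48-bit time signed followed by 16-bit fudge, network order."""
    return struct.pack(">HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)


def _variables(time_signed, fudge, error=0, other=b""):
    """Full TSIG variables (simplified encoding), digested only for the first message."""
    return (_lp(KEY_NAME) + _lp(ALG_NAME) + _timers(time_signed, fudge)
            + struct.pack(">H", error) + _lp(other))


def _mac(data):
    return hmac.new(SECRET, data, hashlib.sha256).digest()


class TsigChain:
    """State both sides keep: the running MAC and the unsigned messages since the last TSIG."""

    def __init__(self, request_mac):
        self.prior_mac = request_mac   # the chain starts from the MAC of the signed request
        self.pending = b""             # unsigned messages accumulated since the last TSIG
        self.first = True
        self.unsigned_run = 0

    def expected_mac(self, body, time_signed, fudge):
        if self.first:   # request MAC + DNS message + full TSIG variables
            data = _lp(self.prior_mac) + body + _variables(time_signed, fudge)
        else:            # prior MAC + unsigned messages + this message + timers only
            data = _lp(self.prior_mac) + self.pending + body + _timers(time_signed, fudge)
        return _mac(data)

    def advance_signed(self, mac):
        self.prior_mac, self.pending, self.first, self.unsigned_run = mac, b"", False, 0

    def advance_unsigned(self, body):
        self.pending += body
        self.unsigned_run += 1


class StreamSigner:
    def __init__(self, request_mac):
        self.chain = TsigChain(request_mac)

    def sign(self, body, time_signed, fudge=300, include_tsig=True):
        """Return the TSIG (time_signed, fudge, mac) to append as the last RR, or None."""
        if not include_tsig:
            if self.chain.first or self.chain.unsigned_run >= MAX_UNSIGNED_RUN:
                raise ValueError("this message must carry a TSIG")
            self.chain.advance_unsigned(body)
            return None
        mac = self.chain.expected_mac(body, time_signed, fudge)
        self.chain.advance_signed(mac)
        return (time_signed, fudge, mac)


class StreamVerifier:
    def __init__(self, request_mac, now):
        self.chain = TsigChain(request_mac)
        self.now = now
        self.last_signed = False

    def verify(self, body, tsig):
        """Check one message of the stream; tsig is (time_signed, fudge, mac) or None."""
        if tsig is None:
            if self.chain.first or self.chain.unsigned_run >= MAX_UNSIGNED_RUN:
                raise TsigError("MISSING_TSIG")
            self.chain.advance_unsigned(body)
            self.last_signed = False
            return
        time_signed, fudge, mac = tsig
        if abs(self.now - time_signed) > fudge:
            raise TsigError("BADTIME")
        if not hmac.compare_digest(self.chain.expected_mac(body, time_signed, fudge), mac):
            raise TsigError("BADSIG")      # covers every unsigned message since the last TSIG
        self.chain.advance_signed(mac)
        self.last_signed = True

    def finish(self):
        """Called at end of stream: the last message must have carried a TSIG."""
        if not self.last_signed:
            raise TsigError("MISSING_TSIG")
        return "OK"


# Constructed request MAC and four zone-transfer messages; TSIG goes on the 1st and 4th.
REQUEST_MAC = _mac(b"constructed AXFR request")
ZONE_MESSAGES = [b"msg1: SOA + first RRs", b"msg2: more RRs", b"msg3: more RRs", b"msg4: last RRs + SOA"]


def run_transfer(tamper_index=None, sign_last=True, clock_skew=0, now=1_000_000):
    """Sign and verify the stream; returns 'OK' or the TsigError code the verifier raised."""
    signer, verifier = StreamSigner(REQUEST_MAC), StreamVerifier(REQUEST_MAC, now + clock_skew)
    last = len(ZONE_MESSAGES) - 1
    try:
        for i, body in enumerate(ZONE_MESSAGES):
            tsig = signer.sign(body, now, include_tsig=(i == 0 or (i == last and sign_last)))
            if i == tamper_index:
                body += b"X"               # on-path modification of a message
            verifier.verify(body, tsig)
        return verifier.finish()
    except TsigError as e:
        return str(e)
```

Tampering with the unsigned third message is only detected when the fourth message's TSIG is verified, which is why a verifier must buffer the unsigned bodies (or their digest input) rather than passing them on as trusted; and a stream that ends on an unsigned message must be rejected in `finish()`, since nothing else proves the transfer was not truncated.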