[Kea-users] DDNS TSIG verification failed: BADSIG

bert hubert bert.hubert at powerdns.com
Thu Feb 11 20:58:40 UTC 2016


On Thu, Feb 11, 2016 at 05:55:09PM +0000, Randy McEoin wrote:
> I think this is a bug in PowerDNS brought to light by another bug in Kea.
> 
> When Kea constructs a DDNS query packet with a TSIG, it mistakenly sets the Original ID to 0 instead of the Transaction Id.  The TSIG MAC is calculated correctly, so PowerDNS considers the packet valid.
> 
> The breaking bug is on the PowerDNS side.  When PowerDNS constructs the DDNS response packet, it appears to use the unmodified real Transaction ID in the calculation of the HMAC.  It then proceeds to append a TSIG with the Original ID provided by the query of 0 which is not equal to the Transaction ID used in the calculation.  So Kea legitimately detects a BADKEY in the response.
> 
> For comparison, I looked at a packet capture of Kea DDNS'ing with BIND. 
> Of course Kea still uses 0 for the Original ID, but what's different is
> that BIND's response uses an Original ID == Transaction ID.  It does not
> use the Original ID of 0 that Kea specified in the query.

Hi Randy,

We've assigned https://github.com/PowerDNS/pdns/issues/3362 to your
bug. Thanks! Will keep you posted about the solution.

	Bert
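
The following is an added illustration, not code from Kea, PowerDNS or this thread. It models the RFC 8945 TSIG MAC computation in simplified form (header plus zone section, no real TSIG RR encoding, fixed key/time) to show why the Original ID matters: the MAC covers the message ID in the header, not the Original ID field, and a verifier that restores the header ID from the Original ID before recomputing the MAC will reject a message whose Original ID does not match the ID the signer actually hashed. Whether each side restores the ID is a parameter of the model, because the thread reports the observed outcomes, not the code; the key name, key bytes, zone and timestamp are constructed values.

```python
"""Toy model of TSIG (RFC 8945) signing and verification, written to show how a
mismatched Original ID field produces a MAC failure. Assumed/constructed values:
KEY, KEY_NAME, ZONE, TIME_SIGNED, TXID. Not Kea's or PowerDNS's code."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ALGORITHM = "hmac-sha256."
KEY_NAME = "kea-ddns-key."          # constructed key name
KEY = bytes(range(32))              # constructed demo key, never use a fixed key for real
ZONE = "example.org."               # constructed zone
TIME_SIGNED = 1455224320            # fixed so the MACs are reproducible
FUDGE = 300
TXID = 0x1234                       # the "real" transaction ID in the DNS header


def encode_name(name: str) -> bytes:
    """Uncompressed DNS wire-format name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(msg_id: int, zone: str, qr: bool = False) -> bytes:
    """Minimal UPDATE message (header + zone section, no TSIG RR). Prerequisite and
    update RRs are omitted; the ID handling does not depend on them."""
    flags = (0x8000 if qr else 0) | (5 << 11)   # QR bit for responses, opcode UPDATE
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN
    return header + zone_section


@dataclass
class Tsig:
    mac: bytes
    original_id: int
    time_signed: int = TIME_SIGNED
    fudge: int = FUDGE
    error: int = 0
    other: bytes = b""


def tsig_variables(t: Tsig) -> bytes:
    """The TSIG variables covered by the MAC (RFC 8945 section 4.3.3). Original ID
    is deliberately absent: the MAC covers the ID in the message header instead."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", 255, 0)   # CLASS ANY, TTL 0
            + encode_name(ALGORITHM)
            + t.time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", t.fudge, t.error, len(t.other)) + t.other)


def compute_mac(message: bytes, t: Tsig, request_mac: bytes = None) -> bytes:
    h = hmac.new(KEY, digestmod=hashlib.sha256)
    if request_mac is not None:       # a response MAC also covers the request's MAC
        h.update(struct.pack("!H", len(request_mac)) + request_mac)
    h.update(message)                 # header ID is hashed exactly as it is on the wire
    h.update(tsig_variables(t))
    return h.digest()


def sign(message: bytes, original_id: int, request_mac: bytes = None) -> Tsig:
    """Signer hashes the header as-is and writes original_id into the TSIG RR,
    so a signer can (wrongly) put an Original ID that differs from the header ID."""
    t = Tsig(mac=b"", original_id=original_id)
    t.mac = compute_mac(message, t, request_mac)
    return t


def verify(message: bytes, t: Tsig, request_mac: bytes = None,
           restore_original_id: bool = True) -> bool:
    """RFC 8945 allows a forwarder to rewrite the header ID, so a verifier restores
    the ID from the Original ID field before recomputing the MAC. Passing
    restore_original_id=False models a verifier that skips that step."""
    if restore_original_id:
        message = struct.pack("!H", t.original_id) + message[2:]
    return hmac.compare_digest(compute_mac(message, t, request_mac), t.mac)


def scenario(client_original_id: int, server_echoes_original_id: bool,
             server_restores: bool = False, client_restores: bool = True):
    """One signed UPDATE/response round trip. Returns (server_accepts, client_accepts).
    Defaults model the thread's observation: the server accepts the query without
    restoring the ID; the client restores the ID when checking the response."""
    query = build_message(TXID, ZONE)
    q_tsig = sign(query, client_original_id)
    server_accepts = verify(query, q_tsig, restore_original_id=server_restores)
    # Server signs over its real header ID, but may copy the query's Original ID.
    resp_oid = q_tsig.original_id if server_echoes_original_id else TXID
    response = build_message(TXID, ZONE, qr=True)
    r_tsig = sign(response, resp_oid, request_mac=q_tsig.mac)
    client_accepts = verify(response, r_tsig, request_mac=q_tsig.mac,
                            restore_original_id=client_restores)
    return server_accepts, client_accepts


if __name__ == "__main__":
    print("conformant (oid == txid both ways):", scenario(TXID, True))
    print("query oid=0, response echoes 0:    ", scenario(0, True))
    print("query oid=0, response uses txid:   ", scenario(0, False))
    print("strict server, query oid=0:        ", scenario(0, True, server_restores=True))
```

The second scenario reproduces the combination described in the thread: the query is accepted, but a response that hashes the real header ID while echoing Original ID 0 fails on a client that restores the header ID from the TSIG. The third shows the alternative where the responder sets Original ID equal to the ID it actually hashed, and the last shows that a server which itself restores the ID would have rejected the original query instead.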


