TSIG fails to verify when EDNS Expire is set #1292
Comments
dmavrommatis added a commit to dmavrommatis/dns that referenced this issue on Sep 6, 2021
…iekg#1292) As per [RFC7314](https://datatracker.ietf.org/doc/html/rfc7314#section-2) the Expire Option in queries should be zero-length. In the current implementation the field is uint32 which always instantiates 4 bytes for that field when packing to wire format. For that reason we change the field to []uint8 so it can support 0-length and 4-byte length option data.
dmavrommatis added a commit to dmavrommatis/dns that referenced this issue on Sep 13, 2021
…iekg#1292) As per [RFC7314](https://datatracker.ietf.org/doc/html/rfc7314#section-2) the Expire Option in queries should be zero-length. In the current implementation the field is uint32 which always instantiates 4 bytes for that field when packing to wire format. For that reason we change the field to []uint8 so it can support 0-length and 4-byte length option data.
dmavrommatis added a commit to dmavrommatis/dns that referenced this issue on Sep 13, 2021
…iekg#1292) As per [RFC7314](https://datatracker.ietf.org/doc/html/rfc7314#section-2) the Expire Option in queries should be zero-length. In the current implementation the field is uint32 which always instantiates 4 bytes for that field when packing to wire format. For that reason we change the field to []uint8 so it can support 0-length and 4-byte length option data.
aanm pushed a commit to cilium/dns that referenced this issue on Jul 29, 2022
…ekg#1292) (miekg#1293)
* Change EDNS_EXPIRE field to support zero length option data (Resolves miekg#1292) As per [RFC7314](https://datatracker.ietf.org/doc/html/rfc7314#section-2) the Expire Option in queries should be zero-length. In the current implementation the field is uint32 which always instantiates 4 bytes for that field when packing to wire format. For that reason we change the field to []uint8 so it can support 0-length and 4-byte length option data.
* addressed comments
* addressed comments
* make change backwards compatible
* add comment for Empty field
I have set up a Bind server as secondary to my DNS server that runs the miekg/dns library and I was seeing `bad signature` errors. After some `dig`ging and packet sniffing I found out that the reason the verification fails is because the Bind server is sending an additional option for EDNS Expire. I have set up a simple playground environment to mimic this behavior:

If you do a DNS query without the EDNS expiry option, the query is verified correctly:

but if you do a DNS query with the EDNS expiry option, it fails to verify the signature.

I tried with other EDNS options and the verification is working fine. Is this a bug or am I missing something regarding the Expiry option?
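The report above and the commit message both come down to one thing: a TSIG MAC is computed over the exact wire bytes, so any option that does not repack to the length it arrived with changes the bytes the verifier signs. The following added Go example (not code from miekg/dns or from the reporter) repacks constructed OPT RDATA two ways, once length-preserving and once with the 4-byte EXPIRE behaviour described in the commit message, and checks an HMAC-SHA256 over the original bytes; it assumes the verifier repacks the message before computing the MAC, and the option layout, sample RDATA and key are constructed for the demo. It also goes slightly beyond the report by rejecting truncated RDATA.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// EDNS0 option code for EXPIRE (RFC 7314); queries carry it with zero-length data.
const optExpire = 9

// SampleWire is constructed OPT RDATA: NSID (code 3) with "ab", then a zero-length EXPIRE.
var SampleWire = []byte{0, 3, 0, 2, 'a', 'b', 0, 9, 0, 0}

// repackOptions re-serialises OPT RDATA (CODE, LENGTH, DATA triples) as a library does after
// unpacking into structs; fixedExpire mimics the report: EXPIRE always packs as 4 bytes.
func repackOptions(rdata []byte, fixedExpire bool) (out []byte, ok bool) {
	for off := 0; off < len(rdata); {
		if len(rdata)-off < 4 {
			return nil, false // truncated option header
		}
		code := binary.BigEndian.Uint16(rdata[off:])
		n := int(binary.BigEndian.Uint16(rdata[off+2:]))
		off += 4
		if len(rdata)-off < n {
			return nil, false // LENGTH runs past the end of RDATA
		}
		data := rdata[off : off+n]
		off += n
		if fixedExpire && code == optExpire && n == 0 {
			data = make([]byte, 4) // a uint32 field cannot express "empty"
		}
		out = append(out, byte(code>>8), byte(code), byte(len(data)>>8), byte(len(data)))
		out = append(out, data...)
	}
	return out, true
}

// mac is the TSIG-style HMAC-SHA256 over whatever bytes the verifier ends up signing.
func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// VerifyAfterRepack models a verifier that repacks before checking the signer's MAC (assumed).
func VerifyAfterRepack(key, wire []byte, fixedExpire bool) bool {
	repacked, ok := repackOptions(wire, fixedExpire)
	return ok && hmac.Equal(mac(key, wire), mac(key, repacked))
}
```

With `fixedExpire` set the zero-length EXPIRE grows to 4 bytes on repack and the MAC no longer matches, which is the `bad signature` the reporter saw; an answer whose EXPIRE already carries 4 bytes verifies either way.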