TSIG verify failure at DNS backend side
Bug #1466300 reported by
Liang Rong
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Designate |
Fix Released
|
High
|
sonu |
Bug Description
Create a pool and configure the pool with a managed DNS backend (BIND9 in my case), and also create a TSIG key to identify the pool.
Next create zones in this pool. The zone transfer from MiniDNS to BIND9 fails because of TSIG verify failure at BIND9.
This issue is likely to be caused by the TSIG MAC generation in _handle_axfr function in mdns/handler.py. In this function, the request.request_mac should be replaced with request.mac. After I made this change, the TSIG verification is passed at BIND9 and zone transfer is completed successfully.
information type: | Private Security → Public |
Changed in designate: | |
importance: | Undecided → High |
status: | New → Triaged |
Changed in designate: | |
assignee: | nobody → sonu (sonu-bhumca11) |
Changed in designate: | |
milestone: | none → liberty-rc1 |
Changed in designate: | |
status: | Fix Committed → Fix Released |
Changed in designate: | |
milestone: | liberty-rc1 → 1.0.0 |
To post a comment you must log in.
Looking into this, I'm not sure it warrants Private Security as it sounds like it's not leaking info / privilege escalation etc - but let's leave it private for now until we know for sure.