[dns-operations] FYI: TSIG query support broken on CNAMEs when behind Cisco PAT
Ondřej Surý
ondrej.sury at nic.cz
Wed May 23 16:44:38 UTC 2007
Hello,
we were trying to set up a local caching nameserver on our notebooks and
came across some strange behaviour.
It works really nicely unless you encounter a CNAME. And you are behind Cisco
PAT. For some unknown reason Cisco IOS is setting the TTL for CNAME
records to 0 when NATing the packet.
This also means that any network using a private IPv4 range and using
Cisco for NAT has broken TSIG for queries. Unfortunately this includes
T-Mobile Czech GPRS and I guess it will affect many more networks in the
whole world.
Dig +tcp doesn't help.
This can be tested using dig with the -k option. tcpdump-captured packets
are attached.
ondrej at yuna:~$ dig -k Kpagan.rfc1925.org.+157+28985.key cesko.ihned.cz @pagan.rfc1925.org
;; Couldn't verify signature: tsig verify failure
; <<>> DiG 9.3.4 <<>> -k Kpagan.rfc1925.org.+157+28985.key cesko.ihned.cz @pagan.rfc1925.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62309
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;cesko.ihned.cz. IN A
;; ANSWER SECTION:
cesko.ihned.cz. 0 IN CNAME www.ihned.cz.
www.ihned.cz. 86256 IN A 81.95.101.9
;; AUTHORITY SECTION:
ihned.cz. 86256 IN NS ns.servery.cz.
ihned.cz. 86256 IN NS ns.servery.com.
;; ADDITIONAL SECTION:
ns.servery.cz. 3456 IN A 81.95.96.2
ns.servery.com. 172656 IN A 195.122.208.71
;; TSIG PSEUDOSECTION:
pagan.rfc1925.org. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1179909956 300 16 F2Bpb/MQAM1MEDWnJogyZw== 62309 NOERROR 0
;; Query time: 4 msec
;; SERVER: 87.236.198.133#53(87.236.198.133)
;; WHEN: Wed May 23 10:45:56 2007
;; MSG SIZE rcvd: 238
;; WARNING -- Some TSIG could not be validated
Ondrej.
--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23,120 00 Praha 2,Czech Republic
mailto:ondrej.sury at nic.cz http://nic.cz/
sip:ondrej.sury at nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.tcpdump
Type: application/octet-stream
Size: 481 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20070523/3dd974bb/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: client.tcpdump
Type: application/octet-stream
Size: 481 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20070523/3dd974bb/attachment-0001.obj>
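The following is an added worked example, not part of the original post and not code from dig, BIND or Cisco. It reproduces the failure mechanism the post reports: TSIG (RFC 2845) authenticates the whole DNS message, including every RR's TTL, so a middlebox that rewrites the CNAME TTL to 0 after the server has signed the response makes the client's HMAC check fail. The script builds a minimal query/response pair for the names in the dig output above, signs the response the way RFC 2845 section 3.4 describes (request MAC, then the message, then the TSIG variables), then flips the first answer's TTL to 0 the way the post says the NAT does and verifies again. The key name, algorithm, time-signed and fudge values are taken from the TSIG pseudosection above; the shared secret and the original CNAME TTL of 3600 are constructed assumptions (the post does not show the pre-NAT TTL), and names are written uncompressed for simplicity.

```python
import hashlib
import hmac
import struct

# Values visible in the dig output above (key name, algorithm, time signed, fudge).
KEY_NAME = "pagan.rfc1925.org."
ALGORITHM = "hmac-md5.sig-alg.reg.int."
TIME_SIGNED = 1179909956
FUDGE = 300
# Constructed placeholder secret; the real key is of course not on the page.
SECRET = b"placeholder-tsig-secret-not-the-real-key"

CLASS_IN, CLASS_ANY = 1, 255
TYPE_A, TYPE_CNAME = 1, 5


def encode_name(name: str) -> bytes:
    """Wire-format an absolute name in canonical (lowercase, uncompressed) form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at off (compression pointers end a name)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_query(msg_id: int) -> bytes:
    # Header: RD set, one question, no other sections (TSIG RR not counted in ARCOUNT here).
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name("cesko.ihned.cz.") + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(msg_id: int, cname_ttl: int) -> bytes:
    # Header: QR, RD, RA set; one question, two answers. cname_ttl is a constructed value.
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 2, 0, 0)
    question = encode_name("cesko.ihned.cz.") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = rr("cesko.ihned.cz.", TYPE_CNAME, cname_ttl, encode_name("www.ihned.cz."))
    answers += rr("www.ihned.cz.", TYPE_A, 86256, bytes([81, 95, 101, 9]))
    return header + question + answers


def ttl_offsets(msg: bytes):
    """Yield the byte offset of the TTL field of each RR after the question section."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        yield off + 4                          # TYPE(2) CLASS(2) then TTL(4)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen


def rewrite_first_ttl(msg: bytes, new_ttl: int) -> bytes:
    """Model the NAT: change only the first answer's TTL, leave everything else intact."""
    off = next(ttl_offsets(msg))
    return msg[:off] + struct.pack("!I", new_ttl) + msg[off + 4:]


def tsig_digest_input(msg: bytes, request_mac: bytes = b"") -> bytes:
    """RFC 2845 3.4: [len-prefixed request MAC] + message + TSIG variables."""
    tsig_vars = (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0)   # class ANY, TTL 0
                 + encode_name(ALGORITHM)
                 + struct.pack("!HIHHH", TIME_SIGNED >> 32, TIME_SIGNED & 0xFFFFFFFF,
                               FUDGE, 0, 0))                                # error, other len
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    return prefix + msg + tsig_vars


def tsig_sign(msg: bytes, request_mac: bytes = b"") -> bytes:
    return hmac.new(SECRET, tsig_digest_input(msg, request_mac), hashlib.md5).digest()


def tsig_verify(msg: bytes, mac: bytes, request_mac: bytes = b"") -> bool:
    return hmac.compare_digest(tsig_sign(msg, request_mac), mac)


def demo():
    """Return (verifies_untouched, verifies_after_nat_ttl_rewrite)."""
    query = build_query(62309)
    query_mac = tsig_sign(query)                       # client signs the query
    response = build_response(62309, 3600)             # server answers with CNAME TTL 3600
    response_mac = tsig_sign(response, query_mac)      # server signs, chaining the query MAC
    natted = rewrite_first_ttl(response, 0)            # PAT zeroes the CNAME TTL in transit
    return tsig_verify(response, response_mac, query_mac), tsig_verify(natted, response_mac, query_mac)


if __name__ == "__main__":
    print(demo())   # (True, False): untouched response verifies, TTL-rewritten one does not
```

The only bytes that differ between the two responses are the four TTL bytes of the CNAME record, which is exactly what the dig output above shows ("cesko.ihned.cz. 0 IN CNAME") alongside "tsig verify failure". Without TSIG the same rewrite would pass unnoticed; with it, the client correctly rejects a response that was modified after signing, even though the modifying party is the operator's own NAT rather than an attacker.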