[dns-operations] FYI: TSIG query support broken on CNAMEs when behind Cisco PAT

Mark Andrews Mark_Andrews at isc.org
Wed May 23 23:35:18 UTC 2007


> Hello,
> 
> we were trying to set up a local caching nameserver on our notebooks and
> came across strange behaviour.
> 
> It works really nicely unless you encounter a CNAME.  And you are behind Cisco
> PAT.  For some unknown reason Cisco IOS sets the TTL for CNAME
> records to 0 when NATing the packet.
> 
> This also means that any network using a private IPv4 range and using
> Cisco for NAT has broken TSIG for queries.  Unfortunately this includes
> T-Mobile Czech GPRS and I guess it will affect many more networks around the
> whole world.

	Well this might just get the firewall/nat people to stop stuffing
	with the contents of DNS packets.  TSIG was designed to work
	with a proxy.  The proxy can set and restore the DNS query id.
	Otherwise it can't touch the DNS message contents.
 
	I presume you have reported this to CISCO.

	Mark

> Dig +tcp doesn't help.
> 
> This can be tested using dig with -k option.  tcpdump captured packets
> are attached.
> 
> ondrej at yuna:~$ dig -k Kpagan.rfc1925.org.+157+28985.key cesko.ihned.cz @pagan
> .rfc1925.org
> ;; Couldn't verify signature: tsig verify failure
> 
> ; <<>> DiG 9.3.4 <<>> -k Kpagan.rfc1925.org.+157+28985.key cesko.ihned.cz @pa
> gan.rfc1925.org
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62309
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
> 
> ;; QUESTION SECTION:
> ;cesko.ihned.cz.                        IN      A
> 
> ;; ANSWER SECTION:
> cesko.ihned.cz.         0       IN      CNAME   www.ihned.cz.
> www.ihned.cz.           86256   IN      A       81.95.101.9
> 
> ;; AUTHORITY SECTION:
> ihned.cz.               86256   IN      NS      ns.servery.cz.
> ihned.cz.               86256   IN      NS      ns.servery.com.
> 
> ;; ADDITIONAL SECTION:
> ns.servery.cz.          3456    IN      A       81.95.96.2
> ns.servery.com.         172656  IN      A       195.122.208.71
> 
> ;; TSIG PSEUDOSECTION:
> pagan.rfc1925.org.      0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 117
> 9909956 300 16 F2Bpb/MQAM1MEDWnJogyZw== 62309 NOERROR 0 
> 
> ;; Query time: 4 msec
> ;; SERVER: 87.236.198.133#53(87.236.198.133)
> ;; WHEN: Wed May 23 10:45:56 2007
> ;; MSG SIZE  rcvd: 238
> ;; WARNING -- Some TSIG could not be validated
> 
> 
> Ondrej.
> -- 
>  Ondřej Surý
>  Technical Director/Chief Technical Officer
>  -----------------------------------------
>  CZ.NIC, z.s.p.o.  --  .cz domain registry
>  Americká 23,120 00 Praha 2,Czech Republic
>  mailto:ondrej.sury at nic.cz  http://nic.cz/
>  sip:ondrej.sury at nic.cz tel:+420.222745110
>  mob:+420.739013699     fax:+420.222745112
>  -----------------------------------------
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
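To make Mark's point concrete, here is an added illustration (not code from the post or from ISC) of why a proxy may rewrite the query ID but nothing else. TSIG (RFC 2845) computes the MAC over the message with its header ID replaced by the Original ID carried in the TSIG RDATA, so an ID rewrite still verifies, while zeroing a CNAME TTL changes signed bytes and fails. The key, the response layout and the new ID are constructed; the time-signed value and names come from the dig output above, and the request MAC that a real response MAC also covers is left out.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-shared-secret"  # constructed; the real key from the post is not known
KEY_NAME = "pagan.rfc1925.org."
ALGORITHM = "hmac-md5.sig-alg.reg.int."

def wire_name(name):
    """Encode a dotted DNS name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(msg_id, cname_ttl):
    """Constructed minimal response: one question, one CNAME answer, no TSIG RR."""
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, 0)
    question = wire_name("cesko.ihned.cz.") + struct.pack("!HH", 1, 1)  # type A, class IN
    target = wire_name("www.ihned.cz.")
    answer = (wire_name("cesko.ihned.cz.")
              + struct.pack("!HHIH", 5, 1, cname_ttl, len(target)) + target)  # CNAME, IN
    return header + question + answer

def tsig_variables(time_signed, fudge=300):
    """TSIG RDATA fields covered by the MAC (RFC 2845 3.4.2); Original ID is not."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0)  # class ANY, TTL 0
            + wire_name(ALGORITHM)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", 0, 0))  # error NOERROR, other len 0

def compute_mac(message, original_id, time_signed):
    """MAC over the message with its header ID restored to Original ID, then the variables."""
    restored = struct.pack("!H", original_id) + message[2:]
    return hmac.new(KEY, restored + tsig_variables(time_signed), hashlib.md5).digest()

def verify(message, mac, original_id, time_signed):
    return hmac.compare_digest(compute_mac(message, original_id, time_signed), mac)

def demo():
    """Return (verifies after proxy ID rewrite, verifies after NAT zeroed the CNAME TTL)."""
    time_signed = 1179909956  # value shown in the post's TSIG pseudosection
    signed = build_response(62309, 3600)
    mac = compute_mac(signed, 62309, time_signed)
    # A proxy rewrites the header ID; Original ID still says 62309, so the verifier restores it.
    id_rewritten = struct.pack("!H", 12345) + signed[2:]
    # The NAT zeroes the CNAME TTL: a signed byte changed, hence "tsig verify failure".
    ttl_zeroed = build_response(62309, 0)
    return verify(id_rewritten, mac, 62309, time_signed), verify(ttl_zeroed, mac, 62309, time_signed)
```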