From: Brian W. <bwe...@xb...> - 2011-05-25 18:14:53
On May 25, 2011, at 3:52 AM, Luis Silva wrote:

> I'm receiving in my DNS java server application a DNS query with a TSIG record. Is it possible to extract the TSIG key from this record and verify the client based on the TSIG?

It is possible to extract the TSIG record from the message, using Message.getTSIG(). Mapping this to a key (comparing the name and algorithm) and verifying the signature can be done in your application. There's code in jnamed which does this, and can be used for reference.

    TSIGRecord queryTSIG = query.getTSIG();
    TSIG tsig = null;
    if (queryTSIG != null) {
        tsig = (TSIG) TSIGs.get(queryTSIG.getName());
        if (tsig == null ||
            tsig.verify(query, in, length, null) != Rcode.NOERROR)
            return formerrMessage(in);
    }

Brian
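The lookup-and-verify flow described in the reply above, as an added example that is not part of the original message and is not code from jnamed or dnsjava. It assumes dnsjava is on the classpath; the class name, `KEYS`, `authenticate`, `signedQuery`, the key names, the secret, and the choice to answer unsigned queries with REFUSED are all hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import org.xbill.DNS.DClass;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.Rcode;
import org.xbill.DNS.Record;
import org.xbill.DNS.TSIG;
import org.xbill.DNS.TSIGRecord;
import org.xbill.DNS.Type;

// Added example: server-side TSIG check against a keyring, run over constructed queries.
public class TsigVerifyDemo {
    // Hypothetical keyring: key name -> TSIG object (holds algorithm and shared secret).
    static final Map<Name, TSIG> KEYS = new HashMap<>();

    // Returns Rcode.NOERROR only when the query is signed with a key we hold.
    static int authenticate(byte[] wire) throws Exception {
        Message query = new Message(wire);
        TSIGRecord rec = query.getTSIG();
        if (rec == null) return Rcode.REFUSED;   // policy assumption: unsigned is rejected
        TSIG key = KEYS.get(rec.getName());      // the client never sends the secret, only the key name
        if (key == null) return Rcode.BADKEY;
        // verify() compares key name and algorithm, then checks the time window and the MAC
        return key.verify(query, wire, wire.length, null);
    }

    // Builds a signed query the way a client would (constructed sample input).
    static byte[] signedQuery(TSIG key) throws Exception {
        Message q = Message.newQuery(
            Record.newRecord(Name.fromString("example.com."), Type.A, DClass.IN));
        key.apply(q, null);
        return q.toWire();
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret-32-bytes".getBytes(StandardCharsets.US_ASCII);
        Name keyName = Name.fromString("client-key.");
        KEYS.put(keyName, new TSIG(TSIG.HMAC_SHA256, keyName, secret));

        byte[] good = signedQuery(KEYS.get(keyName));
        byte[] tampered = good.clone();
        tampered[13] ^= 0x01;                    // alter one letter of the question name
        byte[] wrongAlg = signedQuery(new TSIG(TSIG.HMAC_SHA1, keyName, secret));
        byte[] unknown = signedQuery(
            new TSIG(TSIG.HMAC_SHA256, Name.fromString("other-key."), secret));

        for (byte[] w : new byte[][] {good, tampered, wrongAlg, unknown})
            System.out.println(Rcode.TSIGstring(authenticate(w)));
    }
}
```

The TSIG record carries only the key name, algorithm, timestamp and MAC, so the shared secret has to come from the server's own keyring; a query that fails any of these checks should be treated as unauthenticated.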