From: Luis S. <lui...@gm...> - 2011-05-26 14:23:31
It worked, thanks.
I've checked the algorithm and it requires the analysis of the complete
message. Is that correct?
Again, many thanks,
Luis
On Wed, May 25, 2011 at 6:47 PM, Brian Wellington <bwe...@xb...> wrote:
>
> On May 25, 2011, at 3:52 AM, Luis Silva wrote:
>
> > I'm receiving in my DNS java server application a DNS query with a TSIG
> > record. Is it possible to extract the TSIG key from this record and verify
> > the client based on the TSIG?
>
> It is possible to extract the TSIG record from the message, using
> Message.getTSIG(). Mapping this to a key (comparing the name and algorithm)
> and verifying the signature can be done in your application. There's code
> in jnamed which does this, and can be used for reference.
>
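> // Extract the TSIG record, then look up the key by its name.
> TSIGRecord queryTSIG = query.getTSIG();
> TSIG tsig = null;
> if (queryTSIG != null) {
>     tsig = (TSIG) TSIGs.get(queryTSIG.getName());
>     // Unknown key or failed verification: reject the query.
>     // in/length are the raw bytes of the query as received.
>     if (tsig == null ||
>         tsig.verify(query, in, length, null) != Rcode.NOERROR)
>         return formerrMessage(in);
> }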
>
> Brian
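
Added example, not part of the original thread and not dnsjava code: a Python rendering of the TSIG request MAC from RFC 2845, showing why verification needs the complete message bytes as received. The key name, secret and sample query are constructed; it assumes the TSIG record has already been parsed and cut off the message, and it does not handle truncated MACs.

```python
import hashlib, hmac, struct

def wire_name(name):
    """Domain name in canonical wire form: lowercase, uncompressed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """Fields from the TSIG record that are hashed after the message (RFC 2845)."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)                      # CLASS ANY, TTL 0
            + wire_name(algorithm)
            + struct.pack("!HIH", time_signed >> 32,          # 48-bit time signed
                          time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)

DIGESTS = {"hmac-sha256.": hashlib.sha256,
           "hmac-md5.sig-alg.reg.int.": hashlib.md5}

def tsig_mac(message, key, key_name, algorithm, time_signed, fudge):
    """Request MAC: HMAC over every byte of the message plus the TSIG variables.

    `message` is the query as received, with the TSIG record cut off the end
    and ARCOUNT decremented (assumed already done by the caller)."""
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(key, data, DIGESTS[algorithm.lower()]).digest()

def verify(message, tsig, keys, now):
    """Check order: key lookup by (name, algorithm), then MAC, then time window."""
    key = keys.get((tsig["name"].lower(), tsig["algorithm"].lower()))
    if key is None:
        return "BADKEY"
    expected = tsig_mac(message, key, tsig["name"], tsig["algorithm"],
                        tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"
    return "NOERROR"

# Constructed sample data: a query for example.com A/IN and a made-up shared key.
QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
         + wire_name("example.com") + struct.pack("!HH", 1, 1))
KEYS = {("client-key.", "hmac-sha256."): b"constructed-shared-secret"}
SIGNED_AT = 1306333651
TSIG = {"name": "client-key.", "algorithm": "hmac-sha256.",
        "time_signed": SIGNED_AT, "fudge": 300}
TSIG["mac"] = tsig_mac(QUERY, KEYS["client-key.", "hmac-sha256."],
                       "client-key.", "hmac-sha256.", SIGNED_AT, 300)
```

Changing a single byte of the query makes `verify` return BADSIG, which is why the server must keep the raw received bytes rather than re-encode the parsed message.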