Re: Using the TSIG key to verify which client is sending the request

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On May 26, 2011, at 7:23 AM, Luis Silva wrote:

> It worked, thanks.
> 
> I've checked the algorithm and it requires the analyses of the complete message. Is that correct?

I don't understand what you're asking.

Brian

> On Wed, May 25, 2011 at 6:47 PM, Brian Wellington <bwe...@xb...> wrote:
> 
> On May 25, 2011, at 3:52 AM, Luis Silva wrote:
> 
> > I'm receiving in my DNS java server application a DNS query with a TSIG record. Is it possible to extract the TSIG key from this record and verifies the client based on the TSIG?
> 
> It is possible to extract the TSIG record from the message, using Message.getTSIG().  Mapping this to a key (comparing the name and algorithm) and verifying the signature can be done in your application.  There's code in jnamed which does this, and can be used for reference.
> 
>        TSIGRecord queryTSIG = query.getTSIG();
>        TSIG tsig = null;
>        if (queryTSIG != null) {
>                tsig = (TSIG) TSIGs.get(queryTSIG.getName());
>                if (tsig == null ||
>                    tsig.verify(query, in, length, null) != Rcode.NOERROR)
>                        return formerrMessage(in);
>        }
> 
> Brian
> 