From: Brian W. <bwe...@xb...> - 2011-05-26 19:29:42
On May 26, 2011, at 12:17 PM, Luis Silva wrote:
> One of the parameters in the
>> tsig.verify(query, in, length, null)
>
> is the query. Is it possible to make the verification without the complete message?
>
> Thanks,
> Luis

No, the signature is computed over the entire message, so you need the entire message to verify it.

Brian

> On Thu, May 26, 2011 at 6:18 PM, Brian Wellington <bwe...@xb...> wrote:
>
> On May 26, 2011, at 7:23 AM, Luis Silva wrote:
>
>> It worked, thanks.
>>
>> I've checked the algorithm and it requires the analysis of the complete message. Is that correct?
>
> I don't understand what you're asking.
>
> Brian
>
>
>> On Wed, May 25, 2011 at 6:47 PM, Brian Wellington <bwe...@xb...> wrote:
>>
>> On May 25, 2011, at 3:52 AM, Luis Silva wrote:
>>
>> > I'm receiving in my DNS java server application a DNS query with a TSIG record. Is it possible to extract the TSIG key from this record and verify the client based on the TSIG?
>>
>> It is possible to extract the TSIG record from the message, using Message.getTSIG(). Mapping this to a key (comparing the name and algorithm) and verifying the signature can be done in your application. There's code in jnamed which does this, and can be used for reference.
>>
>> TSIGRecord queryTSIG = query.getTSIG();
>> TSIG tsig = null;
>> if (queryTSIG != null) {
>>     tsig = (TSIG) TSIGs.get(queryTSIG.getName());
>>     if (tsig == null ||
>>         tsig.verify(query, in, length, null) != Rcode.NOERROR)
>>         return formerrMessage(in);
>> }
>>
>> Brian
>>
>
>
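
To illustrate why the whole message is needed, here is an added example (not code from dnsjava, jnamed or this thread) that computes and checks a TSIG request MAC at the wire level as specified in RFC 2845 (now RFC 8945). Assumptions: HMAC-SHA256 only, the caller passes the offset of the TSIG record (a real parser finds it while parsing), the time/fudge check is omitted, and the key, key name, timestamp and query are constructed sample values.

```python
import hashlib, hmac, struct

def name(n):
    """Uncompressed, lower-cased DNS wire form of a non-root domain name."""
    return b"".join(bytes([len(l)]) + l.encode() for l in n.lower().strip(".").split(".")) + b"\0"

ALG, TSIG_TYPE, CLASS_ANY, FUDGE = name("hmac-sha256"), 250, 255, 300

def mac_for(key, unsigned_msg, key_name, t):
    # Request digest input: the whole message, then the TSIG variables.
    variables = (key_name + struct.pack("!HI", CLASS_ANY, 0) + ALG
                 + t.to_bytes(6, "big") + struct.pack("!HHH", FUDGE, 0, 0))
    return hmac.new(key, unsigned_msg + variables, hashlib.sha256).digest()

def sign(msg, key_name, key, t):
    """Append a TSIG RR to an unsigned message and increment ARCOUNT."""
    mac = mac_for(key, msg, name(key_name), t)
    rdata = (ALG + t.to_bytes(6, "big") + struct.pack("!HH", FUDGE, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))
    rr = name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", int.from_bytes(msg[10:12], "big") + 1) + msg[12:] + rr

def verify(wire, tsig_start, keys):
    """Return NOERROR, BADKEY or BADSIG for a request whose TSIG RR starts at tsig_start."""
    end = tsig_start
    while wire[end]:                       # walk the labels of the key name
        end += wire[end] + 1
    key_name = wire[tsig_start:end + 1].lower()
    key = keys.get(key_name)               # map the record to a key by name
    if key is None:
        return "BADKEY"
    rdata, p = wire[end + 11:], len(ALG)   # skip type, class, TTL, RDLENGTH; assumes ALG
    t = int.from_bytes(rdata[p:p + 6], "big")
    mac_len = int.from_bytes(rdata[p + 8:p + 10], "big")
    mac = rdata[p + 10:p + 10 + mac_len]
    orig_id = rdata[p + 10 + mac_len:p + 12 + mac_len]
    # Rebuild what the signer hashed: original ID, ARCOUNT - 1, all bytes before the TSIG RR.
    arcount = int.from_bytes(wire[10:12], "big") - 1
    unsigned = orig_id + wire[2:10] + arcount.to_bytes(2, "big") + wire[12:tsig_start]
    return "NOERROR" if hmac.compare_digest(mac, mac_for(key, unsigned, key_name, t)) else "BADSIG"

def flip_bit(wire, offset):                # any change to a covered byte breaks the MAC
    return wire[:offset] + bytes([wire[offset] ^ 1]) + wire[offset + 1:]

# Constructed sample data: key, key name, timestamp and query are all made up.
KEY = b"constructed-secret-for-example!!"
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + name("www.example.com") + struct.pack("!HH", 1, 1)
SIGNED = sign(QUERY, "client-key.example", KEY, 1306438182)
KEYS = {name("client-key.example"): KEY}
```

`verify(SIGNED, len(QUERY), KEYS)` succeeds, while the same call on `flip_bit(SIGNED, 13)` (one bit changed in the question name) fails, because every byte ahead of the TSIG record feeds the HMAC.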