dibatech
Frequent Visitor
Topic Author
Posts: 94
Joined: Tue Apr 04, 2006 10:14 am

DNS update tool

Mon Sep 15, 2008 8:30 am

Hi guys.

What is the difference between DNS updates from version 3.10 to 3.13?
I'm getting this in BIND 9:
client 192.168.1.211#40318: request has invalid signature: TSIG rtr: tsig verify failure (BADSIG)

Wireshark produces the following results:

20 5.984007 192.168.1.100 192.168.1.211 DNS Dynamic update response, Not authoritative

Request from client: 192.168.1.211 Ver 3.13
No. Time Source Destination Protocol Info
117 51.160641 192.168.1.211 192.168.1.100 DNS Dynamic update SOA mydomain.co.za

Frame 117 (201 bytes on wire, 201 bytes captured)
Arrival Time: Sep 15, 2008 07:24:54.104046000
[Time delta from previous captured frame: 0.018543000 seconds]
[Time delta from previous displayed frame: 51.160641000 seconds]
[Time since reference or first frame: 51.160641000 seconds]
Frame Number: 117
Frame Length: 201 bytes
Capture Length: 201 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:dns]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: Routerbo_0b:a9:9d (00:0c:42:0b:a9:9d), Dst: Intel_c2:32:c9
Destination: Intel_c2:32:c9
Address: Intel_c2:32:c9
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Routerbo_0b:a9:9d
Address: Routerbo_0b:a9:9d
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.211 (192.168.1.211), Dst: 192.168.1.100 (192.168.1.100)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 187
Identification: 0x304d (12365)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x8568 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.211 (192.168.1.211)
Destination: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: 34641 (34641), Dst Port: domain (53), Seq: 1, Ack: 1, Len: 135
Source port: 34641 (34641)
Destination port: domain (53)
Sequence number: 1 (relative sequence number)
[Next sequence number: 136 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 5840 (scaled)
Checksum: 0xaf02 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 4294942912, TSecr 19622828
[PDU Size: 135]
Domain Name System (query)
[Response In: 119]
Length: 133
Transaction ID: 0xef3c
Flags: 0x2800 (Dynamic update)
0... .... .... .... = Response: Message is a query
.010 1... .... .... = Opcode: Dynamic update (5)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
Zones: 1
Prerequisites: 0
Updates: 2
Additional RRs: 1
Zone
mydomain.co.za: type SOA, class IN
Name: mydomain.co.za
Type: SOA (Start of zone of authority)
Class: IN (0x0001)
Updates
rtr.mydomain.co.za: type A, class ANY
Name: rtr.mydomain.co.za
Type: A (Host address)
Class: ANY (0x00ff)
Time to live: 0 time
Data length: 0
rtr.mydomain.co.za: type A, class IN, addr 192.168.1.211
Name: rtr.mydomain.co.za
Type: A (Host address)
Class: IN (0x0001)
Time to live: 1 minute
Data length: 4
Addr: 192.168.1.211
Additional records
rtr: type TSIG, class ANY
Name: rtr
Type: TSIG (Transaction Signature)
Class: ANY (0x00ff)
Time to live: 0 time
Data length: 58
Algorithm Name: HMAC-MD5.SIG-ALG.REG.INT
Time signed: Sep 15, 2008 07:24:53.000000000
Fudge: 300
MAC Size: 16
MAC
No dissector for algorithm:HMAC-MD5.SIG-ALG.REG.INT
Original Id: 61244
Error: No error (0)
Other Len: 0


Response from DNS server version 3.13:

Frame 20 (137 bytes on wire, 137 bytes captured)
Ethernet II, Src: Intel_c2:32:c9 , Dst: Routerbo_0b:a9:9d
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.211 (192.168.1.211)
Transmission Control Protocol, Src Port: domain (53), Dst Port: 46350 (46350), Seq: 1, Ack: 136, Len: 71
Domain Name System (response)
[Request In: 18]
[Time: 0.000189000 seconds]
Length: 69
Transaction ID: 0x41b6
Flags: 0xa809 (Dynamic update response, Not authoritative)
1... .... .... .... = Response: Message is a response
.010 1... .... .... = Opcode: Dynamic update (5)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 1001 = Reply code: Not authoritative (9)
Zones: 0
Prerequisites: 0
Updates: 0
Additional RRs: 1
Additional records

Request from client: 192.168.1.211 Ver 3.10
No. Time Source Destination Protocol Info
6 0.018519 192.168.1.212 192.168.1.100 DNS Dynamic update SOA mydomain.co.za

Frame 6 (201 bytes on wire, 201 bytes captured)
Arrival Time: Sep 15, 2008 07:18:24.366386000
[Time delta from previous captured frame: 0.017319000 seconds]
[Time delta from previous displayed frame: 0.018519000 seconds]
[Time since reference or first frame: 0.018519000 seconds]
Frame Number: 6
Frame Length: 201 bytes
Capture Length: 201 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:dns]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: Routerbo_0b:aa:bd (00:0c:42:0b:aa:bd), Dst: Intel_c2:32:c9
Destination: Intel_c2:32:c9
Address: Intel_c2:32:c9
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Routerbo_0b:aa:bd
Address: Routerbo_0b:aa:bd
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.212 (192.168.1.212), Dst: 192.168.1.100 (192.168.1.100)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 187
Identification: 0xceab (52907)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xe708 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.212 (192.168.1.212)
Destination: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: 37692 (37692), Dst Port: domain (53), Seq: 1, Ack: 1, Len: 135
Source port: 37692 (37692)
Destination port: domain (53)
Sequence number: 1 (relative sequence number)
[Next sequence number: 136 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 5840 (scaled)
Checksum: 0x9389 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 4294947298, TSecr 19525394
[PDU Size: 135]
Domain Name System (query)
[Response In: 8]
Length: 133
Transaction ID: 0x76d6
Flags: 0x2800 (Dynamic update)
0... .... .... .... = Response: Message is a query
.010 1... .... .... = Opcode: Dynamic update (5)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
Zones: 1
Prerequisites: 0
Updates: 2
Additional RRs: 1
Zone
mydomain.co.za: type SOA, class IN
Name: mydomain.co.za
Type: SOA (Start of zone of authority)
Class: IN (0x0001)
Updates
rtr.mydomain.co.za: type A, class ANY
Name: rtr.mydomain.co.za
Type: A (Host address)
Class: ANY (0x00ff)
Time to live: 0 time
Data length: 0
rtr.mydomain.co.za: type A, class IN, addr 192.168.1.212
Name: rtr.mydomain.co.za
Type: A (Host address)
Class: IN (0x0001)
Time to live: 1 minute
Data length: 4
Addr: 192.168.1.212
Additional records
rtr: type TSIG, class ANY
Name: rtr
Type: TSIG (Transaction Signature)
Class: ANY (0x00ff)
Time to live: 0 time
Data length: 58
Algorithm Name: HMAC-MD5.SIG-ALG.REG.INT
Time signed: Sep 15, 2008 07:18:24.000000000
Fudge: 300
MAC Size: 16
MAC
No dissector for algorithm:HMAC-MD5.SIG-ALG.REG.INT
Original Id: 30422
Error: No error (0)
Other Len: 0

No. Time Source Destination Protocol Info
8 0.020426 192.168.1.100 192.168.1.212 DNS Dynamic update respon

Response from DNS server version 3.10:

Frame 8 (153 bytes on wire, 153 bytes captured)
Ethernet II, Src: Intel_c2:32:c9 , Dst: Routerbo_0b:aa:bd
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.212 (192.168.1.212)
Transmission Control Protocol, Src Port: domain (53), Dst Port: 37692 (37692), Seq: 1, Ack: 136, Len: 87
Domain Name System (response)
[Request In: 6]
[Time: 0.001907000 seconds]
Length: 85
Transaction ID: 0x76d6
Flags: 0xa880 (Dynamic update response, No error)
1... .... .... .... = Response: Message is a response
.010 1... .... .... = Opcode: Dynamic update (5)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0000 = Reply code: No error (0)
Zones: 0
Prerequisites: 0
Updates: 0
Additional RRs: 1
Additional records
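
Added example, not code from the post or from MikroTik/BIND: a Python reconstruction of the RFC 2845 TSIG request MAC using the algorithm, key name and fudge visible in the capture, plus a server-side verifier returning the TSIG error codes. The shared secret, the epoch value and the minimal UPDATE message (zone section only) are constructed. It shows that BADSIG, the error in the BIND log above, is reported only when the MAC check itself fails (client and server hashed different bytes or different secrets), while clock drift beyond the fudge is reported as BADTIME.

```python
import hashlib
import hmac
import struct
# Values taken from the capture in the post: key name "rtr", HMAC-MD5, fudge 300.
KEY_NAME = "rtr"
ALG_NAME = "hmac-md5.sig-alg.reg.int"   # what the capture shows; prefer hmac-sha256 today
FUDGE = 300

def wire_name(name: str) -> bytes:
    """Domain name in canonical (lowercase) DNS wire format, as TSIG digests it."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tsig_mac(secret, msg_without_tsig, key_name, time_signed, fudge=FUDGE, error=0, other=b""):
    """RFC 2845 s3.4: HMAC over the unsigned message followed by the TSIG variables
    (a request MAC is only prepended when signing a response, so none here)."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)      # class ANY, TTL 0
                 + wire_name(ALG_NAME)
                 + struct.pack("!Q", time_signed)[2:]                  # 48-bit time signed
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, msg_without_tsig + variables, hashlib.md5).digest()  # 16 bytes

def verify_tsig(keys, msg_without_tsig, key_name, time_signed, fudge, mac, now):
    """Server-side checks in RFC 2845 s4.5 order: key, then MAC, then time window."""
    secret = keys.get(key_name.lower())
    if secret is None:
        return "BADKEY"
    if not hmac.compare_digest(tsig_mac(secret, msg_without_tsig, key_name, time_signed, fudge), mac):
        return "BADSIG"                        # the error BIND logged in the post
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

def build_unsigned_update(txid, zone):
    """Constructed minimal UPDATE: header (opcode 5, ZOCOUNT=1) plus the zone section only."""
    header = struct.pack("!HHHHHH", txid, 0x2800, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)         # type SOA, class IN

def demo():
    secret = b"constructed-shared-secret"               # constructed; never the real key
    msg = build_unsigned_update(0xEF3C, "mydomain.co.za")
    t = 1221456293                                      # constructed epoch "Time signed"
    mac = tsig_mac(secret, msg, KEY_NAME, t)
    keys = {KEY_NAME: secret}
    return {
        "good": verify_tsig(keys, msg, KEY_NAME, t, FUDGE, mac, now=t + 5),
        "wrong_secret": verify_tsig({KEY_NAME: b"other"}, msg, KEY_NAME, t, FUDGE, mac, now=t + 5),
        "message_changed": verify_tsig(keys, msg[:-1] + b"\x02", KEY_NAME, t, FUDGE, mac, now=t + 5),
        "clock_skew": verify_tsig(keys, msg, KEY_NAME, t, FUDGE, mac, now=t + 301),
        "unknown_key": verify_tsig(keys, msg, "other", t, FUDGE, mac, now=t),
    }
```

Comparing the bytes each side feeds into the HMAC (message with the TSIG RR removed and ARCOUNT decremented, then the TSIG variables) is the way to localise a BADSIG between two client versions.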
