BadSignature: TSIG signature fails to verify. Cannot explain why


Jeffrey Forman

Mar 13, 2019, 9:07:45 PM
to dnspython-users
Hi All,

I'm trying to construct a dns.zone.from_xfr() call, but I seem to be hitting a BadSignature exception and can't quite understand why.

For example's sake, here is the 'private' file generated for an hmac-sha256 key named 'formannet':

Private-key-format: v1.3
Algorithm: 163 (HMAC_SHA256)
Key: yHA3pIIxqsM+MF2qE4DgCJibY+0=
Bits: AAA=
Created: 20190313234430
Publish: 20190313234430
Activate: 20190313234430


My code is here, which generates the BadSignature Exception from the dns.zone.from_xfr(xfr) call:

#!/usr/local/bin/python3
import dns.exception
import dns.query
import dns.tsig
import dns.tsigkeyring
import dns.zone


# Shell command used to produce the value placed in the keyring below:
# jforman@desktop1 ~ $ echo yHA3pIIxqsM+MF2qE4DgCJibY+0= | base64
# eUhBM3BJSXhxc00rTUYycUU0RGdDSmliWSswPQo=

# Keyring built from the output of the shell command above; from_text()
# takes (key name, base64 secret) pairs and decodes the secret itself.
mykeyring = dns.tsigkeyring.from_text({
    'formannet': 'eUhBM3BJSXhxc00rTUYycUU0RGdDSmliWSswPQo='})

# Request an AXFR of the reverse zone, signing the query with the
# 'formannet' key from the keyring using HMAC-SHA256.
xfr = dns.query.xfr(
    '10.30.20.1',
    '20.30.10.in-addr.arpa',
    port=53,
    keyring=mykeyring,
    keyalgorithm='hmac-sha256')

# Consumes the transfer; this is the call that raises BadSignature.
zone = dns.zone.from_xfr(xfr)

print("zone: %s" % zone)

What am I missing here that makes my TSIG signature fail to verify? Any help is greatly appreciated.

Thanks,
Jeff

Bob Halley

Mar 13, 2019, 11:12:15 PM
to dnspython-users
Well, the key in your file, yHA3pIIxqsM+MF2qE4DgCJibY+0=, looks like base64 already.  But then you run it through base64 again and give the doubly encoded version eUhBM3BJSXhxc00rTUYycUU0RGdDSmliWSswPQo= to dnspython.  Try giving dnspython yHA3pIIxqsM+MF2qE4DgCJibY+0= instead, and let it decode that base64 to the key.
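As an added example (not code from the thread and not dnspython's own code), here is a stdlib-only script that shows the point above: the `Key:` line of the `.private` file is already the base64 form of the secret, and `dns.tsigkeyring.from_text` decodes it once, so running it through `echo | base64` again (which also appends a newline) hands the library 29 bytes of ASCII text instead of the 20-byte key, and every HMAC it then computes differs from the server's. The key-file parser, the `named.conf` key stanza helper, the keyring helper that mimics `from_text`, and the sample data being signed are all assumptions of this example; real TSIG signs the DNS message together with the TSIG variables as described in RFC 8945, which is not reproduced here.

```python
"""
Added example (not from the thread or from dnspython): why double
base64-encoding a TSIG secret yields BadSignature, and how to load it.

Assumptions: the dnssec-keygen K*.private format shown in the thread,
the key name 'formannet', and constructed sample data standing in for
the bytes TSIG actually signs (the DNS message plus TSIG variables).
"""
import base64
import hashlib
import hmac

# The poster's private-key file, embedded so this runs offline.
PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 163 (HMAC_SHA256)
Key: yHA3pIIxqsM+MF2qE4DgCJibY+0=
Bits: AAA=
Created: 20190313234430
Publish: 20190313234430
Activate: 20190313234430
"""

# What `echo <key> | base64` produced in the original post. Note that
# echo appended a newline before the second encoding took place.
DOUBLE_ENCODED = "eUhBM3BJSXhxc00rTUYycUU0RGdDSmliWSswPQo="


def parse_private_file(text):
    """Return {field: value} for a dnssec-keygen private-key file."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def keyring_from_text(textring):
    """Mimic dns.tsigkeyring.from_text: values are base64 text of the raw
    key and are decoded exactly once here, so callers must not pre-encode."""
    return {name: base64.b64decode(secret) for name, secret in textring.items()}


def named_conf_key_stanza(name, fields):
    """Hypothetical helper: the BIND key statement that shares this secret
    with the server. named.conf takes the same base64 text as the file."""
    return (
        f'key "{name}" {{\n'
        f"    algorithm hmac-sha256;\n"
        f'    secret "{fields["Key"]}";\n'
        f"}};\n"
    )


def tsig_mac(key, data):
    """HMAC-SHA256 over `data`: the 'mac' both sides compute and compare."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key, data, mac):
    """Constant-time comparison of the received MAC against our own."""
    return hmac.compare_digest(tsig_mac(key, data), mac)


def demo():
    fields = parse_private_file(PRIVATE_FILE)
    secret_text = fields["Key"]

    good = keyring_from_text({"formannet": secret_text})["formannet"]
    bad = keyring_from_text({"formannet": DOUBLE_ENCODED})["formannet"]

    # Constructed stand-in for the bytes TSIG signs (not a real DNS message).
    data = b"AXFR 20.30.10.in-addr.arpa (constructed sample data)"
    server_mac = tsig_mac(good, data)  # the server holds the file's secret

    return {
        "raw_key_len": len(good),        # 20 bytes of real key material
        "double_key_len": len(bad),      # 29: the base64 text plus "\n"
        "double_decodes_to": bad,        # the ASCII of the original value
        "good_verifies": verify(good, data, server_mac),
        "bad_verifies": verify(bad, data, server_mac),
        "named_conf": named_conf_key_stanza("formannet", fields),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The check a practitioner wants from this is `double_decodes_to`: if the bytes the library ends up holding are printable ASCII ending in `=` and a newline, the secret was encoded twice. The `named.conf` stanza and the dnspython keyring must be given the identical base64 string from the `Key:` line; neither side should transform it.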

Jeffrey Forman

Mar 14, 2019, 7:11:49 AM
to dnspython-users
Bob,

I realized I was doing that incorrectly (and thought I had tried that in earlier testing), but it seems even just passing in the key itself still returns BadSignature:

Jeffrey Forman

Mar 14, 2019, 8:04:09 PM
to dnspython-users
I did a bit of further debugging by print statements, and I am tripping the "our_mac != mac" conditional. Printing both, this is what I get.

our_mac: b'\r\xeedQ\x13\x06\x07\xdbA\x91\x88B|\x1105\xe5)\xf6\xfb\xc1e\xf3\xb5H)t\x00(y\xba\xef'
mac: b'\x8a+\x04J\x00\xfc!\x15\xe4@\xa4*R\xdd\xc1\xf6\xf2\x18\xdd\xe1t\x06\xd8\xac\xbc\x1e\xb4,\x80\xcf\x80\x93'

Given this part of the code hasn't changed in several years, I'm not quite sure how to proceed further.

Bob Halley

Mar 14, 2019, 8:08:24 PM
to dnspython-users
Debugging TSIG issues is often tough.  If you can create a replication recipe like "configure BIND (or whatever) as follows, and then run this dnspython program" and then open an issue for it on github, we can investigate in more detail.

Jeffrey Forman

Mar 15, 2019, 3:31:35 PM
to dnspython-users