community
/
dns
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Document SetTsig() needs to be final RRset change (#544) 

I spent several hours trying to figure out why my TSIG signatures were
failing on requests to a server.  I finally discovered this little
detail in the RFC which turned out to be my whole problem.  Amending the
documentation to hopefully spare others the same confusion.

    If an incoming message contains a TSIG record, it MUST be the last
    record in the additional section.

RFC2845 3.2
This commit is contained in:
David McNett 2017-10-30 01:55:49 -05:00 committed by Miek Gieben
parent 822ae18e71
commit a5852667e3
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc.go
View File

@ -168,6 +168,11 @@ Basic use pattern when querying with a TSIG name "axfr." (note that these key na
must be fully qualified - as they are domain names) and the base64 secret
"so6ZGir4GPAqINNh9U5c3A==":
If an incoming message contains a TSIG record it MUST be the last record in
the additional section (RFC2845 3.2). This means that you should make the
call to SetTsig last, right before executing the query. If you make any
changes to the RRset after calling SetTsig() the signature will be incorrect.
c := new(dns.Client)
c.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
m := new(dns.Msg)