[#4326] Added log and ChangeLog entry
authorFrancis Dupont <fdupont@isc.org>
Tue, 3 Mar 2026 14:42:26 +0000 (15:42 +0100)
committerFrancis Dupont <fdupont@isc.org>
Sat, 23 May 2026 17:53:48 +0000 (19:53 +0200)
changelog_unreleased/4326-workaround-flag-for-gss-tsig-dns [new file with mode: 0644]
src/hooks/d2/gss_tsig/gss_tsig_api.cc
src/hooks/d2/gss_tsig/gss_tsig_messages.cc
src/hooks/d2/gss_tsig/gss_tsig_messages.h
src/hooks/d2/gss_tsig/gss_tsig_messages.mes

diff --git a/changelog_unreleased/4326-workaround-flag-for-gss-tsig-dns b/changelog_unreleased/4326-workaround-flag-for-gss-tsig-dns
new file mode 100644 (file)
index 0000000..a39d238
--- /dev/null
@@ -0,0 +1,5 @@
+[func]         fdupont
+       Added the "ignore-bad-direction" workaround flag to
+       the GSS-TSIG hook library to accept DNS update responses
+       with the request signature sent by bogus servers.
+       (Gitlab #4326)
index 662289c85262dde02f90471d4c9175a152888017..e6f4b8f8492697cf3cf4f690a8c3b3989b4a7f41 100644 (file)
@@ -7,6 +7,8 @@
 #include <config.h>
 
 #include <gss_tsig_api.h>
+#include <gss_tsig_log.h>
+#include <gss_tsig_messages.h>
 #include <cstring>
 #include <limits>
 #include <sstream>
@@ -369,6 +371,7 @@ GssApiSecCtx::verify(GssApiBuffer& gmessage, GssApiBuffer& gsig) {
             (err_msg.find("wrong direction") != string::npos)
 #endif
             ) {
+            LOG_INFO(gss_tsig_logger, GSS_TSIG_IGNORED_BAD_DIRECTION);
             return;
         }
         setLastError(major);
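Review bot: The added `LOG_INFO` in the wrong-direction branch takes no argument, so the log does not show which verification failure was accepted as success. This branch returns before `setLastError(major)`, so the log line is the only trace left of the ignored failure. Consider passing the error text already in scope, `LOG_INFO(gss_tsig_logger, GSS_TSIG_IGNORED_BAD_DIRECTION).arg(err_msg);`, with a matching `%1` in the message text in gss_tsig_messages.mes; identifying the peer or key probably has to happen in the caller, since `verify` only receives the two buffers. A warning severity may fit an accepted signature failure better than info, and the .mes description could state that the response was accepted although its signature did not verify and that this only happens with the "ignore-bad-direction" flag. `GssApiSecCtx::verify` starts and ends outside the hunk.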
index eecfebd5c0530ef7309d49f0cac358a2e97abc5c..6971053c786e17450b2598653f403ecb3ed80f95 100644 (file)
@@ -9,6 +9,7 @@ namespace gss_tsig {
 
 extern const isc::log::MessageID BAD_CLIENT_CREDENTIALS = "BAD_CLIENT_CREDENTIALS";
 extern const isc::log::MessageID GSS_TSIG_COMMAND_PROCESSED_FAILED = "GSS_TSIG_COMMAND_PROCESSED_FAILED";
+extern const isc::log::MessageID GSS_TSIG_IGNORED_BAD_DIRECTION = "GSS_TSIG_IGNORED_BAD_DIRECTION";
 extern const isc::log::MessageID GSS_TSIG_LOAD_FAILED = "GSS_TSIG_LOAD_FAILED";
 extern const isc::log::MessageID GSS_TSIG_LOAD_OK = "GSS_TSIG_LOAD_OK";
 extern const isc::log::MessageID GSS_TSIG_MANAGER_STARTED = "GSS_TSIG_MANAGER_STARTED";
@@ -64,6 +65,7 @@ namespace {
 const char* values[] = {
     "BAD_CLIENT_CREDENTIALS", "bad client credentials: %1",
     "GSS_TSIG_COMMAND_PROCESSED_FAILED", "command_processed callout failed: %1.",
+    "GSS_TSIG_IGNORED_BAD_DIRECTION", "ignored bad direction verify failure.",
     "GSS_TSIG_LOAD_FAILED", "GSS-TSIG hooks library failed to load: %1.",
     "GSS_TSIG_LOAD_OK", "GSS-TSIG hooks library loaded successfully.",
     "GSS_TSIG_MANAGER_STARTED", "hooks library GSS-TSIG key periodic manager started.",
index 98cac94050262ecdd44ce9988a0f893ac2791ac6..2dffae4c1e8c26de1fe92f27f9b57cb8e9436019 100644 (file)
@@ -10,6 +10,7 @@ namespace gss_tsig {
 
 extern const isc::log::MessageID BAD_CLIENT_CREDENTIALS;
 extern const isc::log::MessageID GSS_TSIG_COMMAND_PROCESSED_FAILED;
+extern const isc::log::MessageID GSS_TSIG_IGNORED_BAD_DIRECTION;
 extern const isc::log::MessageID GSS_TSIG_LOAD_FAILED;
 extern const isc::log::MessageID GSS_TSIG_LOAD_OK;
 extern const isc::log::MessageID GSS_TSIG_MANAGER_STARTED;
index 17f6ef5f2aefc63cb27a973ebd1d6d1d1cc37d48..98c747041ecfaeb1f91bda0f38182c94d6a1a0b2 100644 (file)
@@ -15,6 +15,10 @@ TKEY lifetime. The argument details the error.
 This error message is issued when the callout for the command_processed
 callout point failed. The argument contains a reason for the error.
 
+% GSS_TSIG_IGNORED_BAD_DIRECTION ignored bad direction verify failure.
+This info message indicates that a verify failed because the message
+was in the wrong direction but this failure was ignored.
+
 % GSS_TSIG_LOAD_FAILED GSS-TSIG hooks library failed to load: %1.
 This error message indicates that an error occurred attempting to
 load the GSS-TSIG hooks library. The argument details the error.