Failing DNS test(s) in OTP:s own test suite

cdybedahl · August 29, 2025, 9:12am

Good morning. I’m trying to add basic support for the DNSSEC RR types to OTP’s built-in DNS code, to enable things like writing a validating resolver without having to re-implement all of basic DNS. That part is going pretty well.

The part that’s not going well is that one if the existing tests in inet_res_SUITE keeps failing for me, even when if I check out a pristine copy of the OTP-28.0.1 tag and run the tests there. The specific test that fails is tsig_client, and it fails because it generates a signature that the name server started by the test suite thinks is invalid:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
inet_res_SUITE:'-tsig_client/1-fun-1-' failed on line 1517
Reason: {badmatch,{error,{notauth,badsig}}}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I’m at a bit of a loss for how to proceed here. I assume that this test passed when Erlang was released. So maybe there is something wrong with my setup? I’m running the tests on macOS, having installed the name server (knotd) from Homebrew (and then made sure the test code could find it). But I get the same failure in Github Actions (for my own branch, not the tagged release), which should be running the exact environment specified by the OTP team.

Any suggestions?

cdybedahl · August 29, 2025, 9:43am

After looking closer, it turns out the test code uses a different TSIG key name than the corresponding name server configuration does. Which explains the failure just fine, the client is essentially trying to use a key that the server doesn’t have. Fixing this tiny issue makes the whole test suite pass just fine. So that’s good.

What’s still confusing me is that it looks in git like this problem has been there for two years, and several Erlang releases. How is that possible?

raimo · September 1, 2025, 12:42pm

We also just found this issue and are working on it.

github.com/erlang/otp

Test case for `inet_res` `TSIG` doesn't work

opened 11:55AM - 26 Aug 25 UTC

RaimoNiskanen

team:PS help wanted bug priority:medium

**Describe the bug** The test cases `inet_res_SUITE:tsig_client/1` (and maybe `i…net_res_SUITE:tsig_server/1`) sometimes fails for newer versions of Knot. When investigating this it became clear that `tsig_client/1` fails the AXFR request it intends to do because Knot returns an error code 9 (not authoritative for the requested domain). So there is no zone transfer return, and therefor no multiple TSIG signed replies, which is what the test case intends to test. Instead the server replies with a TSIG signed error, which the test case passes despite a lot of TSIG code didn't execute. On later versions on Knot it seems the error return is not signed, which fails the test. Therefore it seems the test fails occasionally in our daily tests, but the reality is that it doesn't test what it is supposed to test. **To Reproduce** Modify the test case to print the server replies, and it shows that there is no zone transfer but instead an error reply. **Expected behavior** I guess there is some tiny little Knot configuration detail that needs fixing to make Knot believe it is authoritative for the zone, but I have not found it with a quick look and search. The test case should check the result code to verify that the zone transfer is successful, in addition to verifying the TSIG signature. To facilitate this a new API function in `inet_res` is probably needed, a low level one that decodes the result code but allows to inspect the TSIG signature afterwards. **Affected versions** 28 and probably earlier **Additional context** TSIG in `inet_res` was added in PR #6985, by @jimdigriz, so you will probably figure this one out in a jiffy... ;-)

github.com/erlang/otp

inet_dns support for UPDATE, NOTIFY and TSIG

master ← jimdigriz:dns

opened 05:20PM - 06 Mar 23 UTC

jimdigriz

+1469 -164

Some proposed enhancements to `inet_dns`: * guard to catch when there is more …than one `EDNS(0)` option present as [discussed](https://github.com/erlang/otp/pull/2959#issuecomment-759405956) * support for `NOTIFY` and `UPDATE` * `UPDATE` is a little more complicated as zero length data is now allowed and a new `NONE` class * removed the `UPDATE{A,D,DA,M,MA}` to kick up a conversation if these should still exist * includes the defines for `IXFR` and a few other rcodes * Initial support for `TSIG` [suggested some time back that there would be interest to have this baked into `inet_dns.erl`](https://github.com/erlang/otp/pull/2959#issuecomment-759405956) * ~~Not yet added support for `TSIG` over TCP as [described by RFC8945, section 5.3.1](https://datatracker.ietf.org/doc/html/rfc8945#section-5.3.1); this is on my list of things to resolve though~~ - this has now been added though mostly untested I suspect none of this is particularly controversial but the `TSIG` API does need to be thrashed out. I am submitting what I see as version zero (0) and finally worth sharing around. I really would prefer the focus be on the API as the implementation will need burning and redoing a few more times from scratch as we carve out the interface. In the spirit of `inet_dns`, this is an undocumented API in that it expects the user to handle policy whilst it only sets out to handles the encoding/decoding/verification. I tried a few interface/API iterations and found having settled on passing in `#dns_rec{}` ended up being the least offensive and made the most sense from a possible user perspective but this is my view only. Similarly I tried putting this all in `inet_dns.erl` but after a while the sign/verify functionality just felt more correct in its own module, again this is my view, but it did mean I had to export the name encode/decode routines from `inet_dns` so maybe this should be folded back into `inet_dns`. Broken out of the commit so to hack out the conversation here, this is what it smells like (for a simple client expecting a single UDP response packet to its request): ``` Zone = "example.com". Name = "cheese". Request = inet_dns:make_msg([ {header,inet_dns:make_header([ {id,rand:uniform(65536) - 1}, {opcode,update} ])}, % RFC2136, section 2 {qdlist,[ % Zone inet_dns:make_dns_query([ {domain,Zone}, {class,in}, {type,soa} ]) ]}, {nslist,[ % Update inet_dns:make_rr([ {domain,Name ++ "." ++ Zone}, {ttl,300}, {class,in}, {type,a}, {data,{192,0,2,1}} ]) ]} ]). % my thinking here is to be like crypto:mac_init as we need rolling state especially for TSIG over TCP TSigState0 = inet_dns_tsig:init([{keys,[{"mykey","moocowmoocow"}]}]). {ok,RequestSigned,TSigState1} = inet_dns_tsig:sign(Request, TSigState0). RequestPkt = inet_dns:encode(RequestSigned). {ok,Sock} = gen_udp:open(0, [binary,{active,false}]). gen_udp:send(Sock, {{127,0,0,1},5354}, RequestPkt). {ok,{_,_,ResponsePkt}} = gen_udp:recv(Sock, 0). {ok,ResponseSigned} = inet_dns:decode(ResponsePkt). % will return {error,...} if something is wrong % like inet_dns:decode, will throw formerr if something is wrong with the packet...personally not a fan of this behaviour {ok,TSigState2} = inet_dns_tsig:verify(ResponseSigned, TSigState1). Response = inet_dns:msg(ResponseSigned). ``` Usage for a client (shown above and mostly tested): 1. `tsig:init/1` * configuration `algs` really is only useful as a single item as we use the first algorithm (default: `sha256`) provided * configuration `keys` really is only useful as a single item as we use the first name/secret entry 3. `tsig:sign/2` the request and send it 4. for each response packet (there can be one or typically for TCP more than one) call `tsig:verify/2` 5. ...remember to consider the gotchas/warnings in the comments at the top of `inet_dns_tsig.erl` Usage for a server (not tested as I am still in the middle of building my DNS server...will get back to you...): 1. `tsig:init/1` * configuration `algs` lists all the algorithms we are willing to support (default: only `sha256`, maybe the default for 'server' should be changed to all the algorithms) * configuration `keys` lists all the name/secret combinations that are accepted 3. call `tsig:verify/2` on the request packet 4. construct the response and call `tsig:sign/2`, sending it to the client; repeat this until the response is completely sent

The reason it hasn’t been noticed is that when accepting this feature, we didn’t notice that the test case does not verify that the requested operation (a zone transfer) succeeds, only that it has a correct TSIG signature. And up to now the test case DNS server that is used (Knot) has replied with an error reply that has a correct TSIG signature, which satisfied the test case. But it seems new (now emerging) versions of Knot doesn’t TSIG sign that error reply, and thus the test case has started to fail. But it has probably never tested the right thing; that all segments of the zone transfer are correctly TSIG signed.

cdybedahl · September 1, 2025, 1:00pm

That makes sense. I’ll wait with creating my own PR until this has been fixed. Thanks for the reply!

raimo · September 4, 2025, 1:54pm

The TSIG test case PR has now been merged to ‘maint’ and ‘master’