File 8945-inet_dns_tsig-compute-MAC-using-senders-timestamp-no.patch of Package erlang
From 656a3b1b45b608f6adbb28fdb556f0e15c77c0a0 Mon Sep 17 00:00:00 2001
From: Alexander Clouter <alex@digriz.org.uk>
Date: Wed, 3 Sep 2025 18:35:25 +0100
Subject: [PATCH 5/5] inet_dns_tsig: compute MAC using senders timestamp, not
ours
This resolves the racy {notauth,badsig} errors seen. Before the fix, these
could be seen in a tight loop after about 100 client queries. With the fix, no
issue was seen after making 10k requests.
---
lib/kernel/src/inet_dns_tsig.erl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/kernel/src/inet_dns_tsig.erl b/lib/kernel/src/inet_dns_tsig.erl
index 41bea4cb3f..88fdad2b2a 100644
--- a/lib/kernel/src/inet_dns_tsig.erl
+++ b/lib/kernel/src/inet_dns_tsig.erl
@@ -243,10 +243,10 @@ do_verify(Pkt, _Response, TS, TSigRR) ->
]),
MACCalc = if
element(1, TS#tsig_state.mac) == ?MODULE ->
- mac(PktS, TS, Error, Now, OtherData);
+ mac(PktS, TS, Error, NowSigned, OtherData);
%% RFC8945, section 5.3.1: TSIG on TCP Connections
true ->
- mac(TS, Error, Now, OtherData)
+ mac(TS, Error, NowSigned, OtherData)
end,
if
%% RFC8945, section 5.2 - MUST check time after MAC
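Review bot: Neither changed `mac(...)` call says why `NowSigned` is passed instead of the local `Now`, so a later reader could easily revert it; a comment above `MACCalc = if` would pin the intent, for example `%% RFC8945, section 4.3: the MAC covers Time Signed as sent by the peer; local Now is only for the time check below`. Because `NowSigned` is taken from the received TSIG RR, replay protection now depends entirely on the section 5.2 time check that begins on the last lines of this hunk. That check should still compare `NowSigned` against the local clock within Fudge, but its body is outside the hunk, as are the start and end of `do_verify`, so this cannot be confirmed from here. The patch changes only this one file, so a regression test is worth adding: verify a message whose Time Signed differs from the verifier's clock by a second or two, and check that one outside Fudge is still rejected.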
--
2.51.0