fail to create ns secret

[adrienb4]

Hi

We can't generate a ns secret.

Logs :

django.db.utils.DataError: (1406, "Data too long for column 'nameserver_update_secret' at row 1")

HMAC_SHA512 secret need to have a length to 89, but you set it to 88 in the last migration file.

Commit 0a625d6

Thx

[ThomasWaldmann]

@elnappo ^^^

[elnappo]

Hmm, we haven't changed the length of this field. It was always 88
https://github.com/nsupdate-info/nsupdate.info/blob/master/src/nsupdate/main/models.py#L103
https://github.com/nsupdate-info/nsupdate.info/search?q=nameserver_update_secret&unscoped_q=nameserver_update_secret

[adrienb4]

In my case all HMAC-SHA512 secrets have 89 for length.
I recently upgraded nsupdate and now I can't add new domains.
All domains secret are been generated by nsupdate before upgrading.

[elnappo]

On nsupdate.info my nameserver update secrets are 88 chars long. @ThomasWaldmann do you have an idea?

[ThomasWaldmann]

I tried to add a new domain: len = 88

Then I created a new configuration / new secret for the same domain: len = 88, too.

So, I can't reproduce.

[ThomasWaldmann]

@adrienb4 how do your generated secrets look like?

[ThomasWaldmann]

is it related to #447?

[adrienb4]

For example with a domain secret created by nsupdate :

SmtQUHpzWW5mZlZRNkdnYmJabnBFQ01nc21hN3VrekZGTWR0RVU2RjVZOGtXdlJaNDR4SkIzQkZIRVE0SDZGTQ==

Len is 89.

[adrienb4]

I just generated a new secret domain in CLI :

dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST tata.dyn.toto.fr

Len is 89 too

uP4TqSMiUQUkPrInsaI77WH6up28yKI+36Kp44Aq3e9P+JDQ4toXpCRxCTkU8lhSJyLL6lGbXgoX6WWNjOB/AQ==

[adrienb4]

Hummm as much for me :/

echo -n 'uP4TqSMiUQUkPrInsaI77WH6up28yKI+36Kp44Aq3e9P+JDQ4toXpCRxCTkU8lhSJyLL6lGbXgoX6WWNjOB/AQ==' | wc -c
88

echo 'uP4TqSMiUQUkPrInsaI77WH6up28yKI+36Kp44Aq3e9P+JDQ4toXpCRxCTkU8lhSJyLL6lGbXgoX6WWNjOB/AQ==' | wc -c
89

Vscode misled me in error. The first character is 1 not 0.

[adrienb4]

We have found the origin of the problem.

We think when you have upgrade Django to 2.2.9, you introduce a bug with domain secret.
Django tries to update domain secret with a wrong format. The expected format is a string, however we have a binary.

Domain secret in str mode has a length of 88. In binary mode the length is 91.

I also discovered that sqlite was not looking at the size of these fields.... You can put more than 88 characters in this case. Not possible with MySQL (my backend).

See : https://sqlite.org/faq.html#q9

[ThomasWaldmann]

ok, guess it is fixed by #454 - but do we now have invalid secret data in the (sqlite) db?
and why did that even work when reading b'...' from the db?

[brice-gros]

good point, I assume that switching from django 1 to 2, make the secrets in sqlite invalid anyway, invalidating any comparison string vs bytes.
By the way, regarding #445, switching from sqlite to postgresql (or mysql), won't be possible either, due to the insertion failing since the varchar's max length constraint is not respected.
So, a migration step verifying and fixing nameserver_update_secret would fix the whole issue, I guess