Fix ACCESS_KEYS #242

Open: nicegamer7 wants to merge 1 commit into serverless-dns:main from nicegamer7:main

@nicegamer7

It looks like ACCESS_KEYS broke with 906e9a7 and d078ebe.

The first commit caused the following issue:

Feb 25 21:21:25 nixos rethink-dns[166512]: 2026-02-25T21:21:25.669Z W RethinkPlugin [rx.7d5dfy6dbf.kasfov5wys] unexpected err userOp RespData {
Feb 25 21:21:25 nixos rethink-dns[166512]:   isBlocked: false,
Feb 25 21:21:25 nixos rethink-dns[166512]:   flag: '',
Feb 25 21:21:25 nixos rethink-dns[166512]:   dnsPacket: null,
Feb 25 21:21:25 nixos rethink-dns[166512]:   dnsBuffer: null,
Feb 25 21:21:25 nixos rethink-dns[166512]:   stamps: {},
Feb 25 21:21:25 nixos rethink-dns[166512]:   userAuth: null,
Feb 25 21:21:25 nixos rethink-dns[166512]:   userBlocklistInfo: null,
Feb 25 21:21:25 nixos rethink-dns[166512]:   dnsResolverUrl: '',
Feb 25 21:21:25 nixos rethink-dns[166512]:   userBlocklistFlag: '',
Feb 25 21:21:25 nixos rethink-dns[166512]:   httpResponse: null
Feb 25 21:21:25 nixos rethink-dns[166512]: }
Feb 25 21:21:25 nixos rethink-dns[166512]: 2026-02-25T21:21:25.670Z E RethinkPlugin [rx.7d5dfy6dbf.kasfov5wys] exception {"data":{"isBlocked":false,"flag":"","dnsPacket":null,"dnsBuffer":null,"stamps":{},"userAuth":null,"userBlocklistInfo":null,"dnsResolverUrl":"","userBlocklistFlag":"","httpResponse":null},"isException":true,"exceptionFrom":"UserOp","exceptionStack":"DataError: Invalid key length\n    at Object.macImportKey (node:internal/crypto/mac:199:11)\n    at SubtleCrypto.importKeySync (node:internal/crypto/webcrypto:782:10)\n    at SubtleCrypto.importKey (node:internal/crypto/webcrypto:893:10)\n    at hmackey (file:///nix/store/zpnd7dljw0camvdgkc4pij51nb4c538l-rethink-dns-14f4e96-1771971412302/lib/rethink-dns/fly.mjs:4457:24)\n    at proof (file:///nix/store/zpnd7dljw0camvdgkc4pij51nb4c538l-rethink-dns-14f4e96-1771971412302/lib/rethink-dns/fly.mjs:13878:54)\n    at genInternal (file:///nix/store/zpnd7dljw0camvdgkc4pij51nb4c538l-rethink-dns-14f4e96-1771971412302/lib/rethink-dns/fly.mjs:13849:20)\n    at gen (file:///nix/store/zpnd7dljw0camvdgkc4pij51nb4c538l-rethink-dns-14f4e96-1771971412302/lib/rethink-dns/fly.mjs:13831:10)\n    at auth (file:///nix/store/zpnd7dljw0camvdgkc4pij51nb4c538l-rethink-dns-14f4e96-1771971412302/lib/rethink-dns/fly.mjs:13789:33)\n    at UserOp.exec (file:///nix/store/zpnd7dljw0camvdgkc4pij51nb4c538l-rethink-dns-14f4e96-1771971412302/lib/rethink-dns/fly.mjs:14441:25)\n    at RethinkPlugin.execute (file:///nix/store/zpnd7dljw0camvdgkc4pij51nb4c538l-rethink-dns-14f4e96-1771971412302/lib/rethink-dns/fly.mjs:18534:34)"}

After fixing the above issue, I found this issue caused by the second commit:

Feb 26 04:19:31 nixos rethink-dns[172596]: [rx.qsz7xzxqw8.9m53qxpdpq] auth: key mismatch want: [domain redacted]|[key redacted]  have: [domain redacted]|
Feb 26 04:19:31 nixos rethink-dns[172596]: [rx.qsz7xzxqw8.9m53qxpdpq] auth: key mismatch want: [domain redacted]|[key redacted] [domain redacted]|[key redacted]  have: [domain redacted]|
Feb 26 04:19:31 nixos rethink-dns[172596]: [rx.qsz7xzxqw8.9m53qxpdpq] auth: key mismatch want: [domain redacted]|[key redacted] [domain redacted]|[key redacted] [domain redacted]|[key redacted]  have: [domain redacted]|
Feb 26 04:19:31 nixos rethink-dns[172596]: [rx.qsz7xzxqw8.9m53qxpdpq] auth: stop! no matches
Feb 26 04:19:31 nixos rethink-dns[172596]: 2026-02-26T04:19:31.648Z W RethinkPlugin [rx.qsz7xzxqw8.9m53qxpdpq] unexpected err userOp RespData {
Feb 26 04:19:31 nixos rethink-dns[172596]:   isBlocked: false,
Feb 26 04:19:31 nixos rethink-dns[172596]:   flag: '',
Feb 26 04:19:31 nixos rethink-dns[172596]:   dnsPacket: null,
Feb 26 04:19:31 nixos rethink-dns[172596]:   dnsBuffer: null,
Feb 26 04:19:31 nixos rethink-dns[172596]:   stamps: {},
Feb 26 04:19:31 nixos rethink-dns[172596]:   userAuth: Outcome { status: -1, ok: false, no: true, yes: false },
Feb 26 04:19:31 nixos rethink-dns[172596]:   userBlocklistInfo: null,
Feb 26 04:19:31 nixos rethink-dns[172596]:   dnsResolverUrl: '',
Feb 26 04:19:31 nixos rethink-dns[172596]:   userBlocklistFlag: '',
Feb 26 04:19:31 nixos rethink-dns[172596]:   httpResponse: null
Feb 26 04:19:31 nixos rethink-dns[172596]: }
Feb 26 04:19:31 nixos rethink-dns[172596]: 2026-02-26T04:19:31.648Z E RethinkPlugin [rx.qsz7xzxqw8.9m53qxpdpq] exception {"data":{"isBlocked":false,"flag":"","dnsPacket":null,"dnsBuffer":null,"stamps":{},"userAuth":{"status":-1,"ok":false,"no":true,"yes":false},"userBlocklistInfo":null,"dnsResolverUrl":"","userBlocklistFlag":"","httpResponse":null},"isException":true,"exceptionFrom":"UserOp:Auth","exceptionStack":"Error: auth failed\n    at UserOp.exec (file:///nix/store/mim2jnsrvjvp7imi3bh3fshb6xk46z9z-rethink-dns-14f4e96-1771971412302/lib/rethink-dns/fly.mjs:14444:66)\n    at process.processTicksAndRejections (node:internal/process/task_queues:104:5)\n    at async RethinkPlugin.execute (file:///nix/store/mim2jnsrvjvp7imi3bh3fshb6xk46z9z-rethink-dns-14f4e96-1771971412302/lib/rethink-dns/fly.mjs:18535:19)"}

I used Claude Opus 4.6 to find solutions to these issues. This is how Claude described these issues:

  1. hmac256opts (commit 906e9a7) — length: 512 was added to the HMAC options, which breaks importKey when the raw key data is shorter than 64 bytes. Fix: omit length from hmac256opts when no argument is passed, and have hkdfhmac pass 512 explicitly.
  2. hmacsign — missing async/await on crypto.subtle.sign, causing normalize8 to receive a Promise instead of an ArrayBuffer, silently returning an empty Uint8Array. Fix: make hmacsign async and await the sign call.
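
The two failure modes described in the post above can be reproduced with Node's WebCrypto. This is an added example, not part of the original post and not code from serverless-dns. `toBytes`, `importHmacKey`, `signNoAwait`, `signAwait` and `isFullTag` are hypothetical names, `toBytes` is an assumed stand-in for a normalizer that returns an empty array for non-buffer input, and the key and message are constructed.

```javascript
// Added illustration; helper names are hypothetical, not serverless-dns code.
// Stand-in for a byte normalizer: non-buffer input becomes an empty array.
function toBytes(x) {
  if (x instanceof ArrayBuffer) return new Uint8Array(x);
  if (ArrayBuffer.isView(x)) return new Uint8Array(x.buffer, x.byteOffset, x.byteLength);
  return new Uint8Array(0); // a pending Promise ends up here
}

// Import a raw HMAC-SHA256 key; `bits` is only set when the caller passes it.
function importHmacKey(subtle, raw, bits) {
  const alg = { name: "HMAC", hash: "SHA-256" };
  if (bits !== undefined) alg.length = bits;
  return subtle.importKey("raw", raw, alg, false, ["sign"]);
}

// Failure shape: sign() returns a Promise that is normalized without await.
function signNoAwait(subtle, key, msg) {
  return toBytes(subtle.sign("HMAC", key, msg));
}

// Corrected shape: await the signature before normalizing it.
async function signAwait(subtle, key, msg) {
  return toBytes(await subtle.sign("HMAC", key, msg));
}

// Fail closed on a tag that is not a full SHA-256 output.
function isFullTag(tag) {
  return tag instanceof Uint8Array && tag.length === 32;
}

async function demo() {
  const { webcrypto } = await import("node:crypto");
  const subtle = webcrypto.subtle;
  const raw32 = new Uint8Array(32).fill(7); // constructed 32-byte key
  const msg = new TextEncoder().encode("example.test|constructed");
  let importError = null;
  try {
    await importHmacKey(subtle, raw32, 512); // 256-bit key, length says 512
  } catch (e) {
    importError = e.name;
  }
  const key = await importHmacKey(subtle, raw32); // length omitted
  const broken = signNoAwait(subtle, key, msg);
  const fixed = await signAwait(subtle, key, msg);
  return { importError, brokenOk: isFullTag(broken), fixedOk: isFullTag(fixed),
    brokenLen: broken.length, fixedLen: fixed.length };
}

demo().then((r) => console.log(r));
```

A length check such as `isFullTag` before comparing tags turns the silent empty result into an explicit rejection instead of a confusing key mismatch.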
