dnssec-keygen unknown algorithm HMAC-MD5
-
Hi there,
i am trying to setup dynamics dns (rfc2136 with bind) per the manual (https://docs.netgate.com/pfsense/en/latest/book/thirdparty/configure-bind-for-rfc2136.html).
when trying to generate the host key with dnssec-keygen i get an error:
code:dnssec-keygen -K /etc/namedb/keys -a HMAC-MD5 -b 128 -n HOST myhost.dyn.example.com.
error:
dnssec-keygen: fatal: unknown algorithm HMAC-MD5
How do i generate a host key?
Tried different things, al result in the error.
- "-T key " operator
- different bitrates
- different TSIG algorithms (https://linux.die.net/man/8/dnssec-keygen)
dnssec-keygen version: Version: 9.14.9
BIND version: 9.14_4
pfsense version: 2.4.5 -
root@ns3319588:~/test# named -v BIND 9.11.5-P4-5.1+deb10u1-Debian (Extended Support Version) <id:998753c> root@ns3319588:~/test# dnssec-keygen -K . -a HMAC-MD5 -b 128 -n HOST myhost.dyn.example.com. Kmyhost.dyn.example.com.+157+4917 root@ns3319588:~/test# ls -al total 16 drwxr-xr-x 2 root root 4096 May 25 18:04 . drwx------ 7 root root 4096 May 25 18:04 .. -rw------- 1 root root 66 May 25 18:04 Kmyhost.dyn.example.com.+157+49176.key -rw------- 1 root root 165 May 25 18:04 Kmyhost.dyn.example.com.+157+49176.private
You are running bind on pfSense ?
I'm using it on some dedicated server that is also my domain master name server.root@ns3319588:~/test# apt-file search dnssec-keygen bind9-doc: /usr/share/doc/bind9-doc/arm/man.dnssec-keygen.html bind9utils: /usr/sbin/dnssec-keygen bind9utils: /usr/sbin/dnssec-keygen-pkcs11 bind9utils: /usr/share/man/man8/dnssec-keygen.8.gz
root@ns3319588:~/test# apt-file search dnssec-keygen bind9-doc: /usr/share/doc/bind9-doc/arm/man.dnssec-keygen.html bind9utils: /usr/sbin/dnssec-keygen bind9utils: /usr/sbin/dnssec-keygen-pkcs11 bind9utils: /usr/share/man/man8/dnssec-keygen.8.gz
What about installing the native FreeBSD package bind9utils ?
pkg install bind-tools-9.14.12
( current with pfSense 2.4.5 - FreeBSD 11.3 )
-
correct command is
tsig-keygen
:# tsig-keygen -a HMAC-MD5 myhost.dyn.example.com. key "myhost.dyn.example.com." { algorithm hmac-md5; secret "2IGG/tbbiMXUwdoHNUxigQ=="; };
-
@Gertjan said in dnssec-keygen unknown algorithm HMAC-MD5:
You are running bind on pfSense ?
yes
BIND 9.14.12 (Stable Release) <id:f3dc26e>
What about installing the native FreeBSD package bind9utils ?
pkg install bind-tools-9.14.12
( current with pfSense 2.4.5 - FreeBSD 11.3 )
tnx for the suggestion for a other machine with BIND just for this.
@viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:
correct command is
tsig-keygen
:# tsig-keygen -a HMAC-MD5 myhost.dyn.example.com. key "myhost.dyn.example.com." { algorithm hmac-md5; secret "2IGG/tbbiMXUwdoHNUxigQ=="; };
tnx. tsig-keygen works!
// the netgate docs should be updated with this.
-
@rayures said in dnssec-keygen unknown algorithm HMAC-MD5:
// the netgate docs should be updated with this.
The doc is based on the philosophy that pfSense is a firewall router, using RFC 2136 to make it's WAN IP known by using updating a (master) domain name server.
These domain name servers, references by there NS records, normally have very static IP's - not the iones that RFC 2136 imply.
Also, file, web and media servers (services) do not belong on a firewall.True, one can install 'bind' and use it as a local (master ?) name server. But : should it ?
The doc, as stated above, shows the real-live scenario, how RFC 2136 is (more) normally implemented.Btw : the acme package use an API that uses bind's "nsupdate", a somewhat identical remote record updating mechanism.
-
No matter the philosophy de docs are based on, it contains old(?) and inaccurate information. It should be updated.
// i got it al working now via GUI. kinda easy if you now how.
for future reference:
- generate key via pfsense command prompt [diagnostics / command prompt / exceture shell command]
command:
tsig-keygen -a HMAC-SHA512 example.com
output:
key "example.com" { algorithm hmac-sha512; secret "VERYLONGSECRETKEY=="; };
-
paste output in BIND global settings [services - bind dns server - settings - show advanced options - advanced features - global settings]
-
edit your BIND Zone [ services - bind dns server - Zones]
- enable 'update policy': grant example.com self example.com ANY; //beware: this could break ACME updates
- save
- add RFC2136 client [services - dynamic dns - RFC2136 clients]
- enable
- interface: WAN
- Hostname: example.com
- Key name: example.com
- Key Algo: HMAC-SHA512
- key: VERYLONGSECRETKEY==
- Server: 127.0.0.1 //server where BIND is running;
- Use Public IP: enable // if necessary
- Description: what you want
- Save
- Look at the logs [Status - Sytem Logs - System - DNS Resolver]
see something like:
update: info: client @0x802e58e00 192.168.0.2#63676/key example.com: view default: updating zone 'example.com/IN': adding an RR at 'example.com' A 123.123.123.123
celebrate :-)
- for test purposes use DNS lookup [Diagnostics - DNS Lookup]
- hostname: example.com
see resulting IP adress from A record.
//small update because i had issues with ACME updates after this.
generated an extra key for acme updates and added it to BIND global settings (see 2.)
tsig-keygen -a HMAC-SHA512 acme-update
add the keyname and secret to your ACME certificate options under 'method - DNS-NSupdate/RFC2136'
add to BIND zone update-policy:
grant "example.com" selfsub example.com A; grant "acme-update" name _acme-challenge.example.com TXT;
the ddns key can only update the A record, and ACME can only update the TXT record.
- generate key via pfsense command prompt [diagnostics / command prompt / exceture shell command]
-
@rayures said in dnssec-keygen unknown algorithm HMAC-MD5:
tsig-keygen -a HMAC-SHA512 example.com
Which version of pfSense/FreeBSD you have?
tsig-keygen -a HMAC-SHA512 host.example.com
gives me
tsig-keygen: Command not found.
and
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST host.example.com
gives
dnssec-keygen: fatal: unknown algorithm HMAC-SHA512
Am I missing somethning?
-
@lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:
Am I missing somethning?
It was available, tsig-keygen
Not any more in 2.4.5-p1 .... ?I can just subscribe to your @metoo
-
@lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:
tsig-keygen -a HMAC-SHA512 host.example.com
pfSense 2.4.5-p1, bind pkg 9.14_4:
[2.4.5-RELEASE][root@pf245p1.lab.int]/root: tsig-keygen -a HMAC-SHA512 host.example.com key "host.example.com" { algorithm hmac-sha512; secret "7ZhDCogKtFOXdcQeanXCApoKeeqM3Wf7h7oZGTy1Vk+F6ecQjOleMoEE8ikzNdpIAElEbWqnedyuxddmXUxtRw=="; };
-
@viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:
tsig-keygen -a HMAC-SHA512 host.example.com
Interesting :
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: tsig-keygen -a HMAC-SHA512 host.example.com tsig-keygen: Command not found.
I should login as root ?
-
@Gertjan try
/usr/local/sbin/tsig-keygen
-
I already looked over there.
No tsig-keygen
Neither elsewhere.A
grep -R 'tsig-keygen' *
goes 'unknown'.
Is it part of a 'dns-tools' FreeBSD package ?
-
@Gertjan it's part of the pfSense-pkg-bind package
-
Ok, .....
[2.4.5-RELEASE][root@priv.brit-hotel-fumel.net]/root: pkg install pfSense-pkg-bind Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. The following 3 package(s) will be affected (of 0 checked): New packages to be INSTALLED: bind914: 9.14.12 [pfSense] lmdb: 0.9.24_1,1 [pfSense] pfSense-pkg-bind: 9.14_4 [pfSense] Number of packages to be installed: 3 The process will require 17 MiB more space. 3 MiB to be downloaded. Proceed with this action? [y/N]: N
This also installs bind ?
-
@Gertjan Right
-
# pkg info -l bind914 | grep tsig-keygen /usr/local/man/man8/tsig-keygen.8.gz /usr/local/sbin/tsig-keygen
-
Ok, thanks.
As I said at the beginning of this thread : I'm using a remote bind server to do the rfc2136 - so I do have the tools ( dnssec-keygen on the bind server == not pfSense) that does the work for me.
@rayures has a point, that, I can't deny.