dnssec-keygen unknown algorithm HMAC-MD5
-
correct command is
tsig-keygen:# tsig-keygen -a HMAC-MD5 myhost.dyn.example.com. key "myhost.dyn.example.com." { algorithm hmac-md5; secret "2IGG/tbbiMXUwdoHNUxigQ=="; }; -
@Gertjan said in dnssec-keygen unknown algorithm HMAC-MD5:
You are running bind on pfSense ?
yes
BIND 9.14.12 (Stable Release) <id:f3dc26e>What about installing the native FreeBSD package bind9utils ?
pkg install bind-tools-9.14.12( current with pfSense 2.4.5 - FreeBSD 11.3 )
tnx for the suggestion for a other machine with BIND just for this.
@viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:
correct command is
tsig-keygen:# tsig-keygen -a HMAC-MD5 myhost.dyn.example.com. key "myhost.dyn.example.com." { algorithm hmac-md5; secret "2IGG/tbbiMXUwdoHNUxigQ=="; };tnx. tsig-keygen works!
// the netgate docs should be updated with this.
-
@rayures said in dnssec-keygen unknown algorithm HMAC-MD5:
// the netgate docs should be updated with this.
The doc is based on the philosophy that pfSense is a firewall router, using RFC 2136 to make it's WAN IP known by using updating a (master) domain name server.
These domain name servers, references by there NS records, normally have very static IP's - not the iones that RFC 2136 imply.
Also, file, web and media servers (services) do not belong on a firewall.True, one can install 'bind' and use it as a local (master ?) name server. But : should it ?
The doc, as stated above, shows the real-live scenario, how RFC 2136 is (more) normally implemented.Btw : the acme package use an API that uses bind's "nsupdate", a somewhat identical remote record updating mechanism.
-
No matter the philosophy de docs are based on, it contains old(?) and inaccurate information. It should be updated.
// i got it al working now via GUI. kinda easy if you now how.
for future reference:
- generate key via pfsense command prompt [diagnostics / command prompt / exceture shell command]
command:
tsig-keygen -a HMAC-SHA512 example.comoutput:
key "example.com" { algorithm hmac-sha512; secret "VERYLONGSECRETKEY=="; };-
paste output in BIND global settings [services - bind dns server - settings - show advanced options - advanced features - global settings]
-
edit your BIND Zone [ services - bind dns server - Zones]
- enable 'update policy': grant example.com self example.com ANY; //beware: this could break ACME updates
- save
- add RFC2136 client [services - dynamic dns - RFC2136 clients]
- enable
- interface: WAN
- Hostname: example.com
- Key name: example.com
- Key Algo: HMAC-SHA512
- key: VERYLONGSECRETKEY==
- Server: 127.0.0.1 //server where BIND is running;
- Use Public IP: enable // if necessary
- Description: what you want
- Save
- Look at the logs [Status - Sytem Logs - System - DNS Resolver]
see something like:
update: info: client @0x802e58e00 192.168.0.2#63676/key example.com: view default: updating zone 'example.com/IN': adding an RR at 'example.com' A 123.123.123.123celebrate :-)
- for test purposes use DNS lookup [Diagnostics - DNS Lookup]
- hostname: example.com
see resulting IP adress from A record.
//small update because i had issues with ACME updates after this.
generated an extra key for acme updates and added it to BIND global settings (see 2.)
tsig-keygen -a HMAC-SHA512 acme-updateadd the keyname and secret to your ACME certificate options under 'method - DNS-NSupdate/RFC2136'
add to BIND zone update-policy:
grant "example.com" selfsub example.com A; grant "acme-update" name _acme-challenge.example.com TXT;the ddns key can only update the A record, and ACME can only update the TXT record.
- generate key via pfsense command prompt [diagnostics / command prompt / exceture shell command]
-
@rayures said in dnssec-keygen unknown algorithm HMAC-MD5:
tsig-keygen -a HMAC-SHA512 example.com
Which version of pfSense/FreeBSD you have?
tsig-keygen -a HMAC-SHA512 host.example.comgives me
tsig-keygen: Command not found.and
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST host.example.comgives
dnssec-keygen: fatal: unknown algorithm HMAC-SHA512Am I missing somethning?
-
@lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:
Am I missing somethning?
It was available, tsig-keygen
Not any more in 2.4.5-p1 .... ?I can just subscribe to your @metoo
-
@lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:
tsig-keygen -a HMAC-SHA512 host.example.com
pfSense 2.4.5-p1, bind pkg 9.14_4:
[2.4.5-RELEASE][root@pf245p1.lab.int]/root: tsig-keygen -a HMAC-SHA512 host.example.com key "host.example.com" { algorithm hmac-sha512; secret "7ZhDCogKtFOXdcQeanXCApoKeeqM3Wf7h7oZGTy1Vk+F6ecQjOleMoEE8ikzNdpIAElEbWqnedyuxddmXUxtRw=="; }; -
@viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:
tsig-keygen -a HMAC-SHA512 host.example.com
Interesting :
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: tsig-keygen -a HMAC-SHA512 host.example.com tsig-keygen: Command not found.I should login as root ?
-
@Gertjan try
/usr/local/sbin/tsig-keygen -
I already looked over there.
No tsig-keygen
Neither elsewhere.A
grep -R 'tsig-keygen' *goes 'unknown'.
Is it part of a 'dns-tools' FreeBSD package ?
-
@Gertjan it's part of the pfSense-pkg-bind package
-
Ok, .....
[2.4.5-RELEASE][root@priv.brit-hotel-fumel.net]/root: pkg install pfSense-pkg-bind Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. The following 3 package(s) will be affected (of 0 checked): New packages to be INSTALLED: bind914: 9.14.12 [pfSense] lmdb: 0.9.24_1,1 [pfSense] pfSense-pkg-bind: 9.14_4 [pfSense] Number of packages to be installed: 3 The process will require 17 MiB more space. 3 MiB to be downloaded. Proceed with this action? [y/N]: NThis also installs bind ?
-
@Gertjan Right
-
# pkg info -l bind914 | grep tsig-keygen /usr/local/man/man8/tsig-keygen.8.gz /usr/local/sbin/tsig-keygen -
Ok, thanks.
As I said at the beginning of this thread : I'm using a remote bind server to do the rfc2136 - so I do have the tools ( dnssec-keygen on the bind server == not pfSense) that does the work for me.
@rayures has a point, that, I can't deny.
