dnssec-keygen unknown algorithm HMAC-MD5

viktor_g

correct command is tsig-keygen:

# tsig-keygen -a HMAC-MD5 myhost.dyn.example.com.
key "myhost.dyn.example.com." {
	algorithm hmac-md5;
	secret "2IGG/tbbiMXUwdoHNUxigQ==";
};

rayures

@Gertjan said in dnssec-keygen unknown algorithm HMAC-MD5:

You are running bind on pfSense ?

yes

BIND 9.14.12 (Stable Release) <id:f3dc26e>

What about installing the native FreeBSD package bind9utils ?
pkg install bind-tools-9.14.12
( current with pfSense 2.4.5 - FreeBSD 11.3 )

tnx for the suggestion for a other machine with BIND just for this.

@viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:

correct command is tsig-keygen:

# tsig-keygen -a HMAC-MD5 myhost.dyn.example.com.
key "myhost.dyn.example.com." {
	algorithm hmac-md5;
	secret "2IGG/tbbiMXUwdoHNUxigQ==";
};

tnx. tsig-keygen works!

// the netgate docs should be updated with this.

Gertjan

@rayures said in dnssec-keygen unknown algorithm HMAC-MD5:

// the netgate docs should be updated with this.

The doc is based on the philosophy that pfSense is a firewall router, using RFC 2136 to make it's WAN IP known by using updating a (master) domain name server.
These domain name servers, references by there NS records, normally have very static IP's - not the iones that RFC 2136 imply.
Also, file, web and media servers (services) do not belong on a firewall.

True, one can install 'bind' and use it as a local (master ?) name server. But : should it ?
The doc, as stated above, shows the real-live scenario, how RFC 2136 is (more) normally implemented.

Btw : the acme package use an API that uses bind's "nsupdate", a somewhat identical remote record updating mechanism.

rayures

@Gertjan

No matter the philosophy de docs are based on, it contains old(?) and inaccurate information. It should be updated.

// i got it al working now via GUI. kinda easy if you now how.

for future reference:

generate key via pfsense command prompt [diagnostics / command prompt / exceture shell command]
command:

tsig-keygen -a HMAC-SHA512 example.com

output:

key "example.com" {
	algorithm hmac-sha512;
	secret "VERYLONGSECRETKEY==";
};

paste output in BIND global settings [services - bind dns server - settings - show advanced options - advanced features - global settings]
edit your BIND Zone [ services - bind dns server - Zones]

enable 'update policy': grant example.com self example.com ANY; //beware: this could break ACME updates
save

add RFC2136 client [services - dynamic dns - RFC2136 clients]

enable
interface: WAN
Hostname: example.com
Key name: example.com
Key Algo: HMAC-SHA512
key: VERYLONGSECRETKEY==
Server: 127.0.0.1 //server where BIND is running;
Use Public IP: enable // if necessary
Description: what you want
Save

Look at the logs [Status - Sytem Logs - System - DNS Resolver]
see something like:

update: info: client @0x802e58e00 192.168.0.2#63676/key example.com: view default: updating zone 'example.com/IN': adding an RR at 'example.com' A 123.123.123.123

celebrate :-)

for test purposes use DNS lookup [Diagnostics - DNS Lookup]

hostname: example.com
see resulting IP adress from A record.

//small update because i had issues with ACME updates after this.

generated an extra key for acme updates and added it to BIND global settings (see 2.)

tsig-keygen -a HMAC-SHA512 acme-update

add the keyname and secret to your ACME certificate options under 'method - DNS-NSupdate/RFC2136'

add to BIND zone update-policy:

grant "example.com" selfsub example.com A; grant "acme-update" name _acme-challenge.example.com TXT;

the ddns key can only update the A record, and ACME can only update the TXT record.

lelik67

@rayures said in dnssec-keygen unknown algorithm HMAC-MD5:

tsig-keygen -a HMAC-SHA512 example.com

Which version of pfSense/FreeBSD you have?

tsig-keygen -a HMAC-SHA512 host.example.com

gives me

tsig-keygen: Command not found.

and

dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST host.example.com

gives

dnssec-keygen: fatal: unknown algorithm HMAC-SHA512

Am I missing somethning?

Gertjan

@lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:

Am I missing somethning?

It was available, tsig-keygen
Not any more in 2.4.5-p1 .... ?

I can just subscribe to your @metoo

viktor_g

@lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:

tsig-keygen -a HMAC-SHA512 host.example.com

pfSense 2.4.5-p1, bind pkg 9.14_4:

[2.4.5-RELEASE][root@pf245p1.lab.int]/root: tsig-keygen -a HMAC-SHA512 host.example.com
key "host.example.com" {
	algorithm hmac-sha512;
	secret "7ZhDCogKtFOXdcQeanXCApoKeeqM3Wf7h7oZGTy1Vk+F6ecQjOleMoEE8ikzNdpIAElEbWqnedyuxddmXUxtRw==";
};

Gertjan

@viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:

tsig-keygen -a HMAC-SHA512 host.example.com

Interesting :

[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: tsig-keygen -a HMAC-SHA512 host.example.com
tsig-keygen: Command not found.

I should login as root ?

viktor_g

@Gertjan try /usr/local/sbin/tsig-keygen

Gertjan

I already looked over there.
No tsig-keygen
Neither elsewhere.

A

grep -R 'tsig-keygen' *

goes 'unknown'.

Is it part of a 'dns-tools' FreeBSD package ?

viktor_g

@Gertjan it's part of the pfSense-pkg-bind package

Gertjan

Ok, .....

[2.4.5-RELEASE][root@priv.brit-hotel-fumel.net]/root: pkg install pfSense-pkg-bind
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        bind914: 9.14.12 [pfSense]
        lmdb: 0.9.24_1,1 [pfSense]
        pfSense-pkg-bind: 9.14_4 [pfSense]

Number of packages to be installed: 3

The process will require 17 MiB more space.
3 MiB to be downloaded.

Proceed with this action? [y/N]: N

This also installs bind ?

viktor_g

@Gertjan Right

viktor_g

# pkg info -l bind914 | grep tsig-keygen
	/usr/local/man/man8/tsig-keygen.8.gz
	/usr/local/sbin/tsig-keygen

Gertjan

Ok, thanks.

As I said at the beginning of this thread : I'm using a remote bind server to do the rfc2136 - so I do have the tools ( dnssec-keygen on the bind server == not pfSense) that does the work for me.

@rayures has a point, that, I can't deny.