dnssec-keygen unknown algorithm HMAC-MD5

Gertjan

@lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:

Am I missing somethning?

It was available, tsig-keygen
Not any more in 2.4.5-p1 .... ?

I can just subscribe to your @metoo

viktor_g

@lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:

tsig-keygen -a HMAC-SHA512 host.example.com

pfSense 2.4.5-p1, bind pkg 9.14_4:

[2.4.5-RELEASE][root@pf245p1.lab.int]/root: tsig-keygen -a HMAC-SHA512 host.example.com
key "host.example.com" {
	algorithm hmac-sha512;
	secret "7ZhDCogKtFOXdcQeanXCApoKeeqM3Wf7h7oZGTy1Vk+F6ecQjOleMoEE8ikzNdpIAElEbWqnedyuxddmXUxtRw==";
};

Gertjan

@viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:

tsig-keygen -a HMAC-SHA512 host.example.com

Interesting :

[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: tsig-keygen -a HMAC-SHA512 host.example.com
tsig-keygen: Command not found.

I should login as root ?

viktor_g

@Gertjan try /usr/local/sbin/tsig-keygen

Gertjan

I already looked over there.
No tsig-keygen
Neither elsewhere.

A

grep -R 'tsig-keygen' *

goes 'unknown'.

Is it part of a 'dns-tools' FreeBSD package ?

viktor_g

@Gertjan it's part of the pfSense-pkg-bind package

Gertjan

Ok, .....

[2.4.5-RELEASE][root@priv.brit-hotel-fumel.net]/root: pkg install pfSense-pkg-bind
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        bind914: 9.14.12 [pfSense]
        lmdb: 0.9.24_1,1 [pfSense]
        pfSense-pkg-bind: 9.14_4 [pfSense]

Number of packages to be installed: 3

The process will require 17 MiB more space.
3 MiB to be downloaded.

Proceed with this action? [y/N]: N

This also installs bind ?

viktor_g

@Gertjan Right

viktor_g

# pkg info -l bind914 | grep tsig-keygen
	/usr/local/man/man8/tsig-keygen.8.gz
	/usr/local/sbin/tsig-keygen

Gertjan

Ok, thanks.

As I said at the beginning of this thread : I'm using a remote bind server to do the rfc2136 - so I do have the tools ( dnssec-keygen on the bind server == not pfSense) that does the work for me.

@rayures has a point, that, I can't deny.