dnssec-keygen unknown algorithm HMAC-MD5



  • Hi there,

    i am trying to setup dynamics dns (rfc2136 with bind) per the manual (https://docs.netgate.com/pfsense/en/latest/book/thirdparty/configure-bind-for-rfc2136.html).

    when trying to generate the host key with dnssec-keygen i get an error:
    code:

    dnssec-keygen -K /etc/namedb/keys -a HMAC-MD5 -b 128 -n HOST myhost.dyn.example.com.
    

    error:

    dnssec-keygen: fatal: unknown algorithm HMAC-MD5
    

    How do i generate a host key?

    Tried different things, al result in the error.

    dnssec-keygen version: Version: 9.14.9
    BIND version: 9.14_4
    pfsense version: 2.4.5



  • root@ns3319588:~/test# named -v
    BIND 9.11.5-P4-5.1+deb10u1-Debian (Extended Support Version) <id:998753c>
    root@ns3319588:~/test# dnssec-keygen -K . -a HMAC-MD5 -b 128 -n HOST myhost.dyn.example.com.
    Kmyhost.dyn.example.com.+157+4917
    root@ns3319588:~/test# ls -al
    total 16
    drwxr-xr-x 2 root root 4096 May 25 18:04 .
    drwx------ 7 root root 4096 May 25 18:04 ..
    -rw------- 1 root root   66 May 25 18:04 Kmyhost.dyn.example.com.+157+49176.key
    -rw------- 1 root root  165 May 25 18:04 Kmyhost.dyn.example.com.+157+49176.private
    

    You are running bind on pfSense ?
    I'm using it on some dedicated server that is also my domain master name server.

    root@ns3319588:~/test# apt-file search dnssec-keygen
    bind9-doc: /usr/share/doc/bind9-doc/arm/man.dnssec-keygen.html
    bind9utils: /usr/sbin/dnssec-keygen
    bind9utils: /usr/sbin/dnssec-keygen-pkcs11
    bind9utils: /usr/share/man/man8/dnssec-keygen.8.gz
    
    root@ns3319588:~/test# apt-file search dnssec-keygen
    bind9-doc: /usr/share/doc/bind9-doc/arm/man.dnssec-keygen.html
    bind9utils: /usr/sbin/dnssec-keygen
    bind9utils: /usr/sbin/dnssec-keygen-pkcs11
    bind9utils: /usr/share/man/man8/dnssec-keygen.8.gz
    

    What about installing the native FreeBSD package bind9utils ?

    pkg install bind-tools-9.14.12
    

    ( current with pfSense 2.4.5 - FreeBSD 11.3 )


  • Global Moderator

    correct command is tsig-keygen:

    # tsig-keygen -a HMAC-MD5 myhost.dyn.example.com.
    key "myhost.dyn.example.com." {
    	algorithm hmac-md5;
    	secret "2IGG/tbbiMXUwdoHNUxigQ==";
    };
    


  • @Gertjan said in dnssec-keygen unknown algorithm HMAC-MD5:

    You are running bind on pfSense ?

    yes

    BIND 9.14.12 (Stable Release) <id:f3dc26e>
    

    What about installing the native FreeBSD package bind9utils ?

    pkg install bind-tools-9.14.12
    

    ( current with pfSense 2.4.5 - FreeBSD 11.3 )

    tnx for the suggestion for a other machine with BIND just for this.

    @viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:

    correct command is tsig-keygen:

    # tsig-keygen -a HMAC-MD5 myhost.dyn.example.com.
    key "myhost.dyn.example.com." {
    	algorithm hmac-md5;
    	secret "2IGG/tbbiMXUwdoHNUxigQ==";
    };
    

    tnx. tsig-keygen works!

    // the netgate docs should be updated with this.



  • @rayures said in dnssec-keygen unknown algorithm HMAC-MD5:

    // the netgate docs should be updated with this.

    The doc is based on the philosophy that pfSense is a firewall router, using RFC 2136 to make it's WAN IP known by using updating a (master) domain name server.
    These domain name servers, references by there NS records, normally have very static IP's - not the iones that RFC 2136 imply.
    Also, file, web and media servers (services) do not belong on a firewall.

    True, one can install 'bind' and use it as a local (master ?) name server. But : should it ?
    The doc, as stated above, shows the real-live scenario, how RFC 2136 is (more) normally implemented.

    Btw : the acme package use an API that uses bind's "nsupdate", a somewhat identical remote record updating mechanism.



  • @Gertjan

    No matter the philosophy de docs are based on, it contains old(?) and inaccurate information. It should be updated.

    // i got it al working now via GUI. kinda easy if you now how.

    for future reference:

    1. generate key via pfsense command prompt [diagnostics / command prompt / exceture shell command]
      command:
    tsig-keygen -a HMAC-SHA512 example.com
    

    output:

    key "example.com" {
    	algorithm hmac-sha512;
    	secret "VERYLONGSECRETKEY==";
    };
    
    1. paste output in BIND global settings [services - bind dns server - settings - show advanced options - advanced features - global settings]

    2. edit your BIND Zone [ services - bind dns server - Zones]

    • enable 'update policy': grant example.com self example.com ANY; //beware: this could break ACME updates
    • save
    1. add RFC2136 client [services - dynamic dns - RFC2136 clients]
    • enable
    • interface: WAN
    • Hostname: example.com
    • Key name: example.com
    • Key Algo: HMAC-SHA512
    • key: VERYLONGSECRETKEY==
    • Server: 127.0.0.1 //server where BIND is running;
    • Use Public IP: enable // if necessary
    • Description: what you want
    • Save
    1. Look at the logs [Status - Sytem Logs - System - DNS Resolver]
      see something like:
    update: info: client @0x802e58e00 192.168.0.2#63676/key example.com: view default: updating zone 'example.com/IN': adding an RR at 'example.com' A 123.123.123.123
    

    celebrate :-)

    1. for test purposes use DNS lookup [Diagnostics - DNS Lookup]
    • hostname: example.com
      see resulting IP adress from A record.

    //small update because i had issues with ACME updates after this.

    generated an extra key for acme updates and added it to BIND global settings (see 2.)

    tsig-keygen -a HMAC-SHA512 acme-update
    

    add the keyname and secret to your ACME certificate options under 'method - DNS-NSupdate/RFC2136'

    add to BIND zone update-policy:

    grant "example.com" selfsub example.com A; grant "acme-update" name _acme-challenge.example.com TXT;
    

    the ddns key can only update the A record, and ACME can only update the TXT record.



  • @rayures said in dnssec-keygen unknown algorithm HMAC-MD5:

    tsig-keygen -a HMAC-SHA512 example.com

    Which version of pfSense/FreeBSD you have?

    tsig-keygen -a HMAC-SHA512 host.example.com
    

    gives me

    tsig-keygen: Command not found.
    

    and

    dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST host.example.com
    

    gives

    dnssec-keygen: fatal: unknown algorithm HMAC-SHA512
    

    Am I missing somethning?



  • @lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:

    Am I missing somethning?

    It was available, tsig-keygen
    Not any more in 2.4.5-p1 .... ?

    I can just subscribe to your @metoo


  • Global Moderator

    @lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:

    tsig-keygen -a HMAC-SHA512 host.example.com

    pfSense 2.4.5-p1, bind pkg 9.14_4:

    [2.4.5-RELEASE][root@pf245p1.lab.int]/root: tsig-keygen -a HMAC-SHA512 host.example.com
    key "host.example.com" {
    	algorithm hmac-sha512;
    	secret "7ZhDCogKtFOXdcQeanXCApoKeeqM3Wf7h7oZGTy1Vk+F6ecQjOleMoEE8ikzNdpIAElEbWqnedyuxddmXUxtRw==";
    };
    


  • @viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:

    tsig-keygen -a HMAC-SHA512 host.example.com

    Interesting :

    [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: tsig-keygen -a HMAC-SHA512 host.example.com
    tsig-keygen: Command not found.
    

    I should login as root ?


  • Global Moderator

    @Gertjan try /usr/local/sbin/tsig-keygen



  • I already looked over there.
    No tsig-keygen
    Neither elsewhere.

    A

    grep -R 'tsig-keygen' *
    

    goes 'unknown'.

    Is it part of a 'dns-tools' FreeBSD package ?


  • Global Moderator

    @Gertjan it's part of the pfSense-pkg-bind package



  • Ok, .....

    [2.4.5-RELEASE][root@priv.brit-hotel-fumel.net]/root: pkg install pfSense-pkg-bind
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    The following 3 package(s) will be affected (of 0 checked):
    
    New packages to be INSTALLED:
            bind914: 9.14.12 [pfSense]
            lmdb: 0.9.24_1,1 [pfSense]
            pfSense-pkg-bind: 9.14_4 [pfSense]
    
    Number of packages to be installed: 3
    
    The process will require 17 MiB more space.
    3 MiB to be downloaded.
    
    Proceed with this action? [y/N]: N
    

    This also installs bind ?


  • Global Moderator

    @Gertjan Right


  • Global Moderator

    # pkg info -l bind914 | grep tsig-keygen
    	/usr/local/man/man8/tsig-keygen.8.gz
    	/usr/local/sbin/tsig-keygen
    


  • Ok, thanks.

    As I said at the beginning of this thread : I'm using a remote bind server to do the rfc2136 - so I do have the tools ( dnssec-keygen on the bind server == not pfSense) that does the work for me.

    @rayures has a point, that, I can't deny.


Log in to reply