Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    dnssec-keygen unknown algorithm HMAC-MD5

    Scheduled Pinned Locked Moved DHCP and DNS
    17 Posts 4 Posters 14.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rayures @Gertjan
      last edited by rayures

      @Gertjan

      No matter the philosophy de docs are based on, it contains old(?) and inaccurate information. It should be updated.

      // i got it al working now via GUI. kinda easy if you now how.

      for future reference:

      1. generate key via pfsense command prompt [diagnostics / command prompt / exceture shell command]
        command:
      tsig-keygen -a HMAC-SHA512 example.com
      

      output:

      key "example.com" {
      	algorithm hmac-sha512;
      	secret "VERYLONGSECRETKEY==";
      };
      
      1. paste output in BIND global settings [services - bind dns server - settings - show advanced options - advanced features - global settings]

      2. edit your BIND Zone [ services - bind dns server - Zones]

      • enable 'update policy': grant example.com self example.com ANY; //beware: this could break ACME updates
      • save
      1. add RFC2136 client [services - dynamic dns - RFC2136 clients]
      • enable
      • interface: WAN
      • Hostname: example.com
      • Key name: example.com
      • Key Algo: HMAC-SHA512
      • key: VERYLONGSECRETKEY==
      • Server: 127.0.0.1 //server where BIND is running;
      • Use Public IP: enable // if necessary
      • Description: what you want
      • Save
      1. Look at the logs [Status - Sytem Logs - System - DNS Resolver]
        see something like:
      update: info: client @0x802e58e00 192.168.0.2#63676/key example.com: view default: updating zone 'example.com/IN': adding an RR at 'example.com' A 123.123.123.123
      

      celebrate :-)

      1. for test purposes use DNS lookup [Diagnostics - DNS Lookup]
      • hostname: example.com
        see resulting IP adress from A record.

      //small update because i had issues with ACME updates after this.

      generated an extra key for acme updates and added it to BIND global settings (see 2.)

      tsig-keygen -a HMAC-SHA512 acme-update
      

      add the keyname and secret to your ACME certificate options under 'method - DNS-NSupdate/RFC2136'

      add to BIND zone update-policy:

      grant "example.com" selfsub example.com A; grant "acme-update" name _acme-challenge.example.com TXT;
      

      the ddns key can only update the A record, and ACME can only update the TXT record.

      1 Reply Last reply Reply Quote 0
      • L
        lelik67
        last edited by

        @rayures said in dnssec-keygen unknown algorithm HMAC-MD5:

        tsig-keygen -a HMAC-SHA512 example.com

        Which version of pfSense/FreeBSD you have?

        tsig-keygen -a HMAC-SHA512 host.example.com
        

        gives me

        tsig-keygen: Command not found.
        

        and

        dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST host.example.com
        

        gives

        dnssec-keygen: fatal: unknown algorithm HMAC-SHA512
        

        Am I missing somethning?

        GertjanG viktor_gV 2 Replies Last reply Reply Quote 0
        • GertjanG
          Gertjan @lelik67
          last edited by

          @lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:

          Am I missing somethning?

          It was available, tsig-keygen
          Not any more in 2.4.5-p1 .... ?

          I can just subscribe to your @metoo

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • viktor_gV
            viktor_g Netgate @lelik67
            last edited by

            @lelik67 said in dnssec-keygen unknown algorithm HMAC-MD5:

            tsig-keygen -a HMAC-SHA512 host.example.com

            pfSense 2.4.5-p1, bind pkg 9.14_4:

            [2.4.5-RELEASE][root@pf245p1.lab.int]/root: tsig-keygen -a HMAC-SHA512 host.example.com
            key "host.example.com" {
            	algorithm hmac-sha512;
            	secret "7ZhDCogKtFOXdcQeanXCApoKeeqM3Wf7h7oZGTy1Vk+F6ecQjOleMoEE8ikzNdpIAElEbWqnedyuxddmXUxtRw==";
            };
            
            1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan
              last edited by

              @viktor_g said in dnssec-keygen unknown algorithm HMAC-MD5:

              tsig-keygen -a HMAC-SHA512 host.example.com

              Interesting :

              [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: tsig-keygen -a HMAC-SHA512 host.example.com
              tsig-keygen: Command not found.
              

              I should login as root ?

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              viktor_gV 1 Reply Last reply Reply Quote 0
              • viktor_gV
                viktor_g Netgate @Gertjan
                last edited by

                @Gertjan try /usr/local/sbin/tsig-keygen

                1 Reply Last reply Reply Quote 0
                • GertjanG
                  Gertjan
                  last edited by

                  I already looked over there.
                  No tsig-keygen
                  Neither elsewhere.

                  A

                  grep -R 'tsig-keygen' *
                  

                  goes 'unknown'.

                  Is it part of a 'dns-tools' FreeBSD package ?

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  viktor_gV 1 Reply Last reply Reply Quote 0
                  • viktor_gV
                    viktor_g Netgate @Gertjan
                    last edited by

                    @Gertjan it's part of the pfSense-pkg-bind package

                    1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan
                      last edited by

                      Ok, .....

                      [2.4.5-RELEASE][root@priv.brit-hotel-fumel.net]/root: pkg install pfSense-pkg-bind
                      Updating pfSense-core repository catalogue...
                      pfSense-core repository is up to date.
                      Updating pfSense repository catalogue...
                      pfSense repository is up to date.
                      All repositories are up to date.
                      The following 3 package(s) will be affected (of 0 checked):
                      
                      New packages to be INSTALLED:
                              bind914: 9.14.12 [pfSense]
                              lmdb: 0.9.24_1,1 [pfSense]
                              pfSense-pkg-bind: 9.14_4 [pfSense]
                      
                      Number of packages to be installed: 3
                      
                      The process will require 17 MiB more space.
                      3 MiB to be downloaded.
                      
                      Proceed with this action? [y/N]: N
                      

                      This also installs bind ?

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      viktor_gV 1 Reply Last reply Reply Quote 0
                      • viktor_gV
                        viktor_g Netgate @Gertjan
                        last edited by

                        @Gertjan Right

                        1 Reply Last reply Reply Quote 0
                        • viktor_gV
                          viktor_g Netgate
                          last edited by viktor_g

                          # pkg info -l bind914 | grep tsig-keygen
                          	/usr/local/man/man8/tsig-keygen.8.gz
                          	/usr/local/sbin/tsig-keygen
                          
                          1 Reply Last reply Reply Quote 0
                          • GertjanG
                            Gertjan
                            last edited by

                            Ok, thanks.

                            As I said at the beginning of this thread : I'm using a remote bind server to do the rfc2136 - so I do have the tools ( dnssec-keygen on the bind server == not pfSense) that does the work for me.

                            @rayures has a point, that, I can't deny.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.