Correction #10593

Feedback on Third Party Software and pfSense — Configure BIND as an RFC 2136 Dynamic DNS Server

Added by Viktor Gurov about 1 month ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee:
Category: DNS
Target version: -
Start date: 05/25/2020
Due date:
% Done: 0%
Estimated time:
Affected Documentation: The pfSense Book

Description

Page: https://docs.netgate.com/pfsense/en/latest/book/thirdparty/configure-bind-for-rfc2136.html

Feedback:

Using dnssec-keygen to generate HMAC keys is not possible in the current pfSense BIND version:

dnssec-keygen -K /etc/namedb/keys -a HMAC-MD5 -b 128 -n HOST myhost.dyn.example.com.
dnssec-keygen: fatal: unknown algorithm HMAC-MD5

Correct command:

tsig-keygen -a hmac-sha512 myhost.dyn.example.com

See https://gitlab.isc.org/isc-projects/bind9/commit/21761bfe799c8f298e3ce26285426b9a30473e6d?view=parallel:
The use of dnssec-keygen to generate HMAC keys is
deprecated in favor of tsig-keygen. dnssec-keygen
will print a warning when used for this purpose.
All HMAC algorithms will be removed from
dnssec-keygen in a future release. [RT #42272]

History

#1 Updated by Viktor Gurov about 1 month ago

https://ftp.isc.org/isc/bind9/cur/9.16/CHANGES:

4868.    [func]        dnssec-keygen can no longer generate HMAC keys.
            Use tsig-keygen instead. [RT #46404]

https://gitlab.netgate.com/docs/pfSense-book/-/merge_requests/4

#2 Updated by Jared Dillard about 1 month ago

  • Status changed from New to Closed

Thanks! This has been merged.
