Feature #6621
closedPermit DHCP Server Dynamic DNS server key algorithm type selection and use
100%
Description
Under the DHCP Server page, you are able to do advanced configuration of Dynamic DNS with an internal nameserver (not on pfSense). This is very good to have if you need to have hostnames that work for every internal dynamic IP assignment.
That said, there is a limitation on the secret key algorithm, of HMAC-MD5
. There is no support for the other algorithms.
From the man pages of dnssec-keygen
, which generates these keys, is the following list of algorithms on Ubuntu 14.04:
-a <algorithm>: RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1 | NSEC3DSA | RSASHA256 | RSASHA512 | ECCGOST | ECDSAP256SHA256 | ECDSAP384SHA384 | DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | HMAC-SHA384 | HMAC-SHA512 (default: RSASHA1, or NSEC3RSASHA1 if using -3)
I'd like to, at least, see the HMAC-* algorithms selectable and usable. Most BIND named instances will support all the algorithms.
Testing from a pfSense on 2.3.1-p5, it only uses HMAC-MD5
keys; for security-centric crazies like myself, it would be better to be able to permit any HMAC
algorithm to be selected at configuration time in the web panel, so you can use stronger more secure keys.
Files
Updated by Thomas Ward over 8 years ago
Related bug report on the ambiguity of the algorithm currently needed for the DNS secret key: #6622 (https://redmine.pfsense.org/issues/6621)
Updated by Joeri Capens about 7 years ago
I also ran into this problem after following some bind9 guides which use the newer ddns-confgen command. This tool uses the HMAC-SHA256 algorithm by default.
To allow the use of the more secure SHA algorithms in pfSense you can use the attached patch which can be applied to pfSense 2.4.x
Since it adds a new "ddnsdomainkeyalgorithm" variable to the config file I'm not entirely sure if some code would need to be added to handle a pfSense version upgrade. I hope an experienced pfSense developer can review the patch?
Updated by Jim Pingle about 7 years ago
Updated by Joeri Capens almost 7 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 534d7d6996854ed5f2521e7a796fb79aaacd176c.
Updated by Jim Pingle almost 7 years ago
- Category set to DHCP (IPv4)
- Target version set to 2.4.3
Updated by Jim Pingle almost 7 years ago
- Status changed from Feedback to Resolved