Permit DHCP Server Dynamic DNS server key algorithm type selection and use
Under the DHCP Server page, you are able to do advanced configuration of Dynamic DNS with an internal nameserver (not on pfSense). This is very good to have if you need to have hostnames that work for every internal dynamic IP assignment.
That said, the secret key algorithm is limited to HMAC-MD5. There is no support for the other algorithms.
From the man pages of dnssec-keygen, which generates these keys, is the following list of algorithms on Ubuntu 14.04:
-a <algorithm>: RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1 | NSEC3DSA | RSASHA256 | RSASHA512 | ECCGOST | ECDSAP256SHA256 | ECDSAP384SHA384 | DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | HMAC-SHA384 | HMAC-SHA512 (default: RSASHA1, or NSEC3RSASHA1 if using -3)
I'd like to, at least, see the HMAC-* algorithms selectable and usable. Most BIND named instances will support all the algorithms.
Testing from a pfSense on 2.3.1-p5, it only uses HMAC-MD5 keys; for security-centric crazies like myself, it would be better to be able to permit any HMAC algorithm to be selected at configuration time in the web panel, so you can use stronger, more secure keys.
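An added example, not part of the original request and not pfSense code: a small audit that reads key clauses in named.conf or dhcpd.conf style, reports which HMAC algorithm each one uses, and renders a replacement clause for a stronger algorithm. The key names, the sample configuration and the finding labels are assumptions made up for illustration.

```python
import base64
import re
import secrets

# Digest sizes in bytes for the HMAC-* algorithms in the dnssec-keygen list.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}

# Matches key clauses in named.conf / dhcpd.conf style, quoted or unquoted.
KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+"?([\w.-]+)"?\s*;'
    r'\s*secret\s+"?([A-Za-z0-9+/=]+)"?\s*;\s*\}', re.IGNORECASE)

def make_key_clause(name, algorithm="hmac-sha256"):
    """Render a key clause with a random secret as long as the digest."""
    algorithm = algorithm.lower()
    secret = base64.b64encode(secrets.token_bytes(DIGEST_BYTES[algorithm]))
    return (f'key "{name}" {{\n    algorithm {algorithm};\n'
            f'    secret "{secret.decode()}";\n}};\n')

def audit_keys(config_text):
    """Return (name, algorithm, finding) for every key clause found."""
    results = []
    for name, algo, secret in KEY_RE.findall(config_text):
        algo = algo.lower().split(".")[0]  # hmac-md5.sig-alg.reg.int -> hmac-md5
        if algo not in DIGEST_BYTES:
            finding = "unknown algorithm"
        elif algo == "hmac-md5":
            finding = "legacy hmac-md5"
        elif len(base64.b64decode(secret)) < DIGEST_BYTES[algo]:
            finding = "secret shorter than digest"
        else:
            finding = "ok"
        results.append((name, algo, finding))
    return results

# Constructed sample configuration; names and secrets are made up.
SAMPLE = (
    'key "dhcp-ddns" { algorithm hmac-md5.sig-alg.reg.int; secret "%s"; };\n'
    'key short-key { algorithm hmac-sha512; secret %s; };\n'
    % (base64.b64encode(b"constructed-md5!").decode(),
       base64.b64encode(b"only-16-bytes!!!").decode())
) + make_key_clause("ddns-sha256")

if __name__ == "__main__":
    for row in audit_keys(SAMPLE):
        print(*row, sep="\t")
```

The same key clause has to be present on the nameserver that accepts the updates, so both ends must agree on the algorithm name and secret.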