dnssec-keygen doesn't support HMAC-SHA256

D

darkemon

Hello!
I use:
isc-dhcp44-server-4.4.1_4
bind911-9.11.11
bind-tools-9.14.6

At the moment I can't configure auto updating of zones from dhcpd because I can't generate secret key with appropriate algorithm via dnssec-keygen.
The DHCP server currently supports the following algorithms:
HMAC-MD5
HMAC-SHA1
HMAC-SHA224
HMAC-SHA256
HMAC-SHA384
HMAC-SHA512

But dnssec-keygen doesn't support them.
What can I do to solve this problem?
 
Use rndc-confgen(8) to generate the RNDC key. Write it to a file and you can include it in named.conf and dhcpd.conf (assuming they both run on the same machine).

Code: 
dice@maelcum:~ % cat /usr/local/etc/namedb/ddns-key
key "ddns-key" {
        algorithm hmac-sha256;
        secret "<mysupersecretkey>";
};
In named.conf:
Code: 
include "/usr/local/etc/namedb/ddns-key";
...
        zone "example.com" {
                type master;
                notify no;
                check-names ignore;
                file "/usr/local/etc/namedb/dynamic/example.com";
                allow-update { ::1; 127.0.0.1; key ddns-key; };
        };
And dhcpd.conf:
Code: 
include "/usr/local/etc/namedb/ddns-key";
...
zone example.com. {
        primary 127.0.0.1;
        key ddns-key;
}
 
SirDice said:
Use rndc-confgen(8) to generate the RNDC key. Write it to a file and you can include it in named.conf and dhcpd.conf (assuming they both run on the same machine).

Code: 
dice@maelcum:~ % cat /usr/local/etc/namedb/ddns-key
key "ddns-key" {
        algorithm hmac-sha256;
        secret "<mysupersecretkey>";
};
In named.conf:
Code: 
include "/usr/local/etc/namedb/ddns-key";
...
        zone "example.com" {
                type master;
                notify no;
                check-names ignore;
                file "/usr/local/etc/namedb/dynamic/example.com";
                allow-update { ::1; 127.0.0.1; key ddns-key; };
        };
And dhcpd.conf:
Code: 
include "/usr/local/etc/namedb/ddns-key";
...
zone example.com. {
        primary 127.0.0.1;
        key ddns-key;
}
Click to expand...
It helped, thank you!
 
You must log in or register to reply here.
Back
Top