[arch-general] dhcpd fails to start when using TSIG key created with hmac-sha256 encryption
Guys,

I have run into a problem with the dhcpd daemon refusing to start when using the default hmac-sha256 algorithm for key encryption. A good description of the problem is here:

http://www.pubbs.net/201009/dhcp/8256-cant-start-isc-dhcpd-420.html

The bind documentation shows host key creation using:

    dnssec-keygen -a hmac-sha256 -b 128 -n HOST yoursite.com

This results in the following host key:

    Kyoursite.com.+163+02215.key

It contains:

    yoursite. IN KEY 512 3 163 BV_the_key________DG/g==

from which you create the key for use with bind and dhcp in the form:

    key yoursite.com {
        algorithm hmac-sha256;
        secret "BV_the_key________DG/g==";
    };

bind will start and run using the key, but dhcpd fails to start giving the following error:

    [15:54 phoenix:/etc] # dhcpd -f
    Internet Systems Consortium DHCP Server 4.2.0-P1
    Copyright 2004-2010 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    ../../../lib/dns/dst_api.c:1023: REQUIRE(keyp != ((void *)0) && (((*keyp) != ((void *)0)) && (((const isc__magic_t *)(*keyp))->magic == ((('D') << 24 | ('S') << 16 | ('T') << 8 | ('K')))))) failed, back trace
    #0 0x81756de in ??
    #1 0x8175837 in ??
    #2 0x8151058 in ??
    #3 0x80c331a in ??
    #4 0x80a7150 in ??
    #5 0x80aa6cf in ??
    #6 0x805c59c in ??
    #7 0x8061bda in ??
    #8 0x8061e6b in ??
    #9 0x80620fc in ??
    #10 0x804beab in ??
    #11 0xb75fbc76 in ??
    #12 0x804a0d1 in ??
    Aborted

Simply regenerating the key with hmac-md5 to create a ..+157..key works (dnssec complains about hmac-md5 now for some reason):

    dnssec-keygen -a hmac-md5 -b 128 -n HOST yoursite.com

and then using that key in dhcpd.conf works fine.

Does anybody have any additional background on this problem? I'm always hesitant to use an older key version when apparently ISC want you to use sha256. But obviously I need to get dhcpd going and providing updates to bind. Are there better alternatives to hmac-md5?

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
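As an added illustration of the key-handling step in the post above (this is not code from the thread, from ISC, or from the Arch package), the script below turns the KEY record that dnssec-keygen writes into the "key { ... }" stanza that named.conf and dhcpd.conf both consume, and checks the secret before either daemon sees it: it maps the algorithm number (157 = hmac-md5, 163 = hmac-sha256, and the other HMAC numbers) to the name the configs expect, rejects non-HMAC algorithms, and verifies that the secret is valid base64 of the requested length. The sample record is constructed: the owner name is the thread's placeholder and the secret is base64 of the bytes 0x00..0x0f, not a real key.

```python
"""Convert a dnssec-keygen HOST KEY record into a TSIG key {} stanza for
named.conf / dhcpd.conf and sanity-check the secret.

Added example, not from the mailing-list thread or from ISC.  SAMPLE_RECORD
is constructed: placeholder owner name, secret = base64 of bytes 0x00..0x0f.
"""
import base64
import binascii
import re

# DNS KEY algorithm numbers that dnssec-keygen assigns to HMAC (TSIG) keys,
# mapped to the algorithm names named.conf and dhcpd.conf expect.
HMAC_ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}

# Constructed sample with the shape of the line in Kyoursite.com.+163+NNNNN.key
SAMPLE_RECORD = "yoursite.com. IN KEY 512 3 163 AAECAwQFBgcICQoLDA0ODw=="

_RECORD_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+IN\s+KEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<secret>.+?)\s*$"
)


def parse_key_record(line: str) -> dict:
    """Parse one 'NAME IN KEY FLAGS PROTO ALG SECRET' line.

    Returns the key name (trailing dot stripped), the algorithm name, the
    base64 secret (internal whitespace removed, since long secrets may be
    wrapped) and the secret length in bits.  Raises ValueError on malformed
    input, an algorithm number that is not an HMAC/TSIG algorithm, or a
    secret that is not valid base64.
    """
    m = _RECORD_RE.match(line)
    if not m:
        raise ValueError("not a KEY record: %r" % line)
    alg_num = int(m.group("alg"))
    if alg_num not in HMAC_ALGORITHMS:
        raise ValueError("algorithm %d is not an HMAC (TSIG) algorithm" % alg_num)
    secret = "".join(m.group("secret").split())
    try:
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is not valid base64: %s" % exc)
    return {
        "name": m.group("name").rstrip("."),
        "algorithm": HMAC_ALGORITHMS[alg_num],
        "secret": secret,
        "bits": len(raw) * 8,
    }


def render_key_stanza(key: dict) -> str:
    """Emit the key {} block; the same text goes into named.conf and dhcpd.conf."""
    return (
        "key %s {\n"
        "    algorithm %s;\n"
        "    secret \"%s\";\n"
        "};\n" % (key["name"], key["algorithm"], key["secret"])
    )


def check_key(key: dict, min_bits: int = 128) -> list:
    """Return human-readable findings about the key (empty list = nothing to flag)."""
    findings = []
    if key["algorithm"] == "hmac-md5":
        findings.append("hmac-md5 is deprecated; prefer an hmac-sha* algorithm "
                        "once both daemons accept it")
    if key["bits"] < min_bits:
        findings.append("secret is only %d bits; generate with -b %d or more"
                        % (key["bits"], min_bits))
    return findings


if __name__ == "__main__":
    key = parse_key_record(SAMPLE_RECORD)
    print(render_key_stanza(key), end="")
    for finding in check_key(key):
        print("warning:", finding)
```

Run it on the contents of the .key file (one record per line) and paste the printed stanza into both configs; a ValueError means the record or secret is not something the daemons will parse, and a warning from check_key flags the hmac-md5 fallback described above so it is not forgotten once the dhcpd side accepts sha256.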
On 12/18/2010 04:44 PM, David C. Rankin wrote:
> Guys,
> I have run into a problem with the dhcpd daemon refusing to start when using the default hmac-sha256 algorithm for key encryption. A good description of the problem is here:
> http://www.pubbs.net/201009/dhcp/8256-cant-start-isc-dhcpd-420.html
Also, for some strange reason, I have had to remove DHCP_ARGS from /etc/conf.d/dhcp to get dhcp to start:

    # DHCP_ARGS="-q"
    DHCP_ARGS=

After removing "-q", dhcpd starts fine. Anybody else see this behavior? This is on a brand new install. I have another server running dhcpd and "-q" causes no problems there. Any ideas on what could make the difference?

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com