[arch-general] dhcpd fails to start when using TSIG key created with hmac-sha256 encryption

David C. Rankin drankinatty at suddenlinkmail.com
Sat Dec 18 17:44:33 EST 2010


Guys,

	I have run into a problem with the dhcpd daemon refusing to start when using
the default hmac-sha256 algorithm for key encryption. A good description of the
problem is here:

http://www.pubbs.net/201009/dhcp/8256-cant-start-isc-dhcpd-420.html

	The bind documentation shows host key creation using:

dnssec-keygen -a hmac-sha256 -b 128 -n HOST yoursite.com

	This results in the following host key:

Kyoursite.com.+163+02215.key

	It contains

yoursite. IN KEY 512 3 163 BV_the_key________DG/g==

	from which you create the key for use with bind and dhcp in the form

key yoursite.com {
    algorithm hmac-sha256;
    secret "BV_the_key________DG/g==";
};

	bind will start and run using the key, but dhcpd fails to start giving the
following error:

[15:54 phoenix:/etc] # dhcpd -f
Internet Systems Consortium DHCP Server 4.2.0-P1
Copyright 2004-2010 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
../../../lib/dns/dst_api.c:1023: REQUIRE(keyp != ((void *)0) && (((*keyp) !=
((void *)0)) && (((const isc__magic_t *)(*keyp))->magic == ((('D') << 24 | ('S')
<< 16 | ('T') << 8 | ('K')))))) failed, back trace
#0 0x81756de in ??
#1 0x8175837 in ??
#2 0x8151058 in ??
#3 0x80c331a in ??
#4 0x80a7150 in ??
#5 0x80aa6cf in ??
#6 0x805c59c in ??
#7 0x8061bda in ??
#8 0x8061e6b in ??
#9 0x80620fc in ??
#10 0x804beab in ??
#11 0xb75fbc76 in ??
#12 0x804a0d1 in ??
Aborted

	Simply regenerating the key with hmac-md5 to create a ..+157..key works (dnssec
complains about hmac-md5 now for some reason):

dnssec-keygen -a hmac-md5 -b 128 -n HOST yoursite.com

and then using that key in dhcpd.conf works fine.

	Does anybody have any additional background on this problem? I'm always
hesitant to use an older key version when apparently ISC want you to use sha256.
But obviously I need to get dhcpd going and providing updates to bind. Are there
better alternatives to hmac-md5?

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
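Added example, not part of David's post: a small Python script that reads the single KEY record from a dnssec-keygen `K<name>.+<alg>+<id>.key` file, maps the numeric algorithm to the name used in the `key { }` stanza, checks that the secret really is the requested 128 bits, renders the stanza shared by named.conf and dhcpd.conf, and computes/verifies the HMAC both daemons would compute over a signed update. The algorithm numbers 157 (hmac-md5) and 163 (hmac-sha256) come from the file names in the post; the other numbers in the table are BIND's dnssec-keygen HMAC ids and are assumed here. The key line and secret are constructed sample data, not a real key.

```python
import base64
import hashlib
import hmac
import secrets

# BIND's dnssec-keygen algorithm numbers for TSIG (HMAC) keys. 157 and 163 are
# the numbers seen in the post's K*.key file names; the rest are assumed from
# BIND's numbering and are listed so the parser rejects non-HMAC key files.
TSIG_ALGORITHMS = {
    157: ("hmac-md5", hashlib.md5),
    161: ("hmac-sha1", hashlib.sha1),
    162: ("hmac-sha224", hashlib.sha224),
    163: ("hmac-sha256", hashlib.sha256),
    164: ("hmac-sha384", hashlib.sha384),
    165: ("hmac-sha512", hashlib.sha512),
}

# Constructed sample record in the shape of the post's "yoursite. IN KEY 512 3 163 ..."
# line; the secret is 16 known bytes (0x00..0x0f), i.e. a 128-bit key.
SAMPLE_KEY_LINE = "yoursite. IN KEY 512 3 163 AAECAwQFBgcICQoLDA0ODw=="


def parse_key_record(line):
    """Parse one 'name IN KEY flags proto alg base64' record.

    Returns (owner name, algorithm name, raw secret bytes)."""
    fields = line.split()
    if len(fields) != 7 or fields[1:3] != ["IN", "KEY"]:
        raise ValueError("not a KEY record: %r" % line)
    name, alg_number, secret_b64 = fields[0], int(fields[5]), fields[6]
    if alg_number not in TSIG_ALGORITHMS:
        raise ValueError("algorithm %d is not a TSIG/HMAC algorithm" % alg_number)
    # validate=True rejects stray characters that a hand-edited .key file may carry
    secret = base64.b64decode(secret_b64, validate=True)
    return name, TSIG_ALGORITHMS[alg_number][0], secret


def secret_bits(secret):
    """Key length in bits, to compare against the -b value given to dnssec-keygen."""
    return len(secret) * 8


def key_stanza(name, algorithm, secret):
    """Render the key {} block that goes into both named.conf and dhcpd.conf."""
    return 'key %s {\n    algorithm %s;\n    secret "%s";\n};\n' % (
        name, algorithm, base64.b64encode(secret).decode("ascii"))


def new_secret(bits=128):
    """Fresh random TSIG secret of the given length (what dnssec-keygen -b does)."""
    if bits % 8:
        raise ValueError("key length must be a whole number of bytes")
    return secrets.token_bytes(bits // 8)


def tsig_mac(algorithm, secret, message):
    """HMAC over a message with the named algorithm, as named and dhcpd both
    compute it for a TSIG-signed dynamic update. Returns hex."""
    digest = {name: fn for name, fn in TSIG_ALGORITHMS.values()}[algorithm]
    return hmac.new(secret, message, digest).hexdigest()


def tsig_verify(algorithm, secret, message, mac_hex):
    """Constant-time check of a received MAC against the locally computed one."""
    return hmac.compare_digest(tsig_mac(algorithm, secret, message), mac_hex)


if __name__ == "__main__":
    name, alg, secret = parse_key_record(SAMPLE_KEY_LINE)
    print("parsed %s, %s, %d-bit secret" % (name, alg, secret_bits(secret)))
    print(key_stanza(name, alg, secret))
    update = b"constructed sample update message"
    mac = tsig_mac(alg, secret, update)
    print("mac ok:", tsig_verify(alg, secret, update, mac))
```

The parser refuses a key file whose algorithm number is not an HMAC type, so a DNSSEC signing key cannot be pasted into the `key { }` stanza by mistake, and the bit-length check catches a secret that was truncated when copied between named.conf and dhcpd.conf.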
