View Issue Details

ID: 0012107
Project: CentOS-7
Category: dhcp
View Status: public
Last Update: 2016-10-20 06:23
Reporter: dafydd
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 7
Product Version: 7.2.1511
Summary: 0012107: dhcpd "No tsec for use with key <name>"
Description:

If `dnssec-keygen` is used to generate an HMAC-SHA512 key, and that key is propagated to dhcpd.conf and named.conf, the dhcpd log will get

No tsec for use with key <name>
Unable to add forward map from <DHCP address requestor> to <assigned IP address>: REFUSED

and the named system log will get

update-security: error: client <IP address>#<port>: update '<domain>/IN' denied

However, generating and using an HMAC-MD5 key will work without error.
Steps To Reproduce:

Command line:

# dnssec-keygen -a hmac-md5 -b 128 -n USER <name1>
# dnssec-keygen -a hmac-sha512 -b 512 -n USER <name2>

Extract both keys. In dhcpd.conf set your key statement like this:

key <name> {
# algorithm hmac-sha512;
# secret <sha512key>;
  algorithm hmac-md5;
  secret <md5key>;
}

with the same key name used in the appropriate "zone" blocks. In named.conf, create the same key block, but with the keys inside double-quotes. And, add the appropriate `allow-update { key <name>; };` lines in the matching zones.

These steps facilitate switching back and forth between keys. Finally, identify a simple device to stop/start that will request a DHCP address on startup. I used a printer.

Note that dDNS will update without error when using hmac-md5, but will fail under hmac-sha512, all else being equal.
Additional Information:

The obvious and trivial workaround is to continue to use hmac-md5. However, what's the point of building in bigger key sizes if they can't be used?

Tags: bind-chroot, dhcp

Activities

dafydd

2016-10-20 06:23

reporter   ~0027758

Whoops!

dhcp, dhcp-common, and dhcp-libs are all 4.2.5-42.el7.centos.x86_64

bind-libs, bind-libs-lite, bind, bind-license, and bind-chroot are all 9.9.4-29.el7_2.4.x86_64.
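
A consistency check for the key blocks described in the steps to reproduce, as an added example that is not part of the original report or of the dhcp/bind packages: it parses the `key` statement from dhcpd.conf and named.conf text and lists any difference in name, algorithm or secret, so a configuration mismatch can be ruled out before the REFUSED update is attributed to dhcpd. The key name `ddns-key`, the secrets and all function names are constructed for illustration.

```python
import base64
import re

# key <name> { algorithm <alg>; secret <value>; } -- the secret is bare in
# dhcpd.conf and double-quoted in named.conf, so quotes are optional here.
KEY_RE = re.compile(
    r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
    r'\s*secret\s+"?([A-Za-z0-9+/=]+)"?\s*;\s*\}', re.IGNORECASE)

def parse_keys(conf_text):
    """Return {key name: (algorithm, decoded secret)} for active key blocks."""
    # Drop whole-line '#' and '//' comments so the commented-out alternative
    # is ignored. Trailing comments are not handled in this sketch.
    active = re.sub(r'(?m)^[ \t]*(#|//).*$', '', conf_text)
    return {name: (alg.lower(), base64.b64decode(secret, validate=True))
            for name, alg, secret in KEY_RE.findall(active)}

def compare(dhcpd_text, named_text):
    """List differences between the key blocks of the two files."""
    dhcpd, named = parse_keys(dhcpd_text), parse_keys(named_text)
    problems = []
    for name, (alg, secret) in sorted(dhcpd.items()):
        if name not in named:
            problems.append(f"{name}: missing from named.conf")
            continue
        if alg != named[name][0]:
            problems.append(f"{name}: algorithm {alg} vs {named[name][0]}")
        if secret != named[name][1]:
            problems.append(f"{name}: secret differs")
    return problems

# Constructed sample data: key name and secrets are made up for this example.
MD5 = base64.b64encode(bytes(range(16))).decode()     # 128-bit secret
SHA512 = base64.b64encode(bytes(range(64))).decode()  # 512-bit secret

def block(active, q=""):
    """Build the report's key block with one algorithm active, one commented."""
    off = "hmac-md5" if active == "hmac-sha512" else "hmac-sha512"
    secrets = {"hmac-md5": MD5, "hmac-sha512": SHA512}
    return (f"key ddns-key {{\n"
            f"# algorithm {off};\n# secret {q}{secrets[off]}{q};\n"
            f"  algorithm {active};\n  secret {q}{secrets[active]}{q};\n}}\n")

if __name__ == "__main__":
    print(compare(block("hmac-sha512"), block("hmac-md5", '"')))     # out of sync
    print(compare(block("hmac-sha512"), block("hmac-sha512", '"')))  # in sync
```

An empty list from `compare` means both files define the same key with the same algorithm and secret.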

Issue History

Date Modified Username Field Change
2016-10-20 05:27 dafydd New Issue
2016-10-20 05:27 dafydd Tag Attached: bind-chroot
2016-10-20 05:36 dafydd Tag Attached: dhcp
2016-10-20 06:23 dafydd Note Added: 0027758