This queue is for tickets about the Net-DNS CPAN distribution.

Report information
The Basics
Id: 132170
Status: resolved
Priority: 0/
Queue: Net-DNS

People
Owner: Nobody in particular
Requestors: kas [...] fi.muni.cz
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.20
Fixed in:
  • 1.23
  • 1.23_01
Subject: Problems with TSIG on ddns update
I am trying to do a dynamic DNS update with hmac-sha256 key generated by ddns-confgen, according to the example in the Net::DNS::Update documentation, section "Another way to sign a DNS update":

    #!/usr/bin/perl
    use Net::DNS;
    my $key_name = 'tsig-key';
    my $key      = 'awwLOtRfpGE+rRKF2+DEiw==';
    my $tsig     = new Net::DNS::RR("$key_name TSIG $key");

This fails with

    no zone file representation defined for TSIG at /usr/share/perl5/vendor_perl/Net/DNS/RR.pm line 511.
    in new Net::DNS::RR( tsig-key TSIG awwLOtRfpGE+rRKF2+DEiw== ) at ./test.pl line 7.

Can I still use an in-line hmac-sha256 key to sign a DDNS update? Thanks!

BTW, Fedora 31 with perl-Net-DNS-1.20-4.fc31.noarch
On Tue Mar 17 16:27:24 2020, YENYA wrote:

> I am trying to do a dynamic DNS update with hmac-sha256 key generated
> by ddns-confgen, according to the example in the Net::DNS::Update
> documentation, section "Another way to sign a DNS update":

This section has long been overtaken by the requirements to use algorithms other than HMAC_MD5 and also to sign multi-packet transactions, both of which greatly complicate the mechanics. Documentation update needed.

The two-argument form that you are attempting to use was only ever capable of creating a TSIG RR using the (default) MD5 digest.

The simplest method uses a key generated by BIND dnssec-keygen:

    $update->sign_tsig( $keyfile );

> Can I still use an in-line hmac-sha256 key to sign a DDNS update?

Insert a BIND public key in your script and use that to sign the update:

    $keyrr = new Net::DNS::RR( 'HMAC-SHA256.example. IN KEY 512 3 163 mvojlAdUskQEtC7J8OTXU5LNvt0=' );
    $update->sign_tsig( $keyrr );
On Wed Mar 18 01:15:33 2020, rwfranks@acm.org wrote:

> This section has long been overtaken by the requirements to use
> algorithms other than HMAC_MD5 and also to sign multi-packet
> transactions both of which greatly complicates the mechanics.
> Documentation update needed.

OK, thanks for the explanation. Using the Ksomething.+163+54321.key keyfile works for me.

However, it seems that dnssec-keygen(1) no longer generates hmac-sha256 keys for TSIG, and a separate tsig-keygen(1) command is provided (BIND 9.14). Tsig-keygen(1) generates the key in the named.conf format instead of a file with IN KEY resource record. It would be nice to be able to use also this key format directly in $update->sign_tsig($keyfile).
>8 ... Tsig-keygen(1) generates the key in the
> named.conf format instead of a file with IN KEY resource record. It
> would be nice to be able to use also this key format directly in
> $update->sign_tsig($keyfile).

Indeed it would. This is now on my to do list.
On Fri Mar 20 15:36:52 2020, rwfranks@acm.org wrote:

> >8 ... Tsig-keygen(1) generates the key in the
> > named.conf format instead of a file with IN KEY resource record. It
> > would be nice to be able to use also this key format directly in
> > $update->sign_tsig($keyfile).
>
> Indeed it would. This is now on my to do list.

Key generated by tsig-keygen is now the preferred way of doing TSIG. Revised code and documentation added in Net::DNS 1.23_01.
Fixed in upcoming 1.24 release
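The following script is an added example, not code from this ticket or from the Net-DNS distribution, that puts the two signing methods from the replies above into one complete update: a TSIG key supplied either as an in-line KEY RR (the maintainer's second reply) or as a key file path passed to sign_tsig (dnssec-keygen K*.key format, or, per the final reply, the named.conf-style file written by tsig-keygen with Net::DNS 1.23_01 and later). Zone, host, address and name server are RFC 5737 documentation values chosen for the example; the TSIG_KEYFILE environment variable is an assumption of this script; the base64 secret is the placeholder from the reply and must be replaced with your own key.

```perl
#!/usr/bin/perl
# Added example (not from the ticket or the Net::DNS distribution): sign a
# dynamic update with a TSIG key given either as an in-line KEY RR or as a
# key file on disk, send it, and verify the TSIG on the server's reply.
use strict;
use warnings;
use Net::DNS;

# --- Assumptions (replace with your own values) --------------------------
# Zone, record and name server are RFC 5737 documentation values.
my $zone   = 'example.com';
my $server = '192.0.2.1';
my $name   = 'host.example.com.';
my $addr   = '192.0.2.10';

# Optional path to a key file: a dnssec-keygen K*.key file, or (Net::DNS
# 1.23_01 and later, as the last reply states) the named.conf-style file
# written by tsig-keygen. Unset means: use the in-line KEY RR below.
my $keyfile = $ENV{TSIG_KEYFILE};

# In-line form from the maintainer's reply: a KEY RR whose owner name is
# the TSIG key name and whose algorithm field 163 denotes HMAC-SHA256.
# The base64 secret is the placeholder from the ticket; use your own.
my $keyrr = Net::DNS::RR->new(
    'HMAC-SHA256.example. IN KEY 512 3 163 mvojlAdUskQEtC7J8OTXU5LNvt0=');

# --- Build the update ----------------------------------------------------
my $update = Net::DNS::Update->new( $zone, 'IN' );

# Prerequisite: only add the address if the name has no A records yet,
# so a replayed or duplicated update cannot silently overwrite data.
$update->push( prerequisite => nxrrset("$name A") );
$update->push( update       => rr_add("$name 300 A $addr") );

# --- Sign ----------------------------------------------------------------
# sign_tsig() takes a key file path or a KEY RR; it appends a TSIG RR to
# the additional section and the MAC is computed when the packet is
# encoded for sending.
$update->sign_tsig( defined $keyfile ? $keyfile : $keyrr );

# --- Send and check ------------------------------------------------------
my $resolver = Net::DNS::Resolver->new( nameservers => [$server] );
my $reply = $resolver->send($update)
    or die 'Update failed: ', $resolver->errorstring, "\n";

# The server signs its response with the same key; reject a reply whose
# TSIG does not verify against our request, whatever the rcode says.
$reply->verify($update)
    or die 'Reply TSIG verification failed: ', $reply->verifyerr, "\n";

my $rcode = $reply->header->rcode;
die "Update refused by server: $rcode\n" unless $rcode eq 'NOERROR';
print "Update for $name signed and accepted by $server\n";
```

Run it as is to use the in-line KEY RR, or with TSIG_KEYFILE pointing at the file written by tsig-keygen (or dnssec-keygen) to exercise the file-based path. The nxrrset prerequisite and the verify() call on the reply are the two checks worth keeping in any production variant: the first makes the update conditional so it cannot clobber an existing record, the second ensures you act only on a response that the server actually signed with the shared key.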