Re: [Pdns-users] tsig key not being accepted

2023-01-30 Thread Otto Moerbeek via Pdns-users
On Sat, Jan 28, 2023 at 09:58:22AM -0500, Larry Wapnitsky via Pdns-users wrote:

> (domain names and keys changed in production from these values)
> 
> I'm running the following:
> 
> root@ns1:~# pdns_server --version
> Jan 28 09:54:21 PowerDNS Authoritative Server
> 4.8.0-alpha0.1002.master.g13427ee56 (C) 2001-2022 PowerDNS.COM BV
> Jan 28 09:54:21 Using 64-bits mode. Built using gcc 9.4.0 on Jan 18 2023
> 12:08:28 by root@4f762a9684f6.
> 
> I was able (until yesterday) to update DNS entries using RFC2136, but am
> now receiving the following error:
> 
> Packet for 'mydomain.com' denied: Signature with TSIG key 'dhcpupdate' does
> not match the expected algorithm (hmac-sha256 / hmac-md5.sig-alg.reg.int)
> 
> My TSIG key is set as follows:
> 
> root@ns1:~# pdnsutil generate-tsig-key dhcpupdate hmac-sha256
> Create new TSIG key dhcpupdate hmac-sha256
> W/ThmvveOYiOKDiMA/tphcm0bu+XsdHxmIPa5anY+U8NO94n8j5I7L7rTfrlTE7NRhTrbeRJ2f7s0oTiwWc9BA==
> 
> and the configuration in my RFC2136 client (opnsense) is:
> 
> [image: 2023-01-28_09-57.png]
> 
> Advice is very welcome on how to diagnose. I've recreated the keys multiple
> times to no avail.
> 
> Thank you.
> 
> *Larry G. Wapnitsky*
> 
> 
> *E: la...@wapnitsky.com*
> *Web: Larry.Wapnitsky.com *

If it worked before yesterday, it would be very good to know what changed:

- the auth server software version? What version were you running before?
- the RFC2136 client? Same question.

-Otto
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] tsig key not being accepted

2023-01-30 Thread Jan-Piet Mens via Pdns-users

> Packet for 'mydomain.com' denied: Signature with TSIG key 'dhcpupdate' does
> not match the expected algorithm (hmac-sha256 / hmac-md5.sig-alg.reg.int)


It appears from very light research (old-fashioned word for 'googling') that
opnsense/pfsense used to support HMAC-MD5 only [1], and the above message
indicates so to me.

Try generating an HMAC-MD5 key for your PowerDNS server and try again with
that?

Alternatively, can you hover over the tooltip in the UI you've shown and
determine whether different algorithms are supported? The screenshot doesn't
suggest they are.

-JP

[1] https://github.com/opnsense/plugins/pull/2203/files
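
To see which algorithm the RFC2136 client actually puts on the wire, the TSIG record of a captured UPDATE can be read directly and compared with the algorithm stored for that key name. The Python below is an added example, not part of the thread and not PowerDNS code; the sample packet is constructed (dummy MAC, so no signature is verified), and `check`, `sample_update` and the key table passed to `check` are hypothetical names.

```python
import struct

TSIG = 250  # TSIG RR type (RFC 8945)

def encode_name(name):  # dotted name -> uncompressed DNS wire format
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Return (lower-cased dotted name, offset after it), following compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:                              # root label ends the name
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def tsig_in_message(msg):
    """Return (key name, algorithm name) from the TSIG RR, or None if the message is unsigned."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])   # section counts from the header
    off = 12
    for _ in range(qd):                           # zone/question entry: name + type + class
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):                 # full RR: name + 10 fixed bytes + RDATA
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TSIG:                         # RDATA starts with the algorithm name
            return owner, read_name(msg, off + 10)[0]
        off += 10 + rdlen
    return None

def check(msg, server_keys):  # packet's algorithm vs. the one stored for that key name
    found = tsig_in_message(msg)
    if found is None:
        return "unsigned"
    want = server_keys.get(found[0])
    return "match" if found[1] == want else f"mismatch: client={found[1]} server={want}"

def sample_update(alg):
    """Constructed UPDATE for mydomain.com signed by 'dhcpupdate'; the MAC is 16 dummy bytes."""
    header = struct.pack("!6H", 0x1234, 0x2800, 1, 0, 0, 1)        # opcode UPDATE, 1 zone, 1 additional
    zone = encode_name("mydomain.com") + struct.pack("!HH", 6, 1)  # SOA, IN
    rdata = encode_name(alg) + struct.pack("!HIHH16xHHH", 0, 1674900000, 300, 16, 0x1234, 0, 0)
    tsig = encode_name("dhcpupdate") + struct.pack("!HHIH", TSIG, 255, 0, len(rdata)) + rdata
    return header + zone + tsig
```

Fed the raw DNS payload of a real update taken from a packet capture, `tsig_in_message` shows whether the client is sending `hmac-md5.sig-alg.reg.int` regardless of what its UI suggests.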


[Pdns-users] tsig key not being accepted

2023-01-30 Thread Larry Wapnitsky via Pdns-users
(domain names and keys changed in production from these values)

I'm running the following:

root@ns1:~# pdns_server --version
Jan 28 09:54:21 PowerDNS Authoritative Server
4.8.0-alpha0.1002.master.g13427ee56 (C) 2001-2022 PowerDNS.COM BV
Jan 28 09:54:21 Using 64-bits mode. Built using gcc 9.4.0 on Jan 18 2023
12:08:28 by root@4f762a9684f6.

I was able (until yesterday) to update DNS entries using RFC2136, but am
now receiving the following error:

Packet for 'mydomain.com' denied: Signature with TSIG key 'dhcpupdate' does
not match the expected algorithm (hmac-sha256 / hmac-md5.sig-alg.reg.int)

My TSIG key is set as follows:

root@ns1:~# pdnsutil generate-tsig-key dhcpupdate hmac-sha256
Create new TSIG key dhcpupdate hmac-sha256
W/ThmvveOYiOKDiMA/tphcm0bu+XsdHxmIPa5anY+U8NO94n8j5I7L7rTfrlTE7NRhTrbeRJ2f7s0oTiwWc9BA==

and the configuration in my RFC2136 client (opnsense) is:

[image: 2023-01-28_09-57.png]

Advice is very welcome on how to diagnose. I've recreated the keys multiple
times to no avail.

Thank you.

*Larry G. Wapnitsky*


*E: la...@wapnitsky.com*
*Web: Larry.Wapnitsky.com *