NetBSD Problem Report #49138

From tron@zhadum.org.uk  Thu Aug 21 21:34:09 2014
Return-Path: <tron@zhadum.org.uk>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id EE7EAAE860
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 21 Aug 2014 21:34:09 +0000 (UTC)
Message-Id: <20140821213404.64F14A3BA27@mail.zhadum.org.uk>
Date: Thu, 21 Aug 2014 22:34:04 +0100 (BST)
From: tron@zhadum.org.uk
Reply-To: tron@zhadum.org.uk
To: gnats-bugs@NetBSD.org
Subject: "nsupdate" can no longer use "hmac-sha512" keys
X-Send-Pr-Version: 3.95

>Number:         49138
>Category:       bin
>Synopsis:       "nsupdate" can no longer use "hmac-sha512" keys
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 21 21:35:00 +0000 2014
>Last-Modified:  Mon Sep 08 19:30:01 +0000 2014
>Originator:     Matthias Scheler
>Release:        NetBSD 7.0_BETA 2014-08-20 sources
>Organization:
Matthias Scheler                                 https://zhadum.org.uk/
>Environment:
System: NetBSD colwyn.zhadum.org.uk 7.0_BETA NetBSD 7.0_BETA (GENERIC) #0: Wed Aug 20 13:44:09 BST 2014 tron@lyssa.zhadum.org.uk:/export/scratch/tron/obj/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
Since upgrading from NetBSD 6.1_STABLE to 7.0_BETA dhcpd(8) can no longer
use my "hmac-sha512" DNS key to sign updates for DNS zones. It logs the
following error during status:

Aug 21 18:50:33 colwyn dhcpd: Unable to create tsec structure for zhadum.intern

I've also got problems with "nsupdate" which also can no longer use a
different "hmac-sha512" key:

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)

Both programs worked fine under NetBSD 6.1_STABLE. "/usr/pkg/bin/nsupdate"
which does *not* use NetBSD 7.0_BETA's "libdns" also works fine.

I don't think it matters but the name server is BIND 9.10 from *pkgsrc*.

>How-To-Repeat:
Configure dhcpd(8) to use a "hmac-sha512" DNS key.

>Fix:
Not known.

>Release-Note:

>Audit-Trail:
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
Date: Thu, 21 Aug 2014 17:47:26 -0500 (CDT)

 > Both programs worked fine under NetBSD 6.1_STABLE. "/usr/pkg/bin/nsupdate"
 > which does *not* use NetBSD 7.0_BETA's "libdns" also works fine.

 I think that old DHCP was Version 3.0.3 (July 22, 2005).

 I opened an internal ISC bug 36947 for this. I will let you know what I 
 learn.

 I also saw similar reports elsewhere:

 https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/797356

 https://bugzilla.redhat.com/show_bug.cgi?id=1066603

Responsible-Changed-From-To: lib-bug-people->bin-bug-people
Responsible-Changed-By: tron@NetBSD.org
Responsible-Changed-When: Thu, 21 Aug 2014 23:36:39 +0000
Responsible-Changed-Why:
This seems to be a bug in "nsupdate", not in "libdns".


From: Matthias Scheler <tron@zhadum.org.uk>
To: "Jeremy C. Reed" <reed@reedmedia.net>
Cc: NetBSD GNATS <gnats-bugs@NetBSD.org>
Subject: Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
Date: Fri, 22 Aug 2014 00:34:26 +0100

 On Thu, Aug 21, 2014 at 10:50:01PM +0000, Jeremy C. Reed wrote:
 > The following reply was made to PR lib/49138; it has been noted by GNATS.
 > 
 > From: "Jeremy C. Reed" <reed@reedmedia.net>
 > To: gnats-bugs@NetBSD.org
 > Cc: 
 > Subject: Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
 > Date: Thu, 21 Aug 2014 17:47:26 -0500 (CDT)
 > 
 >  > Both programs worked fine under NetBSD 6.1_STABLE. "/usr/pkg/bin/nsupdate"
 >  > which does *not* use NetBSD 7.0_BETA's "libdns" also works fine.
 >  
 >  I think that old DHCP was Version 3.0.3 (July 22, 2005).

 Which didn't work as well. It only produced a different error message
 that I previously missed.

 >  I opened an internal ISC bug 36947 for this. I will let you know what I 
 >  learn.
 >  
 >  I also saw similar reports elsewhere:
 >  
 >  https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/797356
 >  
 >  https://bugzilla.redhat.com/show_bug.cgi?id=1066603

 It seems that nothing other than "HMAC-MD5.SIG-ALG.REG.INT" works
 at the moment.

 	Kind regards

 -- 
 Matthias Scheler                                 https://zhadum.org.uk/

From: Matthias Scheler <tron@zhadum.org.uk>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
Date: Fri, 22 Aug 2014 00:32:47 +0100

 On Thu, Aug 21, 2014 at 09:35:00PM +0000, gnats-admin@netbsd.org wrote:
 > Thank you very much for your problem report.
 > It has the internal identification `lib/49138'.
 > The individual assigned to look at your
 > report is: lib-bug-people. 
 > 
 > >Category:       lib
 > >Responsible:    lib-bug-people
 > >Synopsis:       "libdns" cannot use "hmac-sha512" keys
 > >Arrival-Date:   Thu Aug 21 21:35:00 +0000 2014

 It turns out that dhcpd(8) didn't work with "hmac-sha256" keys in
 NetBSD 6.1_STABLE as well:

 Aug 21 14:08:23 colwyn dhcpd: Unable to add forward map from MacBook.zhadum.intern to 192.168.25.186: bad DNS key

 As far as I can tell it only supports "HMAC-MD5.SIG-ALG.REG.INT" keys
 which is of course not very satisfactory. However Google suggests that
 this problem also affects various Linux distributions (e.g. Arch Linux
 or Ubuntu). So it seems to be a problem with ISC DHCP Daemon itself.

 However the "nsupdate" behaviour is still a regression. It definitely
 worked with the "hmac-256" key under NetBSD 6.1_STABLE.

 	Kind regards

 -- 
 Matthias Scheler                                 https://zhadum.org.uk/

From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
Date: Mon, 8 Sep 2014 12:11:17 -0500 (CDT)

 From ISC:
 diff --git a/RELNOTES b/RELNOTES
 index 3593975..991c2c1 100644
 --- a/RELNOTES
 +++ b/RELNOTES
 @@ -54,6 +54,11 @@ by Eric Young (eay@cryptsoft.com).

  			Changes since 4.3.1

 +- TSIG-authenticated dynamic DNS updates now support the use of these
 +  additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
 +  and hmac-sha512
 +  [ISC-Bugs #36947]
 +
  - Corrected rate limiting checks for bad packet logging. 
    [ISC-Bugs #36897]

 diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
 index 831047a..caa388a 100644
 --- a/includes/omapip/isclib.h
 +++ b/includes/omapip/isclib.h
 @@ -3,7 +3,7 @@
     connections to the isc and dns libraries */

  /*
 - * Copyright (c) 2009,2013 by Internet Systems Consortium, Inc. ("ISC")
 + * Copyright (c) 2009,2013,2014 by Internet Systems Consortium, Inc. ("ISC")
   *
   * Permission to use, copy, modify, and distribute this software for any
   * purpose with or without fee is hereby granted, provided that the above
 @@ -106,6 +106,11 @@ extern dhcp_context_t dhcp_gbl_ctx;
  #define DHCP_MAXDNS_WIRE 256
  #define DHCP_MAXNS         3
  #define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."

  isc_result_t dhcp_isc_name(unsigned char    *namestr,
  			   dns_fixedname_t  *namefix,
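 Review bot: the new DHCP_HMAC_*_NAME macros only carry the long `.SIG-ALG.REG.INT.` form with a trailing dot, so any exact comparison of a configured algorithm name against them will reject the short `hmac-sha256` / `hmac-sha512` spelling that BIND writes into its key files; either normalize the configured name before comparing or document in dhcpd.conf.5 which spelling the `algorithm` statement accepts.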
 diff --git a/omapip/isclib.c b/omapip/isclib.c
 index 69edc2e..3e5e1c2 100644
 --- a/omapip/isclib.c
 +++ b/omapip/isclib.c
 @@ -289,12 +289,24 @@ isclib_make_dst_key(char          *inname,
  	dns_name_t *name;
  	dns_fixedname_t name0;
  	isc_buffer_t b;
 +	unsigned int algorithm_code;

  	isc_buffer_init(&b, secret, length);
  	isc_buffer_add(&b, length);

 -	/* We only support HMAC_MD5 currently */
 -	if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
 +	if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {
 +		algorithm_code =  DST_ALG_HMACMD5;
 +	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) {
 +		algorithm_code =  DST_ALG_HMACSHA1;
 +	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) {
 +		algorithm_code =  DST_ALG_HMACSHA224;
 +	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) {
 +		algorithm_code =  DST_ALG_HMACSHA256;
 +	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) {
 +		algorithm_code =  DST_ALG_HMACSHA384;
 +	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) {
 +		algorithm_code =  DST_ALG_HMACSHA512;
 +	} else {
  		return(DHCP_R_INVALIDARG);
  	}

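 Review bot: the six-way strcasecmp chain repeats one pattern per algorithm, and the else branch returning DHCP_R_INVALIDARG is what a short `hmac-sha512` spelling hits, because each branch compares only against the full DHCP_HMAC_*_NAME string. A small table of `{ name, DST_ALG_* }` pairs walked in a loop (after stripping an optional `.SIG-ALG.REG.INT.` suffix) would make the next algorithm a one-line addition and also remove the stray double space in `algorithm_code =  DST_ALG_HMACMD5;`.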
 @@ -303,7 +315,7 @@ isclib_make_dst_key(char          *inname,
  		return(result);
  	}

 -	return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY,
 +	return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,
  				  DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
  				  &b, dhcp_gbl_ctx.mctx, dstkey));
  }
 diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5
 index 2c63f9c..3a7739e 100644
 --- a/server/dhcpd.conf.5
 +++ b/server/dhcpd.conf.5
 @@ -1,6 +1,6 @@
  .\"	dhcpd.conf.5
  .\"
 -.\" Copyright (c) 2004-2013 by Internet Systems Consortium, Inc. ("ISC")
 +.\" Copyright (c) 2004-2014 by Internet Systems Consortium, Inc. ("ISC")
  .\" Copyright (c) 1996-2003 by Internet Software Consortium
  .\"
  .\" Permission to use, copy, modify, and distribute this software for any
 @@ -1305,6 +1305,18 @@ dnssec-keygen, the above key would be created as follows:
  	dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
  .fi
  .PP
 +The key name, algorithm, and secret must match that being used by the DNS
 +server. The DHCP server currently supports the following algorithms:
 +.nf
 +
 +        HMAC-MD5
 +        HMAC-SHA1
 +        HMAC-SHA224
 +        HMAC-SHA256
 +        HMAC-SHA384
 +        HMAC-SHA512
 +.fi
 +.PP
  You may wish to enable logging of DNS updates on your DNS server.
  To do so, you might write a logging statement like the following:
  .PP
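 Review bot: the new paragraph lists the six supported algorithms, but the worked example just above it still reads `dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER`; adding a second example with one of the SHA-2 algorithms and a `-b` matching its output size, and stating which spelling of the algorithm name the `algorithm` statement accepts, would keep the manual page consistent with the code change in isclib.c.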

From: Matthias Scheler <tron@zhadum.org.uk>
To: "Jeremy C. Reed" <reed@reedmedia.net>
Cc: gnats-bugs@NetBSD.org
Subject: Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
Date: Mon, 8 Sep 2014 18:35:23 +0100

 On Mon, Sep 08, 2014 at 05:15:01PM +0000, Jeremy C. Reed wrote:
 >  From ISC:
 >  diff --git a/RELNOTES b/RELNOTES
 >  index 3593975..991c2c1 100644
 >  --- a/RELNOTES
 >  +++ b/RELNOTES
 >  @@ -54,6 +54,11 @@ by Eric Young (eay@cryptsoft.com).
 >   
 >   			Changes since 4.3.1
 >   
 >  +- TSIG-authenticated dynamic DNS updates now support the use of these
 >  +  additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
 >  +  and hmac-sha512
 >  +  [ISC-Bugs #36947]
 >  +
 >   - Corrected rate limiting checks for bad packet logging. 
 >     [ISC-Bugs #36897]
 >   

 This is excellent news.

 >  index 831047a..caa388a 100644
 >  --- a/includes/omapip/isclib.h
 >  +++ b/includes/omapip/isclib.h
 >  @@ -3,7 +3,7 @@
 >      connections to the isc and dns libraries */
 >   
 >   /*
 >  - * Copyright (c) 2009,2013 by Internet Systems Consortium, Inc. ("ISC")
 >  + * Copyright (c) 2009,2013,2014 by Internet Systems Consortium, Inc. ("ISC")
 >    *
 >    * Permission to use, copy, modify, and distribute this software for any
 >    * purpose with or without fee is hereby granted, provided that the above
 >  @@ -106,6 +106,11 @@ extern dhcp_context_t dhcp_gbl_ctx;
 >   #define DHCP_MAXDNS_WIRE 256
 >   #define DHCP_MAXNS         3
 >   #define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."
 >  +#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."
 >  +#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."
 >  +#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."
 >  +#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."
 >  +#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."

 However this looks problematic. BIND calls e.g. "HMAC-SHA512.SIG-ALG.REG.INT"
 simply "hmac-sha512". It will therefore not be possible to share key files
 between BIND and DHCPD if such keys are used.

 	Kind regards

 -- 
 Matthias Scheler                                 https://zhadum.org.uk/

From: "Jeremy C. Reed" <reed@reedmedia.net>
To: Matthias Scheler <tron@zhadum.org.uk>
Cc: gnats-bugs@NetBSD.org
Subject: Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
Date: Mon, 8 Sep 2014 14:25:58 -0500 (CDT)

 On Mon, 8 Sep 2014, Matthias Scheler wrote:

 > However this looks problematic. BIND calls e.g. 
 > "HMAC-SHA512.SIG-ALG.REG.INT" simply "hmac-sha512". It will therefore 
 > not be possible to share key files between BIND and DHCPD if such keys 
 > are used.

 I was told that while BIND9 does not like the full name, ISC DHCP will 
 allow you to abbreviate the algorithm name and will treat all three 
 forms of the algorithm name equivalently: HMAC-SHA512, hmac-sha512, and 
 HMAC-SHA512.SIG-ALG.REG.INT. (Both are case insensitive too.)

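As an added illustration of the naming point discussed in the last two messages (this is example code, not ISC's patch or NetBSD's libdns), the lookup below accepts all three spellings Jeremy lists, "HMAC-SHA512", "hmac-sha512" and "HMAC-SHA512.SIG-ALG.REG.INT.", and maps them to one algorithm code. The enum values and the table are hypothetical stand-ins for libdns' DST_ALG_HMAC* constants.

```c
#include <string.h>
#include <strings.h>

/* Hypothetical codes standing in for libdns' DST_ALG_HMAC* constants. */
enum tsig_alg { TSIG_ALG_UNKNOWN = 0, TSIG_ALG_HMACMD5, TSIG_ALG_HMACSHA1,
                TSIG_ALG_HMACSHA224, TSIG_ALG_HMACSHA256, TSIG_ALG_HMACSHA384,
                TSIG_ALG_HMACSHA512 };

/* Short spellings as BIND writes them in key files. */
static const struct { const char *short_name; enum tsig_alg code; } tsig_alg_table[] = {
    { "hmac-md5",    TSIG_ALG_HMACMD5 },    { "hmac-sha1",   TSIG_ALG_HMACSHA1 },
    { "hmac-sha224", TSIG_ALG_HMACSHA224 }, { "hmac-sha256", TSIG_ALG_HMACSHA256 },
    { "hmac-sha384", TSIG_ALG_HMACSHA384 }, { "hmac-sha512", TSIG_ALG_HMACSHA512 },
};

/* Copy the base algorithm name into buf, dropping an optional trailing dot and
 * an optional ".SIG-ALG.REG.INT" suffix, case-insensitively. Returns 0 on success. */
static int tsig_alg_base(const char *name, char *buf, size_t buflen)
{
    static const char suffix[] = ".SIG-ALG.REG.INT";
    const size_t slen = sizeof(suffix) - 1;
    size_t len = strlen(name);

    if (len > 0 && name[len - 1] == '.')
        len--;                              /* "HMAC-SHA512.SIG-ALG.REG.INT." */
    if (len >= slen && strncasecmp(name + len - slen, suffix, slen) == 0)
        len -= slen;                        /* long form -> "HMAC-SHA512" */
    if (len == 0 || len >= buflen)
        return -1;                          /* empty name or would not fit */
    memcpy(buf, name, len);
    buf[len] = '\0';
    return 0;
}

/* Map any of the three accepted spellings to one algorithm code. */
enum tsig_alg tsig_alg_lookup(const char *name)
{
    char base[32];
    size_t i;

    if (tsig_alg_base(name, base, sizeof(base)) != 0)
        return TSIG_ALG_UNKNOWN;
    for (i = 0; i < sizeof(tsig_alg_table) / sizeof(tsig_alg_table[0]); i++)
        if (strcasecmp(base, tsig_alg_table[i].short_name) == 0)
            return tsig_alg_table[i].code;
    return TSIG_ALG_UNKNOWN;
}
```

A configured name that normalizes to an unknown base (or to nothing at all, as ".SIG-ALG.REG.INT." does) yields TSIG_ALG_UNKNOWN, which is the point at which a caller would reject the key instead of silently signing with the wrong algorithm.
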
>Unformatted:
