dns/rfc2136 make key algorithm configurable (opnsense#1664)
Update to the rfc2136 feature to support different key algorithms and configure them per DNS update. The code supports all algorithms currently available in bind9. The Key Type (Host, Zone & Domain) has been removed; this relates more to DNSSEC keys than to DNS update keys (bind 9.13 dnssec-keygen no longer supports HMAC keys for TSIG).
Tests (I did in my env):
- all algorithms for IPv4
- hmac-sha512 for IPv6
- Existing hmac-md5 configuration without config change (backward compatibility)
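To illustrate the backward-compatibility behaviour described above (an entry with no algorithm stays hmac-md5) together with validation against the TSIG algorithms BIND 9 accepts, here is an added example that is not part of the plugin or of this pull request. The settings layout (a dict with `keyname`, `keydata` and an optional `keyalgo`) is an assumption for illustration; the sample key material is constructed and the digest sizes are those of the HMAC algorithms BIND 9 supports.

```python
"""Normalise and validate an RFC 2136 (nsupdate) TSIG key setting.

Assumed settings layout (not the plugin's real field names): a dict with
'keyname', 'keydata' (base64 secret) and an optional 'keyalgo'. Entries
written before the algorithm became configurable carry no 'keyalgo' and
are treated as hmac-md5, mirroring the backward-compatibility case.
"""
import base64
import binascii

# HMAC algorithms BIND 9 accepts for TSIG, with the digest size in bytes.
BIND9_TSIG_ALGORITHMS = {
    "hmac-md5": 16,
    "hmac-sha1": 20,
    "hmac-sha224": 28,
    "hmac-sha256": 32,
    "hmac-sha384": 48,
    "hmac-sha512": 64,
}

LEGACY_DEFAULT_ALGORITHM = "hmac-md5"
# Flagged so a defender reviewing the configuration sees the weak choices.
WEAK_ALGORITHMS = {"hmac-md5", "hmac-sha1"}


def normalise_key_settings(settings):
    """Return (algorithm, keyname, secret_bytes, warnings); raise ValueError on bad input."""
    algo = (settings.get("keyalgo") or LEGACY_DEFAULT_ALGORITHM).strip().lower()
    if algo not in BIND9_TSIG_ALGORITHMS:
        raise ValueError(f"unsupported TSIG algorithm: {algo}")

    keyname = settings.get("keyname", "").strip().rstrip(".")
    if not keyname:
        raise ValueError("keyname is required")

    try:
        # validate=True rejects characters outside the base64 alphabet.
        secret = base64.b64decode(settings.get("keydata", ""), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"keydata is not valid base64: {exc}") from exc
    if not secret:
        raise ValueError("keydata is empty")

    warnings = []
    if "keyalgo" not in settings:
        warnings.append("no keyalgo set; legacy entry defaulted to hmac-md5")
    if algo in WEAK_ALGORITHMS:
        warnings.append(f"{algo} is a weak choice; prefer hmac-sha256 or stronger")
    digest_len = BIND9_TSIG_ALGORITHMS[algo]
    if len(secret) < digest_len:
        warnings.append(
            f"secret is {len(secret)} bytes, shorter than the {digest_len}-byte digest of {algo}"
        )
    return algo, keyname, secret, warnings


def nsupdate_key_line(settings):
    """The `key [hmac:]name secret` line nsupdate reads from its command stream."""
    algo, keyname, secret, _ = normalise_key_settings(settings)
    return f"key {algo}:{keyname} {base64.b64encode(secret).decode()}"


def nsupdate_commands(settings, server, zone, fqdn, address, ttl=300):
    """Build the nsupdate batch an RFC 2136 dynamic-DNS client pipes to nsupdate."""
    rrtype = "AAAA" if ":" in address else "A"
    return [
        f"server {server}",
        f"zone {zone}",
        nsupdate_key_line(settings),
        f"update delete {fqdn} {rrtype}",
        f"update add {fqdn} {ttl} {rrtype} {address}",
        "send",
    ]


# Constructed sample entries (not real keys): a legacy entry without keyalgo
# and a new-style entry using hmac-sha512 with a 64-byte secret.
LEGACY_SETTINGS = {
    "keyname": "dyn.example.test",
    "keydata": base64.b64encode(bytes(range(16))).decode(),
}
SHA512_SETTINGS = {
    "keyname": "dyn.example.test",
    "keyalgo": "hmac-sha512",
    "keydata": base64.b64encode(b"\x42" * 64).decode(),
}

if __name__ == "__main__":
    for entry in (LEGACY_SETTINGS, SHA512_SETTINGS):
        algo, name, secret, warnings = normalise_key_settings(entry)
        print(algo, name, len(secret), warnings)
    print("\n".join(nsupdate_commands(SHA512_SETTINGS, "ns1.example.test",
                                     "example.test", "host.example.test",
                                     "2001:db8::1")))
```

The legacy entry still resolves to hmac-md5 (and the function says so in its warnings), while any algorithm outside the BIND 9 list is rejected before it can reach nsupdate.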
Is there any new info about that topic? I would really appreciate it if you could support more than only the insecure MD5 hash algorithm.
My basic concern is https://github.com/opnsense/plugins/pull/2203/files#diff-f3b8bc015779b775a869924d3b72d1468707ae9d508057f4ba3f6a3c7f8428feR93, which breaks setups. I want to work on it, but if someone else wants to beat me to it, that would be great.
Could you clarify what "breaks setups" means? Is the problem the introduction of a new field "keyalgo"? Is it that "keytype" is not really cleaned up?
@av-commits yes
@fichtner ok, would you prefer to overload the field keytype with the key algorithm (just store the algorithm in keytype)?
I tested this and it worked for me. Only one small addition: The help text for the keydata field may need to be adjusted, because it still references "HMAC-MD5" as the only key format.