12-18-2010, 09:44 PM
"David C. Rankin"

dhcpd fails to start when using TSIG key created with hmac-sha256 encryption

Guys,

I have run into a problem with the dhcpd daemon refusing to start when using
the default hmac-sha256 algorithm for key encryption. A good description of the
problem is here:

http://www.pubbs.net/201009/dhcp/8256-cant-start-isc-dhcpd-420.html

The bind documentation shows host key creation using:

dnssec-keygen -a hmac-sha256 -b 128 -n HOST yoursite.com

This results in the following host key:

Kyoursite.com.+163+02215.key

it contains

yoursite. IN KEY 512 3 163 BV_the_key________DG/g==

from which you create the key for use with bind and dhcp in the form

key yoursite.com {
algorithm hmac-sha256;
secret "BV_the_key________DG/g==";
};

bind will start and run using the key, but dhcpd fails to start giving the
following error:

[15:54 phoenix:/etc] # dhcpd -f
Internet Systems Consortium DHCP Server 4.2.0-P1
Copyright 2004-2010 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
../../../lib/dns/dst_api.c:1023: REQUIRE(keyp != ((void *)0) && (((*keyp) !=
((void *)0)) && (((const isc__magic_t *)(*keyp))->magic == ((('D') << 24 | ('S')
<< 16 | ('T') << 8 | ('K')))))) failed, back trace
#0 0x81756de in ??
#1 0x8175837 in ??
#2 0x8151058 in ??
#3 0x80c331a in ??
#4 0x80a7150 in ??
#5 0x80aa6cf in ??
#6 0x805c59c in ??
#7 0x8061bda in ??
#8 0x8061e6b in ??
#9 0x80620fc in ??
#10 0x804beab in ??
#11 0xb75fbc76 in ??
#12 0x804a0d1 in ??
Aborted

Simply regenerating the key with hmac-md5 to create a ..+157..key works (dnssec
complains about hmac-md5 now for some reason):

dnssec-keygen -a hmac-md5 -b 128 -n HOST yoursite.com

and then using that key in dhcpd.conf works fine.

Does anybody have any additional background on this problem? I'm always
hesitant to use an older key version when apparently ISC want you to use sha256.
But obviously I need to get dhcpd going and providing updates to bind. Are there
better alternatives to hmac-md5?

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
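
An added example, not part of the original post and not ISC's code: a small Python helper that turns the one-line K*.key record described above into the key block, deriving the algorithm name from the numeric field (163, 157) and checking the decoded secret length. The sample record is constructed, and the function names are hypothetical.

```python
import base64
import binascii

# BIND's private DST algorithm numbers, as seen in K<name>.+NNN+<id>.key
HMAC_ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}


def parse_key_record(line):
    """Parse '<name> IN KEY <flags> <proto> <alg> <base64>' into a dict."""
    fields = line.split()
    if len(fields) < 7 or fields[1].upper() != "IN" or fields[2].upper() != "KEY":
        raise ValueError("not an 'IN KEY' record: %r" % line)
    alg = int(fields[5])
    if alg not in HMAC_ALGORITHMS:
        raise ValueError("algorithm %d is not an HMAC (TSIG) algorithm" % alg)
    secret = "".join(fields[6:])  # long secrets may be split by whitespace
    try:
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is not valid base64: %s" % exc)
    return {"name": fields[0].rstrip("."), "algorithm": HMAC_ALGORITHMS[alg],
            "secret": secret, "bits": len(raw) * 8}


def key_stanza(rec):
    """Render the key block in the form shown in the post."""
    return ('key %s {\n    algorithm %s;\n    secret "%s";\n};\n'
            % (rec["name"], rec["algorithm"], rec["secret"]))


# Constructed sample record: 16 bytes (0x00..0x0f), the size -b 128 produces.
SAMPLE = "yoursite.com. IN KEY 512 3 163 AAECAwQFBgcICQoLDA0ODw=="

if __name__ == "__main__":
    record = parse_key_record(SAMPLE)
    print("# %d-bit %s key" % (record["bits"], record["algorithm"]))
    print(key_stanza(record), end="")
```

The redacted secret printed in the post is rejected by the base64 check, so a real key file has to be supplied in its place.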
 
12-18-2010, 09:50 PM
"David C. Rankin"

dhcpd fails to start when using TSIG key created with hmac-sha256 encryption

On 12/18/2010 04:44 PM, David C. Rankin wrote:
> Guys,
>
> I have run into a problem with the dhcpd daemon refusing to start when using
> the default hmac-sha256 algorithm for key encryption. A good description of the
> problem is here:
>
> http://www.pubbs.net/201009/dhcp/8256-cant-start-isc-dhcpd-420.html
>

Also,

for some strange reason, I have had to remove DHCP_ARGS from /etc/conf.d/dhcp
to get dhcp to start:

# DHCP_ARGS="-q"
DHCP_ARGS=

After removing "-q", dhcpd starts fine. Anybody else see this behavior? This is
on a brand new install. I have another server running dhcpd and "-q" causes no
problems there. Any ideas on what could make the difference?

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
 