Generate TSIG without special characters in the name

My firewall (pfSense) doesn’t like the “.” and the “_” at the beginning of the Domain Key name.

Is it possible to have a custom TSIG generated without punctuation and without underscores at the beginning?

/Kewin

Hello Kewin,

sorry for the late response. We’re looking into this issue.

I’m interested, though: What version of pfSense are you running? RFC2845 states under 2.3, “Record format”, that for the key name, the domain name syntax is used. RFC1033 explicitly allows underscores. I’m a bit surprised that pfSense violates those standards. You might want to file a bug with them.

In the meantime, I guess we’ll change the way (future) key names are generated.

We changed the naming schema of new TSIG keys from _123._tsig.dynv6.com to tsig-123.dynv6.com. Please generate a new TSIG key.

Hi dmke

I’m running pfSense 2.4.5p1 and I can see they explicitly removed support for anything other than a-z, A-Z, 0-9, ‘-’ and ‘_’ in this revision: https://redmine.pfsense.org/issues/10346

Which, as you point out, actually contradicts those RFCs.

I tried circumventing the GUI sanity checks by editing the dhcpd.conf directly and quoting the key name (otherwise dhcpd would crash) and launching the daemon, and it sorta worked:

key "_148517._tsig.dynv6.com" {
        algorithm hmac-sha512;
        secret *sanitized*;
}
zone lan.skrog.dk. {
        primary6 2a01:4f9:c010:95b::;
        key "_148517._tsig.dynv6.com";
}

Before my error messages were these:
Aug 7 15:22:07 router dhcpd: Unable to add forward map from Google-Nest-Mini.lan.skrog.dk to 2a00:fd00:fff0:a2cd::1009: tsig verify failure

And after editing the file and adding the proper keyname:
Aug 7 15:23:31 router dhcpd: Unable to add forward map from Google-Nest-Mini.lan.skrog.dk to 2a00:fd00:fff0:a2cd::1009: REFUSED

So, I was able to launch dhcpd with a seemingly correct TSIG key, but now I’m getting “refused” probably due to some mistake/misconception on my behalf.

Does it work, when you use tsig-148517.dynv6.com as key name?

Not via GUI (due to the sanitizing taking place after the mentioned revision).

Editing dhcpdv6.conf and defining tsig-151160.dynv6.com as key name almost works. However, now I’m getting a NOTIMP response regardless of whatever I try.

Aug 17 14:29:13 router dhcpd: Unable to add forward map from Google-Nest-Mini.lan.skrog.dk to 2a00:fd00:fff0:a2cd::1c53: NOTIMP

And a packet capture shows this:
|188.228.40.179|95.216.144.82|DNS|328|Dynamic update 0x77fb SOA lan.skrog.dk ANY AAAA 2a00:fd00:fff0:a2cd::1c53 TXT TSIG|
|95.216.144.82|188.228.40.179|DNS|224|Dynamic update response 0x77fb Not implemented SOA lan.skrog.dk TSIG|

So, I’d attribute the GUI sanitation to a “bug” in pfSense or rather misinterpretation of the RFCs and how to manage TSIGs within dhcpd.

I can’t however create a bug report with pfSense until I can show them I can get it working outside of the GUI - which my failed knowledge of RFC2136 is apparently preventing, since I just keep spamming your nameservers with requests you apparently don’t like :slight_smile:

I’ve kept my real IPs within this post, in case your logs show I’m doing something incredibly stupid :stuck_out_tongue:

Please try nsupdate to update your addresses. Does it work? If not, please paste your input to nsupdate (of course without the key).

I can indeed get it working if I use the nsupdate tool:

nsupdate <<EOF
  server ns1.dynv6.com
  zone lan.skrog.dk
  update add testmonkey.lan.skrog.dk 60 AAAA 2a00:fd00:fff0:a2cd::127
  key hmac-sha512:tsig-151160.dynv6.com --snip--
  send
EOF

Works.

# nslookup testmonkey.lan.skrog.dk
Name:   testmonkey.lan.skrog.dk
Address: 2a00:fd00:fff0:a2cd::127

So I’ve done a lot of packet captures and trial’n’error and found out that it’s because pfSense/ISC DHCP is setting prerequisites in the update request, which I can replicate by doing this:

nsupdate <<EOF
  zone lan.skrog.dk
  prereq nxdomain testmonkey.lan.skrog.dk
  update add testmonkey.lan.skrog.dk 60 AAAA 2a00:fd00:fff0:a2cd::127
  key hmac-sha512:tsig-151160.dynv6.com --snip--
  send
EOF

update failed: NOTIMP

I don’t know if it is not implemented in your end, or turned off intentionally?

Did you solve your problem?
I’m having the same issue and I’m not able to figure out a solution.

Here it is working fine.

Did you try with an nsupdate-based script with the prereq section, or with dhcpd?
What version did you use?

I did it within newest pfSense CE:

  1. Services
  2. [Dynamic DNS]
  3. [RFC 2136 Clients]

I understand.
As far as I know pfSense should internally use dhcpd, so I expect that dhcpd should work.
When my dhcpd server tries to add an entry to the dns it sets in the request a prerequisite that is not accepted.

I sniffed the network and I found that this nsupdate-based script generates the same kind of request, which of course also fails:

#!/bin/sh

nsupdate <<EOF
server 2a01:4f9:c010:95b::
prereq nxdomain myhost.myzone.dynv6.net
zone myzone.dynv6.net
update add myhost.myzone.dynv6.net 60 AAAA XXXX:XXXX:XXXX:XXXX:XXXX::2
key hmac-sha256:MY_KEY_NAME MY_KEY
send
EOF

(of course I removed sensitive information from the script)
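The request both of the posts above capture (dhcpd's "name is not in use" prerequisite, which nsupdate spells `prereq nxdomain`) can be inspected on the wire with the following added example; it is not code from this thread, from dynv6 or from pfSense. It builds an RFC 2136 UPDATE with and without that prerequisite and decodes the prerequisite section back, using only the Python standard library; the zone, host name and address are the values quoted earlier in the thread, reused here as sample input.

```python
# Added example, not from the thread, dynv6 or pfSense: stdlib-only RFC 2136 UPDATE encoder/decoder.
import ipaddress
import struct

OPCODE_UPDATE, CLASS_IN, CLASS_NONE, CLASS_ANY = 5, 1, 254, 255
TYPE_SOA, TYPE_AAAA, TYPE_ANY = 6, 28, 255

def encode_name(name):  # uncompressed wire-format name (RFC 1035 3.1)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"

def decode_name(msg, off, end=None):
    """Read a name, following compression pointers (RFC 1035 4.1.4); returns (name, next offset)."""
    labels = []
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:                       # pointer: remember where we were, then jump
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def rr(name, rtype, rclass, ttl=0, rdata=b""):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, updates, prereq_nxdomain=None, msg_id=0x77FB):
    """UPDATE adding AAAA RRs; prereq_nxdomain emits RFC 2136 2.4.3 (class NONE, type ANY, no RDATA)."""
    pr = [rr(prereq_nxdomain, TYPE_ANY, CLASS_NONE)] if prereq_nxdomain else []
    up = [rr(n, TYPE_AAAA, CLASS_IN, ttl, ipaddress.IPv6Address(a).packed) for n, ttl, a in updates]
    hdr = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, len(pr), len(up), 0)
    return hdr + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(pr + up)

def summarize_update(msg):
    """Decode header, zone and prerequisite sections; classify each prerequisite per RFC 2136 2.4."""
    msg_id, flags, _zo, prcount, upcount, adcount = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE (opcode 5)")
    zone, off = decode_name(msg, 12)
    off += 4                                       # skip ZTYPE and ZCLASS
    prereqs = []
    for _ in range(prcount):
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        kind = ("name " if rtype == TYPE_ANY else "RRset ") + ("exists" if rclass == CLASS_ANY else "does not exist")
        if rclass not in (CLASS_NONE, CLASS_ANY):  # RFC 2136 2.4.5: class IN with RDATA
            kind = "RRset exists (value dependent)"
        prereqs.append((name, kind))
    return {"id": msg_id, "zone": zone, "prereqs": prereqs, "updates": upcount, "additional": adcount}
```

Feeding `summarize_update` the raw UDP payload from a packet capture of the dhcpd request shows the same prerequisite entry; a TSIG in the additional section only raises the `additional` count and does not affect the prerequisite decoding.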

I never had any luck with the dhcp server doing it.
But with the RFC 2136 Client in pfSense, you can update the (dynamic) prefix and dynv6.com allows you to map that to a (static) host part.
So in the end, you get working DDNS for every host on pfSense, which is why I am using dynv6.com.

In the end I solved it using the kea-dhcp6 server with custom hooks for starting nsupdate.
Even from kea-dhcp6 (or, more properly, from kea-dhcp-ddns) the DDNS update was failing with a “NOTIMP” answer, so I decided to give up trying to make it work and I implemented a custom solution.