Generate TSIG without special characters in the name

My firewall (pfSense) doesn’t like the “.” and the “_” at the beginning of the domain key name.

Is it possible to have a custom TSIG generated without punctuation and without an underscore at the beginning?


Hello Kewin,

sorry for the late response. We’re looking into this issue.

I’m interested, though: What version of pfSense are you running? RFC2845 states under 2.3, “Record format”, that for the key name, the domain name syntax is used. RFC1033 explicitly allows underscores. I’m a bit surprised that pfSense violates those standards. You might want to file a bug with them.

In the meantime, I guess we’ll change the way (future) key names are generated.

We changed the naming schema of new TSIG keys from to Please generate a new TSIG key.

Hi dmke

I’m running pfSense 2.4.5p1 and I can see they explicitly removed support for anything other than a-z, A-Z, 0-9, ‘-’ and ‘_’ in this revision:

Which, as you point out, actually contradicts those RFCs.

I tried circumventing the GUI sanity checks by editing the dhcpd.conf directly and quoting the key name (otherwise dhcpd would crash) and launching the daemon, and it sorta worked:

key "" {
        algorithm hmac-sha512;
        secret *sanitized*;
}
zone {
        primary6 2a01:4f9:c010:95b::;
        key "";
}

Before my error messages were these:
Aug 7 15:22:07 router dhcpd: Unable to add forward map from to 2a00:fd00:fff0:a2cd::1009: tsig verify failure

And after editing the file and adding the proper keyname:
Aug 7 15:23:31 router dhcpd: Unable to add forward map from to 2a00:fd00:fff0:a2cd::1009: REFUSED

So, I was able to launch dhcpd with a seemingly correct TSIG key, but now I’m getting “refused” probably due to some mistake/misconception on my behalf.

Does it work when you use as key name?

Not via GUI (due to the sanitizing taking place after the mentioned revision).

Editing dhcpdv6.conf and defining as keyname almost works. However now I’m getting a NOTIMP response regardless of whatever I try.

Aug 17 14:29:13 router dhcpd: Unable to add forward map from to 2a00:fd00:fff0:a2cd::1c53: NOTIMP

And a packet capture shows this:
DNS | 328 | Dynamic update 0x77fb SOA ANY AAAA 2a00:fd00:fff0:a2cd::1c53 TXT TSIG
DNS | 224 | Dynamic update response 0x77fb Not implemented SOA TSIG

So, I’d attribute the GUI sanitation to a “bug” in pfSense or rather misinterpretation of the RFCs and how to manage TSIGs within dhcpd.

I can’t however create a bug report with pfSense until I can show them I can get it working outside of the GUI - which my failed knowledge of RFC2136 is apparently preventing, since I just keep spamming your nameservers with requests you apparently don’t like :slight_smile:

I’ve kept my real IPs within this post, in case your logs show I’m doing something incredibly stupid :stuck_out_tongue:

Please try nsupdate to update your addresses. Does it work? If not, please paste your input to nsupdate (of course without the key).

I can indeed get it working if I use the nsupdate tool:

nsupdate <<EOF
  update add 60 AAAA 2a00:fd00:fff0:a2cd::127
  key --snip--
  send
EOF


# nslookup
Address: 2a00:fd00:fff0:a2cd::127

So I’ve done a lot of packet captures and trial and error and found out that it’s because pfSense/ISC DHCP is setting prerequisites in the update request, which I can replicate by doing this:

nsupdate <<EOF
  prereq nxdomain
  update add 60 AAAA 2a00:fd00:fff0:a2cd::127
  key --snip--
  send
EOF

update failed: NOTIMP

I don’t know if it is not implemented on your end, or turned off intentionally?
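The two nsupdate runs above differ only by the "prereq nxdomain" line, and the earlier "tsig verify failure" / "REFUSED" / "NOTIMP" errors are all about what ends up in the UPDATE packet. The following is an added example, not code from the thread, from Hetzner or from ISC: it builds the same UPDATE message by hand with only the Python standard library, once without and once with the RFC 2136 "name is not in use" prerequisite (type ANY, class NONE), signs it with an hmac-sha512 TSIG record exactly as RFC 2845/8945 lay out the MAC input, and verifies it the way a server would. The zone, host name, key name and secret are made up; the key name deliberately contains a leading underscore and dots to show that nothing on the wire objects to them, as dmke points out above. Names are written uncompressed, so the decoder rejects compression pointers (an assumption of this example, not a protocol limit).

```python
"""RFC 2136 UPDATE + TSIG (RFC 2845/8945, hmac-sha512) built by hand, stdlib only.
Zone, host, key name and secret are made up for this example; nothing is sent."""
import hashlib
import hmac
import ipaddress
import struct

TYPE_SOA, TYPE_AAAA, TYPE_ANY, TYPE_TSIG = 6, 28, 255, 250
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
OPCODE_UPDATE = 5


def encode_name(name):
    """Uncompressed wire-format domain name (RFC 1035 3.1); '_' and '.' are fine here."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Inverse of encode_name: returns (name, offset past it). Assumes no compression."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compression pointers not handled (example assumption)")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def header_counts(msg):
    """(ID, flags, ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT) from the 12-byte header."""
    return struct.unpack("!HHHHHH", msg[:12])


def build_update(zone, name, ipv6, msg_id, prereq_nxdomain):
    """Unsigned UPDATE: zone section, optional 'name is not in use' prereq, one AAAA add."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, int(prereq_nxdomain), 1, 0)
    msg = header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    if prereq_nxdomain:
        # RFC 2136 2.4.3: type ANY, class NONE, TTL 0, empty RDATA. This is what the
        # 'prereq nxdomain' line in the post puts on the wire.
        msg += encode_name(name) + struct.pack("!HHIH", TYPE_ANY, CLASS_NONE, 0, 0)
    addr = ipaddress.IPv6Address(ipv6).packed
    msg += encode_name(name) + struct.pack("!HHIH", TYPE_AAAA, CLASS_IN, 60, len(addr)) + addr
    return msg


def tsig_mac(unsigned, key_name, secret, algorithm, time_signed, fudge):
    """HMAC over unsigned message || TSIG variables (RFC 8945 4.3.3); names in canonical (lowercase) form."""
    variables = (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
                 + encode_name(algorithm.lower())
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))
    return hmac.new(secret, unsigned + variables, hashlib.sha512).digest()


def tsig_sign(unsigned, key_name, secret, time_signed, algorithm="hmac-sha512.", fudge=300):
    """Append the TSIG RR as the last additional record and bump ARCOUNT."""
    mac = tsig_mac(unsigned, key_name, secret, algorithm, time_signed, fudge)
    orig_id = struct.unpack("!H", unsigned[:2])[0]
    rdata = (encode_name(algorithm)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))          # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = header_counts(unsigned)[5] + 1
    return unsigned[:10] + struct.pack("!H", arcount) + unsigned[12:] + rr


def tsig_verify(signed, keys):
    """Server side: find the trailing TSIG RR and recompute the MAC with the named key.
    keys maps lowercase key name (trailing dot) -> secret. Returns (ok, key_name)."""
    counts = header_counts(signed)
    off = 12
    for _ in range(counts[2]):                                  # zone entries: name, type, class
        off = decode_name(signed, off)[1] + 4
    for _ in range(counts[3] + counts[4] + counts[5] - 1):      # every RR except the last
        off = decode_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    key_name, p = decode_name(signed, off)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG or key_name.lower() not in keys:
        return False, key_name                                  # BADKEY in RFC 8945 terms
    algorithm, p = decode_name(signed, p + 10)
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", signed[p:p + 10])
    mac = signed[p + 10:p + 10 + mac_len]
    # MAC input is the message without the TSIG RR and with ARCOUNT decremented
    unsigned = signed[:10] + struct.pack("!H", counts[5] - 1) + signed[12:off]
    expected = tsig_mac(unsigned, key_name, keys[key_name.lower()], algorithm,
                        (t_hi << 32) | t_lo, fudge)
    return hmac.compare_digest(mac, expected), key_name


if __name__ == "__main__":
    secret = b"made-up-secret-not-a-real-key"        # constructed, not a real key
    msg = build_update("example.net.", "router.example.net.", "2a00:fd00:fff0:a2cd::127", 0x77FB, True)
    signed = tsig_sign(msg, "_update-key.example.net.", secret, 1597000000)
    print(signed.hex(), tsig_verify(signed, {"_update-key.example.net.": secret}))
```

With the prerequisite flag set the header counts come out as ZOCOUNT=1, PRCOUNT=1, UPCOUNT=1, ADCOUNT=1 after signing, which is the shape of the capture in the post (SOA, ANY, AAAA, ..., TSIG). A wrong secret, an unknown key name or a single flipped byte in the update section all make tsig_verify return False, which is the server-side condition behind a "tsig verify failure"; whether a server then honours the prerequisite is a separate, server-side decision and is what the NOTIMP reply is about.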