Generate TSIG without special characters in the name

My firewall (pfSense) doesn’t like “.” and “_” at the beginning of the Domain Key name.

Is it possible to have a custom TSIG generated without punctuation and without an underscore at the beginning?

/Kewin

Hello Kewin,

sorry for the late response. We’re looking into this issue.

I’m interested, though: What version of pfSense are you running? RFC2845 states under 2.3, “Record format”, that for the key name, the domain name syntax is used. RFC1033 explicitly allows underscores. I’m a bit surprised that pfSense violates those standards. You might want to file a bug with them.

In the meantime, I guess we’ll change the way (future) key names are generated.

We changed the naming schema of new TSIG keys from _123._tsig.dynv6.com to tsig-123.dynv6.com. Please generate a new TSIG key.

Hi dmke

I’m running pfSense 2.4.5p1 and I can see they explicitly removed support for anything other than a-z, A-Z 0-9, ‘-’ and ‘_’ in this revision: https://redmine.pfsense.org/issues/10346

Which, as you point out, actually contradicts those RFCs.

I tried circumventing the GUI sanity checks by editing the dhcpd.conf directly and quoting the key name (otherwise dhcpd would crash) and launching the daemon, and it sorta worked:

key "_148517._tsig.dynv6.com" {
        algorithm hmac-sha512;
        secret *sanitized*;
}
zone lan.skrog.dk. {
        primary6 2a01:4f9:c010:95b::;
        key "_148517._tsig.dynv6.com";
}

Before my error messages were these:
Aug 7 15:22:07 router dhcpd: Unable to add forward map from Google-Nest-Mini.lan.skrog.dk to 2a00:fd00:fff0:a2cd::1009: tsig verify failure

And after editing the file and adding the proper keyname:
Aug 7 15:23:31 router dhcpd: Unable to add forward map from Google-Nest-Mini.lan.skrog.dk to 2a00:fd00:fff0:a2cd::1009: REFUSED

So, I was able to launch dhcpd with a seemingly correct TSIG key, but now I’m getting “refused” probably due to some mistake/misconception on my behalf.

Does it work, when you use tsig-148517.dynv6.com as key name?

Not via GUI (due to the sanitizing taking place after the mentioned revision).

Editing dhcpdv6.conf and defining tsig-151160.dynv6.com as keyname almost works. However now I’m getting a NOTIMP response regardless of whatever I try.

Aug 17 14:29:13 router dhcpd: Unable to add forward map from Google-Nest-Mini.lan.skrog.dk to 2a00:fd00:fff0:a2cd::1c53: NOTIMP

And a packet capture shows this:
|Source|Destination|Protocol|Length|Info|
|188.228.40.179|95.216.144.82|DNS|328|Dynamic update 0x77fb SOA lan.skrog.dk ANY AAAA 2a00:fd00:fff0:a2cd::1c53 TXT TSIG|
|95.216.144.82|188.228.40.179|DNS|224|Dynamic update response 0x77fb Not implemented SOA lan.skrog.dk TSIG|

So, I’d attribute the GUI sanitation to a “bug” in pfSense or rather misinterpretation of the RFCs and how to manage TSIGs within dhcpd.

I can’t, however, create a bug report with pfSense until I can show them I can get it working outside of the GUI - which my failed knowledge of RFC2136 is apparently preventing, since I just keep spamming your nameservers with requests you apparently don’t like :slight_smile:

I’ve kept my real IPs within this post, in case your logs show I’m doing something incredibly stupid :stuck_out_tongue:

Please try nsupdate to update your addresses. Does it work? If not, please paste your input to nsupdate (of course without the key).

I can indeed get it working if I use the nsupdate tool:

nsupdate <<EOF
  server ns1.dynv6.com
  zone lan.skrog.dk
  update add testmonkey.lan.skrog.dk 60 AAAA 2a00:fd00:fff0:a2cd::127
  key hmac-sha512:tsig-151160.dynv6.com --snip--
  send
EOF

Works.

# nslookup testmonkey.lan.skrog.dk
Name:   testmonkey.lan.skrog.dk
Address: 2a00:fd00:fff0:a2cd::127

So I’ve done a lot of packet captures and trial’n’error and found out that it’s because pfSense/ISC DHCP is setting prerequisites in the update request, which I can replicate by doing this:

nsupdate <<EOF
  zone lan.skrog.dk
  prereq nxdomain testmonkey.lan.skrog.dk
  update add testmonkey.lan.skrog.dk 60 AAAA 2a00:fd00:fff0:a2cd::127
  key hmac-sha512:tsig-151160.dynv6.com --snip--
  send
EOF

update failed: NOTIMP

I don’t know if it is not implemented in your end, or turned off intentionally?
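To make the difference between the two nsupdate runs above visible on the wire, here is an added Python example (stdlib only; it is not code from the thread, from dynv6, pfSense or ISC). It builds the RFC 2136 UPDATE message for both cases, once without and once with the “name is not in use” prerequisite that ISC dhcpd adds (nsupdate’s `prereq nxdomain`), signs it with an RFC 2845 TSIG using hmac-sha512, and parses it back so the PRCOUNT field that the server answered with NOTIMP can be inspected, together with a server-side MAC check. The zone, owner name, address and key name are the thread’s; `SECRET`, the timestamp and the message ID are constructed placeholders.

```python
# Added example (not from the thread or from dynv6/pfSense/ISC): RFC 2136 UPDATE builder
# with RFC 2845 TSIG, Python stdlib only. SECRET, timestamp and message ID are placeholders.
import hashlib
import hmac
import socket
import struct

TYPE_SOA, TYPE_AAAA, TYPE_TSIG, TYPE_ANY = 6, 28, 250, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
SECRET = b"constructed-placeholder-secret-not-a-real-key"  # placeholder, not a real TSIG secret

def encode_name(name):
    """Uncompressed, lowercased wire-format name (TSIG digests this canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(wire, pos):
    """Read one uncompressed name at pos; return (dotted name, position after it)."""
    labels = []
    while wire[pos] != 0:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def build_update(zone, owner, addr_v6, ttl=60, prereq_nxdomain=False, msg_id=0x77FB):
    """Unsigned UPDATE: header, zone section, optional prerequisite, one AAAA add."""
    prereq = b""
    if prereq_nxdomain:
        # RFC 2136 2.4.3 "Name is not in use" (nsupdate "prereq nxdomain"): type ANY, class NONE, TTL 0, no RDATA
        prereq = encode_name(owner) + struct.pack("!HHIH", TYPE_ANY, CLASS_NONE, 0, 0)
    rdata = socket.inet_pton(socket.AF_INET6, addr_v6)
    update = encode_name(owner) + struct.pack("!HHIH", TYPE_AAAA, CLASS_IN, ttl, len(rdata)) + rdata
    # Header: ID, flags (opcode 5 = UPDATE), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 1 if prereq else 0, 1, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + prereq + update

def parse(wire):
    """Split an uncompressed UPDATE into its zone, prereq, update and additional sections."""
    msg_id, flags, zc, pc, uc, ac = struct.unpack("!HHHHHH", wire[:12])
    pos, zones, rrs = 12, [], []
    for _ in range(zc):
        name, pos = decode_name(wire, pos)
        zones.append((name,) + struct.unpack("!HH", wire[pos:pos + 4]))
        pos += 4
    for _ in range(pc + uc + ac):
        start = pos
        name, pos = decode_name(wire, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10
        rrs.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl,
                    "rdata": wire[pos:pos + rdlen], "offset": start})
        pos += rdlen
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zone": zones,
            "prereq": rrs[:pc], "update": rrs[pc:pc + uc], "additional": rrs[pc + uc:]}

def _tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    # RFC 2845 3.4.2: NAME, CLASS (ANY), TTL (0), ALGORITHM, TIME SIGNED, FUDGE, ERROR, OTHER
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + time_signed + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret, now, algorithm="hmac-sha512", fudge=300):
    """Append a TSIG RR: MAC = HMAC-SHA512(secret, unsigned message || TSIG variables)."""
    time_signed = struct.pack("!Q", now)[2:]  # 48-bit seconds since the epoch
    mac = hmac.new(secret, msg + _tsig_variables(key_name, algorithm, time_signed, fudge),
                   hashlib.sha512).digest()
    rdata = (encode_name(algorithm) + time_signed + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error 0, other len 0
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    adcount = struct.unpack("!H", msg[10:12])[0] + 1  # the TSIG RR counts in the additional section
    return msg[:10] + struct.pack("!H", adcount) + msg[12:] + tsig_rr

def tsig_verify(signed, secret, now):
    """Server-side check: recompute the MAC over the message as it was before the TSIG RR."""
    parsed = parse(signed)
    if not parsed["additional"] or parsed["additional"][-1]["type"] != TYPE_TSIG:
        return False
    tsig = parsed["additional"][-1]
    rd = tsig["rdata"]
    algorithm, pos = decode_name(rd, 0)
    time_signed = rd[pos:pos + 6]
    fudge, maclen = struct.unpack("!HH", rd[pos + 6:pos + 10])
    mac = rd[pos + 10:pos + 10 + maclen]
    orig_id, error, other_len = struct.unpack("!HHH", rd[pos + 10 + maclen:pos + 16 + maclen])
    other = rd[pos + 16 + maclen:pos + 16 + maclen + other_len]
    if abs(now - int.from_bytes(time_signed, "big")) > fudge or orig_id != parsed["id"]:
        return False  # would be BADTIME, or an ID mismatch
    adcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack("!H", adcount) + signed[12:tsig["offset"]]
    variables = _tsig_variables(tsig["name"], algorithm, time_signed, fudge, error, other)
    expected = hmac.new(secret, unsigned + variables, hashlib.sha512).digest()
    return hmac.compare_digest(expected, mac)

if __name__ == "__main__":
    for with_prereq in (False, True):
        msg = build_update("lan.skrog.dk", "testmonkey.lan.skrog.dk", "2a00:fd00:fff0:a2cd::127",
                           prereq_nxdomain=with_prereq)
        signed = tsig_sign(msg, "tsig-151160.dynv6.com", SECRET, now=1597667353)
        p = parse(signed)
        print(f"prereq nxdomain={with_prereq}: PRCOUNT={len(p['prereq'])} UPCOUNT={len(p['update'])}"
              f" TSIG verifies={tsig_verify(signed, SECRET, 1597667353)}")
```

Running it prints PRCOUNT=0 for the plain `update add` and PRCOUNT=1 for the dhcpd-style request; the TSIG verifies in both cases, which matches the thread’s observation that the signature is fine and only the prerequisite section changes the server’s answer. The verifier deliberately rebuilds the message with ADCOUNT decremented and the TSIG RR cut off, because that is exactly what the signer digested; a server that forgets either step rejects every valid signature.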