[Bug 797356] Re: dhcp server does not support HMAC-SHA256

Falcon Darkstar Momot falcon at iridiumlinux.org
Tue Nov 19 11:38:36 UTC 2013


I find that this bug continues to exist in isc-dhcpd-4.2.4.

Also, it affects not only HMAC-SHA256, but HMAC-SHA{1,224,256,384,512}.
The only working algorithm is HMAC-MD5, which we don't want to use for
obvious reasons.

If another algorithm is specified, the server prints to the syslog that
it is "Unable to create tsec structure for %s", and all future DNS
updates are sent only unauthenticated, and are not retried after being
refused.  It no longer reports "bad DNS key", but it does warn that the
tsec is missing each time it attempts an update.

** Tags removed: natty
** Tags added: saucy

** Changed in: isc-dhcp (Ubuntu)
       Status: Expired => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/797356

Title:
  dhcp server does not support HMAC-SHA256

Status in “isc-dhcp” package in Ubuntu:
  Confirmed

Bug description:
  It seems the isc-dhcp server either does not support HMAC-SHA256 or it
  is broken.

  Steps to reproduce
  Set up a ddns using isc-dhcp and bind9.  Use an HMAC-MD5 key between dhcp and bind.
  Confirm that the setup is working.  Then repeat these steps:

  mpower at dodtsair:~/dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST dhcp
  Kdhcp.+163+35012
  mpower at dodtsair:~/temp$ cat Kdhcp.+163+35012.*
  dhcp. IN KEY 512 3 163 N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=
  Private-key-format: v1.3
  Algorithm: 163 (HMAC_SHA256)
  Key: N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=
  Bits: AAA=
  Created: 20110614185327
  Publish: 20110614185327
  Activate: 20110614185327
  mpower at dodtsair:~/temp$ sudo vim /etc/dhcp/dhcpd.conf 
  mpower at dodtsair:~/temp$ sudo cat /etc/dhcp/dhcpd.conf 
  ...
  #key dhcp {
  #        algorithm HMAC-MD5;
  #        secret "######################################";
  #};

  key dhcp {
          algorithm HMAC-SHA256;
          secret "N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=";
  };
  ...
  mpower at dodtsair:~/temp$ sudo vim /etc/bind/named.conf.d/localnet.conf 
  mpower at dodtsair:~/temp$ sudo cat /etc/bind/named.conf.d/localnet.conf 
  ...
  #key dhcp {
  #	algorithm HMAC-MD5;
  #	secret "#####################################";
  #};

  key dhcp {
  	algorithm HMAC-SHA256;
  	secret "N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=";
  };
  ...
  mpower at dodtsair:~/temp$ sudo /etc/init.d/bind9 restart
   * Stopping domain name service... bind9                                 [ OK ] 
   * Starting domain name service... bind9                                 [ OK ] 
  mpower at dodtsair:~/temp$ sudo /etc/init.d/isc-dhcp-server restart
   * Stopping ISC DHCP server dhcpd                                        [ OK ] 
   * Starting ISC DHCP server dhcpd                                        [ OK ]

  tail -f /var/log/syslog
  ...
  Jun 14 11:58:51 dodtsair dhcpd: if ubuntu1104.localnet. IN TXT "00e1de827daf7686f48ceb1c68e524f0bb" rrset exists and ubuntu1104.localnet. IN A 192.168.122.2 rrset exists delete ubuntu1104.localnet. IN A 192.168.122.2: bad DNS key.
  Jun 14 11:58:51 dodtsair dhcpd: DHCPREQUEST for 192.168.122.2 from 52:54:00:0e:b5:00 via virbr0
  Jun 14 11:58:51 dodtsair dhcpd: DHCPACK on 192.168.122.2 to 52:54:00:0e:b5:00 (ubuntu1104) via virbr0
  ...
  HMAC-MD5 works, HMAC-SHA256 does not.  MD5 is fairly broken, SHA1 is on the way out.  SHA256 is next on my list of secure hashes to use.

  Note also the dhcp server's cryptic error message "bad DNS key".  DHCP
  should verify it supports the key algorithm on start up, not on first
  use.  It should also state something more like "bad DNS key algorithm:
  HMAC-SHA256, not supported by dhcpd".

  ProblemType: Bug
  DistroRelease: Ubuntu 11.04
  Package: isc-dhcp-server 4.1.1-P1-15ubuntu9
  ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
  Uname: Linux 2.6.38-8-generic x86_64
  Architecture: amd64
  Date: Tue Jun 14 12:00:03 2011
  ProcEnviron:
   LANGUAGE=en_US:en
   PATH=(custom, user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: isc-dhcp
  UpgradeStatus: Upgraded to natty on 2011-05-17 (28 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/797356/+subscriptions
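Both reports above come down to the same operational gap: dhcpd only discovers at first update that it cannot build a TSIG context for the configured algorithm, and then silently falls back to unauthenticated updates. The following script is an added example (not part of the bug report, and not ISC's code) of the start-up check the reporter asks for, done out of band: it parses the active `key` stanzas from a dhcpd.conf and a named.conf fragment, verifies that each secret is valid base64 of at least the HMAC digest length, checks that both sides agree on name, algorithm and secret, and flags any algorithm outside a configurable set of algorithms the local dhcpd build is assumed to support. The `DHCPD_SUPPORTED` set (only HMAC-MD5, matching what both reports observed), the fixed `algorithm` before `secret` ordering in the parser, the sample secret and the two config fragments are all constructed assumptions of this example.

```python
import base64
import binascii
import re

# Assumption for this example: the local dhcpd build only accepts HMAC-MD5
# for TSIG, which is what both reports observed. Adjust to match your build.
DHCPD_SUPPORTED = {"hmac-md5"}

# HMAC output length in bytes per TSIG algorithm (RFC 2845 / RFC 4635 names).
HMAC_DIGEST_LEN = {
    "hmac-md5": 16,
    "hmac-sha1": 20,
    "hmac-sha224": 28,
    "hmac-sha256": 32,
    "hmac-sha384": 48,
    "hmac-sha512": 64,
}

# Matches a `key NAME { algorithm X; secret "Y"; };` stanza. Assumes the
# algorithm statement precedes the secret, as both files in the report do.
KEY_BLOCK = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;',
    re.IGNORECASE,
)

# Constructed sample secret: base64 of 32 bytes, the size `dnssec-keygen -b 256` yields.
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode()

# Constructed config fragments mirroring the shape of the files in the report.
SAMPLE_DHCPD_CONF = f"""
ddns-update-style interim;
#key dhcp {{
#        algorithm HMAC-MD5;
#        secret "oldsecret==";
#}};

key dhcp {{
        algorithm HMAC-SHA256;
        secret "{SAMPLE_SECRET}";
}};
"""

SAMPLE_NAMED_CONF = f"""
// TSIG key shared with dhcpd
key dhcp {{
\talgorithm HMAC-SHA256;
\tsecret "{SAMPLE_SECRET}";
}};
"""


def strip_comments(text):
    """Drop whole-line '#' (dhcpd) and '//' (BIND) comments so disabled stanzas are ignored."""
    kept = []
    for line in text.splitlines():
        body = line.lstrip()
        if body.startswith("#") or body.startswith("//"):
            continue
        kept.append(line)
    return "\n".join(kept)


def parse_keys(text):
    """Return {name: (algorithm_lowercase, secret)} for every active key stanza."""
    return {name: (alg.lower(), secret)
            for name, alg, secret in KEY_BLOCK.findall(strip_comments(text))}


def check_key(alg, secret):
    """Return a list of problems with one key; an empty list means it passed."""
    problems = []
    if alg not in HMAC_DIGEST_LEN:
        return [f"unknown TSIG algorithm {alg}"]
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return ["secret is not valid base64"]
    # RFC 2104 recommends an HMAC key at least as long as the digest output.
    if len(raw) < HMAC_DIGEST_LEN[alg]:
        problems.append(f"secret is {len(raw)} bytes, shorter than the {alg} digest "
                        f"({HMAC_DIGEST_LEN[alg]} bytes)")
    if alg not in DHCPD_SUPPORTED:
        problems.append(f"{alg} is not in the assumed dhcpd-supported set {sorted(DHCPD_SUPPORTED)}")
    return problems


def check_pair(dhcpd_conf, named_conf):
    """Cross-check dhcpd.conf against named.conf; return a list of findings."""
    findings = []
    dhcpd_keys = parse_keys(dhcpd_conf)
    named_keys = parse_keys(named_conf)
    for name, (alg, secret) in dhcpd_keys.items():
        findings.extend(f"dhcpd key {name}: {p}" for p in check_key(alg, secret))
        if name not in named_keys:
            findings.append(f"dhcpd key {name}: no matching key in named.conf")
            continue
        named_alg, named_secret = named_keys[name]
        if named_alg != alg:
            findings.append(f"key {name}: algorithm mismatch dhcpd={alg} bind={named_alg}")
        if named_secret != secret:
            findings.append(f"key {name}: secret differs between dhcpd and bind")
    return findings


if __name__ == "__main__":
    for line in check_pair(SAMPLE_DHCPD_CONF, SAMPLE_NAMED_CONF) or ["OK: keys consistent"]:
        print(line)
```

Run against the constructed sample it reports exactly one finding, that `hmac-sha256` is outside the assumed dhcpd-supported set, which is the condition that would otherwise only surface as "bad DNS key" or "Unable to create tsec structure" in syslog after the first lease. Feed it the real files (read them in place of the two sample strings) before restarting the daemons, and treat any finding as a reason not to restart.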
