Changes since 4.3.1
+- TSIG-authenticated dynamic DNS updates now support the use of these
+ additional algorithms: hmac-sha1, hmac_sha224, hmac_sha256, hmac_sha384,
+ and hmac_sha512
+ [ISC-Bugs #36947]
+
- Corrected rate limiting checks for bad packet logging.
[ISC-Bugs #36897]
connections to the isc and dns libraries */
/*
- * Copyright (c) 2009,2013 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2009,2013,2014 by Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
#define DHCP_MAXDNS_WIRE 256
#define DHCP_MAXNS 3
#define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."
isc_result_t dhcp_isc_name(unsigned char *namestr,
dns_fixedname_t *namefix,
dns_name_t *name;
dns_fixedname_t name0;
isc_buffer_t b;
+ unsigned int algorithm_code;
isc_buffer_init(&b, secret, length);
isc_buffer_add(&b, length);
- /* We only support HMAC_MD5 currently */
- if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
+ if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACMD5;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA1;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA224;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA256;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA384;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA512;
+ } else {
return(DHCP_R_INVALIDARG);
}
return(result);
}
- return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY,
+ return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,
DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
&b, dhcp_gbl_ctx.mctx, dstkey));
}
.\" dhcpd.conf.5
.\"
-.\" Copyright (c) 2004-2013 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 2004-2014 by Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (c) 1996-2003 by Internet Software Consortium
.\"
.\" Permission to use, copy, modify, and distribute this software for any
dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
.fi
.PP
+The key name, algorithm, and secret must match that being used by the DNS
+server. The DHCP server currently supports the following algorithms:
+.nf
+
+ HMAC-MD5
+ HMAC-SHA1
+ HMAC-SHA224
+ HMAC-SHA256
+ HMAC-SHA384
+ HMAC-SHA512
+.fi
+.PP
You may wish to enable logging of DNS updates on your DNS server.
To do so, you might write a logging statement like the following:
.PP