Private-key-format v1.2 with algorithm HMAC-MD5 broken on upgrade 9.18.7 -> 9.18.8
Summary
Upgrading bind-tools 9.18.7 to 9.18.8 broke our calls to nsupdate, with nsupdate now refusing to read the existing key.
```
$ nsupdate -k Kdyn.space.net.+157+31584.private -v /tmp/upd.txt
09-Nov-2022 19:19:30.108 Kdyn.space.net.+157+31584.private:1: unknown option 'Private-key-format:'
09-Nov-2022 19:19:30.109 Kdyn.space.net.+157+31584.private:4: unexpected token near end of file
could not read key from Kdyn.space.net.+157+31584.{private,key}: unexpected token
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
...
update failed: REFUSED
```
BIND version used
```
$ nsupdate -V
nsupdate 9.18.8
```
Steps to reproduce
This is a standard nsupdate key, containing (key itself redacted):
```
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: XXXXXXXX==
```
and a standard update script containing:
```
server newton.space.net
zone dyn.space.net
update delete openvpn-ma-nomatch.openvpn-tcp.dyn.space.net A
update add openvpn-ma-nomatch.openvpn-tcp.dyn.space.net 300 A 10.40.68.10
show
send
zone 68.40.10.in-addr.arpa
update delete 10.68.40.10.in-addr.arpa PTR
update add 10.68.40.10.in-addr.arpa 300 PTR openvpn-ma-nomatch.openvpn-tcp.dyn.space.net.
show
send
```
... this works fine with 9.18.7, and does not work with 9.18.8
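The key file shown above carries the algorithm twice: as a number in the file name (`+157+`) and as `Algorithm: 157 (HMAC_MD5)` inside the file, so a loader has to resolve that number against a fixed table before it can use the secret. The following Python loader is an added example written for this page, not BIND's or nsupdate's code. It parses a `Private-key-format: v1.2` file, cross-checks the number in the file name, the number in the file and the label in parentheses, and only then builds an HMAC signer. The value 157 (HMAC_MD5) is taken from the report; the other algorithm numbers and the `K<name>+<alg>+<id>.private` file-name layout are the editor's assumptions. The sample key file and secret are constructed for the example.

```python
"""Load a BIND "Private-key-format: v1.2" TSIG key file for signing updates.

Added example (not BIND code): every field must be recognised and the numeric
algorithm must agree with its label before the secret is used.
"""
from __future__ import annotations

import base64
import hmac
import re
from dataclasses import dataclass

# Algorithm numbers as written in the key file. 157 (HMAC_MD5) is the value
# shown in the report; the remaining entries are the editor's assumption about
# BIND's historical private numbering, not values taken from the page.
PRIVATE_KEY_ALGORITHMS = {
    157: ("HMAC_MD5", "md5"),
    161: ("HMAC_SHA1", "sha1"),
    162: ("HMAC_SHA224", "sha224"),
    163: ("HMAC_SHA256", "sha256"),
    164: ("HMAC_SHA384", "sha384"),
    165: ("HMAC_SHA512", "sha512"),
}
KNOWN_FIELDS = {"Private-key-format", "Algorithm", "Key"}
# Assumed file-name layout: K<name>+<3-digit alg>+<5-digit key id>.private
FILENAME_RE = re.compile(r"^K(?P<name>.+?)\+(?P<alg>\d{3})\+(?P<id>\d{5})\.private$")


class KeyFileError(ValueError):
    """Any untrusted key file. Callers get no key at all, so there is no
    partially loaded key with which an unsigned update could be sent."""


@dataclass(frozen=True)
class TsigKey:
    name: str      # key name taken from the file name, e.g. "dyn.space.net."
    number: int    # algorithm number as written in the file
    digest: str    # hashlib digest name used for the HMAC
    secret: bytes


def parse_key_filename(filename: str) -> tuple[str, int, int]:
    m = FILENAME_RE.match(filename)
    if not m:
        raise KeyFileError(f"{filename}: not a K<name>+<alg>+<id>.private file name")
    return m.group("name"), int(m.group("alg")), int(m.group("id"))


def parse_private_key(filename: str, text: str) -> TsigKey:
    name, alg_from_name, _key_id = parse_key_filename(filename)
    fields: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if not m or m.group(1) not in KNOWN_FIELDS:
            raise KeyFileError(f"{filename}:{lineno}: unknown option {line.split(':')[0]!r}")
        fields[m.group(1)] = m.group(2).strip()
    for required in ("Private-key-format", "Algorithm", "Key"):
        if required not in fields:
            raise KeyFileError(f"{filename}: missing field {required}")
    if fields["Private-key-format"] != "v1.2":
        raise KeyFileError(f"{filename}: unsupported format {fields['Private-key-format']!r}")
    m = re.match(r"^(\d+)\s*\((\w+)\)$", fields["Algorithm"])
    if not m:
        raise KeyFileError(f"{filename}: malformed Algorithm field {fields['Algorithm']!r}")
    number, label = int(m.group(1)), m.group(2)
    if number != alg_from_name:
        raise KeyFileError(f"{filename}: file name says algorithm {alg_from_name}, file says {number}")
    if number not in PRIVATE_KEY_ALGORITHMS:
        raise KeyFileError(f"{filename}: unsupported algorithm number {number}")
    expected_label, digest = PRIVATE_KEY_ALGORITHMS[number]
    if label != expected_label:
        raise KeyFileError(f"{filename}: algorithm {number} is {expected_label}, not {label}")
    try:
        secret = base64.b64decode(fields["Key"], validate=True)
    except ValueError as exc:
        raise KeyFileError(f"{filename}: Key is not valid base64") from exc
    if not secret:
        raise KeyFileError(f"{filename}: empty key")
    return TsigKey(name, number, digest, secret)


def sign(key: TsigKey, message: bytes) -> bytes:
    """HMAC over the message with the loaded key (the MAC TSIG would carry)."""
    return hmac.new(key.secret, message, key.digest).digest()


def is_rejected(filename: str, text: str) -> bool:
    """True when the loader refuses the file, i.e. nothing would be signed."""
    try:
        parse_private_key(filename, text)
    except KeyFileError:
        return True
    return False


# Constructed sample: same layout as the key in the report, throwaway secret.
SAMPLE_FILENAME = "Kdyn.space.net.+157+31584.private"
SAMPLE_TEXT = "Private-key-format: v1.2\nAlgorithm: 157 (HMAC_MD5)\nKey: Y29uc3RydWN0ZWQtc2VjcmV0\n"

if __name__ == "__main__":
    key = parse_private_key(SAMPLE_FILENAME, SAMPLE_TEXT)
    print(key.name, key.number, key.digest, sign(key, b"update").hex())
    # A file whose number no longer matches its label is refused outright.
    print(is_rejected(SAMPLE_FILENAME, SAMPLE_TEXT.replace("157", "160")))
```

The loader raises on any inconsistency instead of returning a partial key, so the caller cannot fall through to sending an unsigned packet the way the report shows nsupdate doing; on the server side the unsigned update was correctly answered with REFUSED, which is the fail-closed behaviour to check for when a client-side key problem like this appears.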
What is the current bug behavior?
nsupdate complains about not being able to parse the key (see above), and sends an unsigned packet
What is the expected correct behavior?
no error message, send a signed update
Possible fixes
git bisect leads me to
```
commit 0bbc0c61e3c98aded2e2b230b52c1d66c8bbd5fe (HEAD)
Author: Mark Andrews <marka@isc.org>
Date:   Thu Sep 15 19:18:53 2022 +1000

    Convert DST_ALG defines to enum and group HMAC algorithms

    The HMACs and GSSAPI are just using unallocated values.
    Moving them around shouldn't cause issues.

    Only the dnssec system test knew the internal number in use for hmacmd5.
```
which moves HMAC_MD5 from 157 to 160 - not sure why that upsets nsupdate, or why that magic number would be exposed anywhere, but this is the commit that breaks things...