Port-amd64 archive


Re: Changes to named between 7.0 and 9.2?



steve%prd.co.uk@localhost (Steve Blinkhorn) writes:

> Hi Brad,
>
> Well I think I know why there's an error now.  It looks as though on
> the 9.2 installations dnssec-keygen is the more recent version,
> without the HMAC-MD5 algorithm, whereas there is no tsig-keygen
> command/executable/manpage.
>
> Should it be somewhere other than in the base.tar.xz set?
>
> --
> Steve Blinkhorn <steve%prd.co.uk@localhost>

..and..

> And just to confirm, adding a symlink named tsig-keygen to
> /usr/sbin/ddns-confgen means that nsupdate now works from my 9.2
> installations.  What should it be, a hard link? a separate copy?  And
> is there anything else I might be missing of this kind in 9.2?
> 
> --
> Steve Blinkhorn <steve%prd.co.uk@localhost>

tsig-keygen does not appear to be installed in the base at all, so you
won't find it in any of the sets.  The version of BIND in NetBSD 9.2
appears to be 9.14.7 which is old enough to have tsig-keygen available,
but it appears that the base build does not build and/or install it (it
is also not built and/or installed in -current either).  According to
one source I just read, BIND 9.13.xx was when tsig-keygen was
introduced.

As you have discovered, if you hard link / symlink ddns-confgen to
tsig-keygen you will get a working tsig-keygen command.  The place that
this belongs is in /usr/sbin and all that should be needed is for the
hard link to be created when the OS build runs and to install the man
page (maybe on the man page... ArchLinux didn't and just presents the
ddns-confgen page if you "man tsig-keygen", so maybe just a man page
link).  A PR should probably be filed for this.  This probably will
prevent acme.sh from working at all in the later NetBSD versions.  The
lack of tsig-keygen really should not have messed with the nsupdate
command as that is a totally different program.  I didn't look very
closely at what acme.sh and all of its related parts are trying to do,
but if it was trying to run dnssec-keygen with a hmac-md5 argument that
would not work, as you have noticed.  Given the wide range of situations
that acme.sh is trying to support it may be attempting to auto detect
what is available and, not finding tsig-keygen, falling back to
dnssec-keygen.







-- 
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
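
The generator selection discussed in the message above, as an added shell example (not part of the original message and not acme.sh's code): it prefers tsig-keygen, uses ddns-confgen when only that name is installed, and refuses rather than dropping to dnssec-keygen with HMAC-MD5. The function names, the key name `ddns-update-key` and the choice of hmac-sha256 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. tsig-keygen and ddns-confgen are one BIND utility that
# behaves differently depending on the name it is invoked as, which is why
# linking ddns-confgen to tsig-keygen yields a working tsig-keygen.

# find_in_path NAME SEARCH_PATH
# Prints the first executable NAME found in the colon-separated SEARCH_PATH.
find_in_path() {
    _name=$1
    _old_ifs=$IFS
    IFS=:
    for _dir in $2; do
        _cand="${_dir:-.}/$_name"
        if [ -x "$_cand" ] && [ ! -d "$_cand" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_cand"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# tsig_keygen_cmd KEYNAME [SEARCH_PATH]
# Prints the command line that emits an HMAC-SHA256 TSIG key clause for
# KEYNAME. SEARCH_PATH defaults to $PATH. Returns 1 if no generator exists.
tsig_keygen_cmd() {
    _key=$1
    _search=${2:-$PATH}
    if _bin=$(find_in_path tsig-keygen "$_search"); then
        # tsig-keygen takes the key name as a positional argument.
        printf '%s -a hmac-sha256 %s\n' "$_bin" "$_key"
    elif _bin=$(find_in_path ddns-confgen "$_search"); then
        # Invoked as ddns-confgen: -q prints only the key clause, -k names it.
        printf '%s -q -a hmac-sha256 -k %s\n' "$_bin" "$_key"
    else
        # Newer dnssec-keygen has no HMAC-MD5, so there is nothing to fall back to.
        echo "no tsig-keygen or ddns-confgen found; not using dnssec-keygen" >&2
        return 1
    fi
}

# Show what would be run on this host (hypothetical key name).
tsig_keygen_cmd ddns-update-key || true
```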

