Bug 1396985 - dhcpd only supports insecure HMAC-MD5 algorithm for DDNS
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dhcp
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Pavel Zhukov
QA Contact: Release Test Team
Ioanna Gkioka
Depends On:
Blocks: 1465887 1465928
Reported: 2016-11-21 10:29 UTC by Tuomo Soini
Modified: 2020-12-14 07:53 UTC

Fixed In Version: dhcp-4.2.5-61.el7
Doc Type: Release Note
Doc Text:
`DDNS` now supports additional algorithms

Previously, the `dhcpd` daemon supported only the `HMAC-MD5` hashing algorithm, which is considered insecure for critical applications. As a consequence, the `Dynamic DNS (DDNS)` updates were potentially insecure. This update adds support for additional algorithms: `HMAC-SHA1`, `HMAC-SHA224`, `HMAC-SHA256`, `HMAC-SHA384`, or `HMAC-SHA512`.
Clone Of:
Last Closed: 2018-04-10 08:00:52 UTC
Target Upstream Version:

Attachments
Backported upstream fix (3.77 KB, text/plain)
2016-11-21 10:29 UTC, Tuomo Soini

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Bugzilla | 1066603 | 0 | low | CLOSED | [RFE] dhcpd is not able to use HMAC-SHA1 or better for dyndns updates | 2021-02-22 00:41:40 UTC |
| Red Hat Product Errata | RHBA-2018:0658 | 0 | None | None | None | 2018-04-10 08:01:58 UTC |

Internal Links: 1066603

Description Tuomo Soini 2016-11-21 10:29:55 UTC
Created attachment 1222357
Backported upstream fix

dhcp-4.2.5-47.el7 only supports the known-to-be-insecure HMAC-MD5 algorithm for dynamic DNS updates. I'd suggest backporting the upstream fix, which adds support for HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512.

From e4a2cb79b2679738f56b3803a44c9899f6982c09 Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tmark@isc.org>
Date: Mon, 8 Sep 2014 11:41:44 -0400
Subject: [PATCH] [v4_2] Addes addtional HMAC TSIG algorithms to DDNS

    Merges in rt36947
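
An added example, not part of the bug report or of the dhcp package: it parses the `key` and `zone` blocks of a dhcpd.conf and reports which DDNS zones are still signed with an HMAC-MD5 TSIG key, which is what to check once a build with the additional algorithms (dhcp-4.2.5-61.el7 per this bug) is installed. The sample config, key names, zone names and secrets are constructed; handling of the long `HMAC-MD5.SIG-ALG.REG.INT` spelling is an assumption about how older configs name the algorithm.

```python
import re

# Algorithm names as listed on this page: HMAC-MD5 is the weak one,
# the others are the ones added by the fix.
WEAK = {"hmac-md5"}
ADDED = {"hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512"}
LEGACY_SUFFIX = ".sig-alg.reg.int"  # assumed long form of the HMAC-MD5 name

KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}', re.S)
ALGO_RE = re.compile(r"\balgorithm\s+([\w.-]+)\s*;", re.I)
ZONE_RE = re.compile(r"\bzone\s+([\w.-]+)\s*\{([^}]*)\}", re.S)
ZONE_KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;')

def normalize(algo):
    """Lower-case the name and drop the legacy suffix so both spellings compare equal."""
    algo = algo.lower()
    return algo[:-len(LEGACY_SUFFIX)] if algo.endswith(LEGACY_SUFFIX) else algo

def audit(conf_text):
    """Return {key_name: (algorithm, verdict, [zones signed with that key])}."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # strip '#' comments before matching
    keys = {}
    for name, body in KEY_RE.findall(text):
        m = ALGO_RE.search(body)
        algo = normalize(m.group(1)) if m else "(none)"
        verdict = "weak" if algo in WEAK else "added-by-fix" if algo in ADDED else "unknown"
        keys[name] = [algo, verdict, []]
    for zone, body in ZONE_RE.findall(text):
        m = ZONE_KEY_RE.search(body)  # 'key NAME;' inside a zone is a reference
        if m and m.group(1) in keys:
            keys[m.group(1)][2].append(zone)
    return {name: tuple(info) for name, info in keys.items()}

# Constructed sample config: names and secrets are placeholders.
SAMPLE = '''
# constructed sample
key LEGACY_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "cGxhY2Vob2xkZXI=";
}
key NEW_UPDATER { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXI="; }
zone example.org. { primary 127.0.0.1; key LEGACY_UPDATER; }
zone 2.0.192.in-addr.arpa. { primary 127.0.0.1; key LEGACY_UPDATER; }
zone lab.example.org. { primary 127.0.0.1; key NEW_UPDATER; }
'''

if __name__ == "__main__":
    for name, (algo, verdict, zones) in audit(SAMPLE).items():
        print(f"{name}: {algo} [{verdict}] zones={', '.join(zones) or '-'}")
```

Moving a zone off HMAC-MD5 means changing the key on both the dhcpd side and the DNS server that accepts the updates, since both ends must agree on the TSIG algorithm and secret.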

Comment 12 Tuomo Soini 2018-01-24 20:35:38 UTC
Fix for Doc Text: "HMAC-MD5" - not MD5.

Comment 13 Ioanna Gkioka 2018-01-25 08:09:46 UTC
Fixed. The Doc text updated. Thanks, Tuomo.

Comment 16 errata-xmlrpc 2018-04-10 08:00:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
