OMAPI key generation without BIND


Michael De Roover
Hello,

Earlier I've deployed 2 DHCP servers running ISC DHCP. These were
configured to communicate with each other via OMAPI. Online I found
https://kb.isc.org/docs/aa-00502 with which I configured the OMAPI
control channel. I also found
https://kb.isc.org/docs/en/isc-dhcp-44-manual-pages-omapi, however this
appears to be tailored to developers who wish to integrate their
applications with OMAPI.

The former article worked well to configure it,
but it suggests that we use BIND to generate the OMAPI key. I use BIND
on my name servers, and was able to generate a key on one of those name
servers. This does mean however that not only the DHCP servers, but
also the name servers (and my laptop through the clipboard) know this
OMAPI key. I'd rather keep strict boundaries between these environments
and have the DHCP servers capable of generating this key on their own,
preferably without having to install BIND there (as that runs somewhere
else).

The hashing algorithm used to generate these OMAPI keys appears to be
HMAC-MD5. I could not find any standard system utilities that can
generate this kind of key. Are there any such tools available for
conventional Linux systems? Are there any other hashing algorithms that
are supported for this OMAPI key? Alternatively, would it be possible
to include the relevant code from dnssec-keygen in ISC DHCP?

Perhaps this part would be better suited for kea-users, but how well is
DHCP failover supported there? Is it easier to use standard system
tools to generate them for this DHCP server? If so that might be a
reason to upgrade.

Thank you!
--
Michael De Roover <[hidden email]>

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
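
On the question above about creating the key on the DHCP servers themselves, here is an added example (not part of the original post and not ISC's code): the `secret` in an `hmac-md5` key stanza is base64-encoded random bytes, so standard coreutils can produce it locally. The key name `omapi_key`, the output path and the 64-byte length are assumptions.

```shell
#!/bin/sh
# Added example: create an OMAPI shared secret on the DHCP server itself.
# An HMAC key is just random bytes; dhcpd.conf wants them base64-encoded.

KEY_BYTES=64   # assumption: 512 bits, the HMAC-MD5 block size

# Print KEY_BYTES random bytes from the kernel CSPRNG as one base64 line.
gen_omapi_secret() {
    head -c "$KEY_BYTES" /dev/urandom | base64 | tr -d '\n'
}

# Count the bytes a base64 string decodes to (sanity check before use).
secret_len() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Render the dhcpd.conf key stanza. $1 = key name, $2 = base64 secret.
render_key_stanza() {
    printf 'key %s {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$1" "$2"
}

# Write the stanza to $2 with mode 0600 so the secret never sits in a
# world-readable file. $1 = key name (hypothetical), $2 = output path.
write_omapi_key() {
    name=$1 out=$2
    secret=$(gen_omapi_secret) || return 1
    if [ "$(secret_len "$secret")" -ne "$KEY_BYTES" ]; then
        echo "short read from /dev/urandom, refusing to write key" >&2
        return 1
    fi
    ( umask 077 && render_key_stanza "$name" "$secret" > "$out" ) || return 1
    chmod 600 "$out"   # also tightens a file that already existed
}

# Usage (path is an assumption): write_omapi_key omapi_key /etc/dhcp/omapi.key
# then in dhcpd.conf:  include "/etc/dhcp/omapi.key";  omapi-key omapi_key;
```

Because the file is created under `umask 077` and pulled in with `include`, the secret never has to pass through a name server or a clipboard.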