Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Carsten Strotmann
cas at strotmann.de
Thu Mar 6 07:55:28 UTC 2014
Gaurav Kansal <gaurav.kansal at nic.in> writes:
> I was wondering if HMAC* keys are not used for zone then why the same
> is displayed when we use "dnssec-keygen -h".
The tool "dnssec-keygen" can be used to create both "zone" keys (with
"-n ZONE") for DNSSEC zone signing, and "host" keys (with "-n HOST") for
TSIG signing of the communication between hosts.
Keys of type "zone" are public/private key pairs
(https://en.wikipedia.org/wiki/Public-key_cryptography), whereas keys of
type "host" are symmetric keys
(https://en.wikipedia.org/wiki/Symmetric-key_algorithm).
To add to the confusion, "dnssec-keygen" generates two files when used
with "-n HOST":
shell> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ns1.example.com
Kns1.example.com.+157+16495
shell> ls -l Kns1.example.com.+157+16495.*
-rw------- 1 cas staff 124 Mar 6 08:48 Kns1.example.com.+157+16495.key
-rw------- 1 cas staff 229 Mar 6 08:48 Kns1.example.com.+157+16495.private
These are symmetric TSIG keys; both files contain the same secret key
(although the filename extensions might indicate a public-private key
pair)!
To create a DNSSEC "zone" key, use:
shell> dnssec-keygen -a RSASHA512 -b 2048 -n ZONE example.com
Generating key pair...................+++ ..+++
Kexample.com.+010+18335
shell> ls -l Kexample.com.+010+18335.*
-rw-r--r-- 1 cas staff 607 Mar 6 08:51 Kexample.com.+010+18335.key
-rw------- 1 cas staff 1777 Mar 6 08:51 Kexample.com.+010+18335.private
This time the file with the extension ".key" contains the public key
(DNSKEY) resource record, and the file with the extension ".private"
contains the private key.
I agree that it might be nice to change "dnssec-keygen" to make the tool
more user-friendly. The current state of things is because of historic
developments in how DNSSEC came to birth.
-- Carsten
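The naming convention and file contents described above can be sanity-checked without running BIND. The following is an added example (not part of the thread and not BIND's own code) that parses a `K<owner>.+<alg>+<id>` base name, recomputes the key id from the record in the `.key` file using the RFC 4034 Appendix B key-tag algorithm, and for the TSIG (HMAC) algorithms confirms that the `.key` and `.private` files carry the same secret. It assumes the `.key` file holds one `KEY`/`DNSKEY` record (comment lines starting with `;` are skipped) and that the `.private` file of an HMAC key has a `Key: <base64>` line; the sample key material is constructed, not a real key.

```python
"""Sanity-check a dnssec-keygen output pair against its file name (added example)."""
import base64
import re

# Assumed layouts: K<owner>.+<alg:3 digits>+<id:5 digits>{.key,.private}
FNAME_RE = re.compile(r"^K(?P<owner>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})$")
# Assumed: BIND's private-use numbers for the HMAC (TSIG) algorithms
HMAC_ALGS = {157, 158, 159, 160, 161, 162, 163, 164, 165}

def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the KEY/DNSKEY rdata (alg != 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_key_file(text: str) -> dict:
    """Parse the single resource record in a K*.key file, ignoring ';' comments."""
    line = next(l for l in text.splitlines() if l.strip() and not l.startswith(";"))
    f = line.split()  # owner, class, type, flags, proto, alg, base64...
    return {"type": f[2], "flags": int(f[3]), "proto": int(f[4]), "alg": int(f[5]),
            "key": base64.b64decode("".join(f[6:]))}

def check_key_pair(basename: str, key_text: str, private_text: str) -> list:
    """Return a list of mismatches between the file name and the file contents."""
    m = FNAME_RE.match(basename)
    if not m:
        return [f"unexpected file name {basename!r}"]
    rec = parse_key_file(key_text)
    problems = []
    if int(m["alg"]) != rec["alg"]:
        problems.append("algorithm in name differs from record")
    if int(m["id"]) != key_tag(rec["flags"], rec["proto"], rec["alg"], rec["key"]):
        problems.append("key id in name differs from computed key tag")
    secret = re.search(r"^Key:\s*(\S+)$", private_text, re.M)
    if rec["alg"] in HMAC_ALGS:  # symmetric TSIG key: both files hold the secret
        if rec["type"] != "KEY":
            problems.append("TSIG key should be a KEY record")
        if secret is None or base64.b64decode(secret[1]) != rec["key"]:
            problems.append("TSIG secret differs between .key and .private")
    elif rec["type"] != "DNSKEY":  # asymmetric zone key: .key is the public DNSKEY
        problems.append("zone key should be a DNSKEY record")
    return problems

# Constructed sample (not a real key): a 512-bit HMAC-MD5 TSIG key as on the list
SAMPLE_SECRET = bytes(range(64))
SAMPLE_B64 = base64.b64encode(SAMPLE_SECRET).decode()
SAMPLE_KEY = "ns1.example.com. IN KEY 512 3 157 " + SAMPLE_B64 + "\n"
SAMPLE_PRIVATE = "Private-key-format: v1.3\nAlgorithm: 157 (HMAC_MD5)\nKey: " + SAMPLE_B64 + "\nBits: AAA=\n"
SAMPLE_NAME = f"Kns1.example.com.+157+{key_tag(512, 3, 157, SAMPLE_SECRET):05d}"
```

Running `check_key_pair` over real files from a key directory catches a renamed or hand-edited pair before it is referenced from named.conf.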