dnssec-key 'unknown algorithm RSASHA512'

Sat Jan 13 01:43:49 UTC 2024

Oh, please do not forget to generate new my-tsig after sharing your 
current with all of us.

Next time please use named-checkconf -px named.conf.tsigkeys to filter 
out secrets.

As Anand already wrote, shared keys are not asymmetric keys generated by 
dnssec-keygen. That have been split since 9.16 into separate generators 
focused only on shared keys. Use tsig-keygen or ddns-confgen to create 
shared keys. dnssec-keygen is now only for generating keys with .private 
part, which are used in DNSSEC signing only, used in zone files. Usually 
not for anything related to ACLs, as for example dynamic updates. 
ddns-confgen is exactly for that.

Cheers, Petr

On 1/11/24 12:58, trgapp16 via bind-users wrote:
> Hello,
> Bind version - 9.18.12
>
> -->This is the command I used for generating dnssec-keygen keys -
>
> root at dhcpt: /etc/bind# dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
> Kexample.com.+013+43215.key
> Kexample.com.+013+43215.private
>
> root at dhcpt:/etc/bind# cat Kexample.com.+013+43215.private
> Private-key-format: v1.3
> Algorithm: 13 (ECDSAP256SHA256)
> PrivateKey: ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk=
> Created: 20240111045202
> Publish: 20240111045202
> Activate: 20240111045202
>
> -->With help of the private key i generated one file with name "named.conf.tsigkeys" at
> /etc/bind -
>   
> root at dhcpt:/etc/bind# cat named.conf.tsigkeys
>
> key "my-tsig" {
>     algorithm "ECDSAP256SHA256";
>     secret "ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk=";
> };
>
> --> below is the error received when i restart named service
>
> root at dhcpt:/etc/bind# named-checkconf
> /etc/bind/named.conf.tsigkeys:2: unknown algorithm 'ECDSAP256SHA256'
>
> Any help is greatly appreciated.
>
> Regards,
> Mounika
>
>
> On Thu, 11 Jan 2024 15:49:18 +1100, Mark Andrews wrote
>> Firstly show what you are actually doing.  It it too much for you to actually
>> cut-and-paste what you are doing?
>>
>> Secondly BIND 9.18 is at 9.18.22.  Version 9.18.8 is seriously out of date.
>>
>>> On 11 Jan 2024, at 15:21, pvs via bind-users<bind-users at lists.isc.org>  wrote:
>>>
>>> Hello,
>>>
>>> I'm  using ubuntu 22.04 server on which bind 9.18.8 service is running.
>>> I'm trying to generate dnssec-key by using the command  "dnssec-keygen -a RSASHA512
> -b 2048 -n zone example.com"
>>> After doing this, it is generating both public key and private key.  When I generate
> a file with aprivate key in /etc/bind directory, it is throwing error  'unknown
> algorithm 'RSASHA512'
>>> Same error is thrown when tried with other algorithms like ECDSAP256SHA256, RSASHA1,
> RSASHA256 etc
>>> Any help is greatly appreciated.
>>>
>>> -- 
>>> Regards,
>>>
>>> पं. विष्णु शंकर P. Vishnu Sankar
>>> टीम लीडर Team Leader-Network Operations
>>> सी-डॉट C-DOT
>>> इलैक्ट्रॉनिक्स सिटी फेज़ I Electronics City Phase I
>>> होसूर रोड बेंगलूरु Hosur Road Bengaluru – 560100
>>> फोन Ph 91 80 25119466
>>> ------------------------------------------------------
>>> Disclaimer :
>>> This email and any files transmitted with it are confidential and intended solely
> for the use of the individual or entity to whom they are addressed.
>>> If you are not the intended recipient you are notified that disclosing, copying,
> distributing or taking any action in reliance on the contents of this information is
> strictly prohibited.
>>> The sender does not accept liability for any errors or omissions in the contents of
> this message, which arise as a result.
>>> -- 
>>> Visithttps://lists.isc.org/mailman/listinfo/bind-users  to unsubscribe from this
> list
>>> ISC funds the development of this software with paid support subscriptions. Contact
> us athttps://www.isc.org/contact/  for more information.
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET:marka at isc.org
>>
>> -- 
>> Visithttps://lists.isc.org/mailman/listinfo/bind-users  to unsubscribe from
>> this list
>>
>> ISC funds the development of this software with paid support subscriptions.
>> Contact us athttps://www.isc.org/contact/  for more information.
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> ### Please consider the environment and print this email only if necessary . Go Green
> ###
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Disclaimer :
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you are not the intended recipient you are notified that disclosing,
> copying, distributing or taking any action in reliance on the contents of this
> information is strictly prohibited. The sender does not accept liability
> for any errors or omissions in the contents of this message, which arise as a
> result.
>
> --
> Open WebMail Project (http://openwebmail.org)
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat,https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240113/ef0426e1/attachment.htm>