TSIG keys

Michael H. Warfield mhw at wittsend.com
Thu Jun 28 17:02:54 UTC 2001


On Thu, Jun 28, 2001 at 12:05:14PM +0530, Madan Rai wrote:
> hi
> can anybody tell me how to generate TSIG keys for master and slave
> and how to put them in conf file
> we are running bind 8.2.3 -REL
> Madan Rai


	If you look in the Bind9-ARM (Administrators Reference Manual),
there is a pretty good explanation of how to set up TSIG keys.  In fact
there is a whole section on generating keys, copying them between
hosts and access control.

	The only significant difference between the Bind9-ARM and Bind
version 8 is the name of the keygen program.  Bind9 uses dnssec-keygen.
Bind8 uses dnskeygen.  They both function the same way and use the same
parameters and generate the same output.  Configuration and setup
information is the same between version 8 and version 9.

	That being said...  There is one gotcha that you should be aware
of, and for which I have published a security advisory.  When using
dnssec-keygen or dnskeygen to generate HMAC-MD5 keys for TSIG, the
secret keying material is stored in both the .private and .key files.
The permissions on the .key file are too loose and other users on the
system may be able to read the file and obtain the key material.  This
is not a good thing.  :-)  Make sure your directory is chmoded 700 and
set umask to 066 before running either dnskeygen or dnssec-keygen.

> Madan Rai
> Net4India Ltd.
> www.net4india.com
> Phone - +91-11- 610 2911,610 4227
> Fax- +91-11-6102781

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
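
The precaution described in the reply above, as an added example that is not part of the original post: a wrapper that runs a key generator inside a 700 directory with umask 066, and an audit that lists key files or directories with any group/other permission bit set. The function names, the `fake_keygen` stand-in and its `Kexample...` file names are assumptions constructed for illustration; substitute the real dnskeygen or dnssec-keygen command line from the ARM.

```shell
#!/bin/sh
# Added example; function names and sample file names are hypothetical.

# Run a key generator (everything after the directory argument) inside a
# directory that is mode 700, with umask 066 in effect. The subshells keep
# the umask and the cd from leaking into the caller's environment.
# Usage: keygen_private ./tsig-keys <keygen command and its arguments>
keygen_private() {
    dir=$1; shift
    ( umask 077 && mkdir -p "$dir" ) && chmod 700 "$dir" || return 1
    ( umask 066 && cd "$dir" && "$@" )
}

# Print every directory, K*.key and K*.private path under $1 that has any
# group or other permission bit set. No output means nothing is exposed
# to other local users. Uses only POSIX find syntax.
audit_keydir() {
    find "$1" \( -type d -o -name 'K*.key' -o -name 'K*.private' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Constructed stand-in for the key generator so the example runs without
# BIND installed. It writes a .key/.private pair with default creation
# modes, so the resulting permissions depend only on the umask in effect.
# The contents are placeholders, not real key material.
fake_keygen() {
    echo 'PLACEHOLDER-NOT-A-KEY' > 'Kexample.+157+00000.key'
    echo 'PLACEHOLDER-NOT-A-KEY' > 'Kexample.+157+00000.private'
}
```

Running `audit_keydir` over an existing key directory shows whether keys generated earlier under a looser umask need a `chmod 600`.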



More information about the bind-users mailing list