rndc key for bind 9.3.0. catch-22?
Jason Vas Dias
jvdias at redhat.com
Mon Dec 6 18:51:15 UTC 2004
On Mon, 2004-12-06 at 12:47, Christopher L. Barnard wrote:
> I am confused. This is bind 9.3.0.
>
> from the rndc man page:
>
> [...] In the current versions of rndc and named named the
> only supported authentication algorithm is HMAC-MD5 [...]
>
> however, when I try to generate a key
>
> root#> /opt/local/sbin/dnssec-keygen -a hmac-md5 -b 512 -n ZONE cbot.com
> dnssec-keygen: a key with algorithm 'hmac-md5' cannot be a zone key
>
> That dnssec-keygen command worked fine with bind9 prior to version 9.3.0.
> An existing key works fine on a server that has been upgraded to bind
> 9.3.0 from 9.2.3. However a new installation of bind 9.3.0 fails because
> I cannot generate the key for rndc. How do I generate a key for the
> /etc/rndc.conf file with bind version 9.3.0?
>
> +-----------------------------------------------------------------------+
> | Christopher L. Barnard O When I was a boy I was told that |
> | cbarnard at tsg.cbot.com / \ anybody could become president. |
> | (312) 347-4901 O---O Now I'm beginning to believe it. |
> | http://www.cs.uchicago.edu/~cbarnard --Clarence Darrow |
> +----------PGP public key available via finger or PGP keyserver---------+
>
>
You could substitute 'HOST' for 'ZONE' in the dnssec-keygen command, and
then copy the generated key (the last field of the KEY record) from
either the K*.public or K*.private files (removing spaces) into the
'rndc.key' file.
Alternatively, you could use the attached C-program
which generates a usable hmac-md5 key on stdout.
This is used by Red Hat's BIND distribution to generate
the initial rndc.key:
--- BEGIN "keygen.c" C program attachment
#include <stdio.h>
#include <string.h>

int main(void)
{
    FILE *f = fopen("/dev/urandom", "r");
    char key[61];
    int i = 0;
    int tmp;                 /* fgetc() returns an int so that EOF can be detected */

    if (f == NULL) {
        perror("/dev/urandom");
        return 1;
    }
    memset(key, 0, sizeof key);
    /* Rejection sampling: keep only [A-Za-z0-9] bytes, so each of the 62
       symbols is equally likely and the 60-character key is uniformly random */
    while (i < 60) {
        tmp = fgetc(f);
        if (tmp == EOF) {
            fclose(f);
            return 1;
        }
        if ((tmp >= 'a' && tmp <= 'z') ||
            (tmp >= 'A' && tmp <= 'Z') ||
            (tmp >= '0' && tmp <= '9'))
            key[i++] = (char)tmp;
    }
    puts(key);
    fclose(f);
    return 0;
}
--- END C program attachment
To build:
$ cc -o dns-keygen keygen.c
To run:
$ ./dns-keygen
vAPjDZR1EYNGjlzufOUU4zLvJvUkRbXbfMrb2t4xWTHyyinapBXWauUxzgrO
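The first alternative in the reply (generate a HOST key with dnssec-keygen, then copy the last field of the KEY record, spaces removed, into rndc.key) as an added POSIX shell example that is not part of the original post or of BIND: it extracts the secret from either the public K*.key record or the Key: line of the K*.private file, checks that it is well-formed base64, and prints the rndc.key stanza. The KEY record below is a constructed sample rather than real dnssec-keygen output, and the key name "rndc-key" is an assumption.

```shell
#!/bin/sh
# Added example, not from the original reply: build an rndc.key stanza from the
# HOST key written by "dnssec-keygen -a hmac-md5 -b 512 -n HOST cbot.com".
# SAMPLE_KEY_FILE is a CONSTRUCTED record (base64 split by a space on purpose),
# not real dnssec-keygen output; the key name "rndc-key" is an assumption.

SAMPLE_KEY_FILE='cbot.com. IN KEY 512 3 157 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ 0123456789ABCDEFGHIJKLMN'

# Read a K*.key or K*.private file on stdin and print the base64 secret.
#   K*.key:     <name> [IN] KEY <flags> <proto> <alg> <base64 ...>   (may contain spaces)
#   K*.private: Key: <base64>
key_secret() {
    awk '$1 == "Key:" { print $2; exit }
         { for (k = 1; k <= NF; k++)
               if ($k == "KEY") {
                   for (i = k + 4; i <= NF; i++) printf "%s", $i
                   print ""; exit
               } }'
}

# Sanity check before installing the secret: base64 alphabet only and a
# length that is a multiple of 4 (a 512-bit key gives 88 characters).
check_secret() {
    case "$1" in
        '' | *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ $(( ${#1} % 4 )) -eq 0 ]
}

# Print the stanza for /etc/rndc.key; named.conf must reference the same key name.
rndc_key_stanza() {
    printf 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$1"
}

SECRET=$(printf '%s\n' "$SAMPLE_KEY_FILE" | key_secret)
if check_secret "$SECRET"; then
    rndc_key_stanza "$SECRET"
else
    echo "extracted secret is not valid base64: $SECRET" >&2
fi
```

For a real key, replace the sample with `key_secret < Kcbot.com.+157+NNNNN.key` (the NNNNN key id is whatever dnssec-keygen printed).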