DDNS and TSIG
Kerry Thompson
kerry at security.geek.nz
Thu Oct 21 22:30:44 UTC 2004
Kevin Darcy said:
> I don't claim to be a crypto expert, but I thought keys of type "ZONE"
> were only for the whole DNSSEC shebang (KEY/DNSKEY records, etc.). The
> dhcp.conf man page example uses a "USER" key type, and I've always used
> a "HOST" key type. Have you tried either of those?
>
>
> - Kevin
Good point.
Running
dnssec-keygen -a HMAC-MD5 -b 128 -p 3 -n ZONE kahn.tnd.lan
gives me an error, "a key with algorithm 'HMAC-MD5' cannot be a zone key".
Better to use HOST:
dnssec-keygen -a HMAC-MD5 -b 128 -p 3 -n HOST kahn.tnd.lan
which generates a good key pair. Although, the key data in the config
files can be any old data string, as long as it's the right length, and
having it the wrong length may have caused the problem.
--
Kerry Thompson
IT Security Consultant
http://www.crypt.gen.nz
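
An added example, not part of the original post and not code from BIND or ISC DHCP: a Python check that the TSIG key stanzas in named.conf and dhcpd.conf carry the same algorithm and base64 secret, and that the secret decodes to the 128 bits requested by "-b 128" above. The stanza regex, the function names and the sample configs are assumptions constructed for illustration, and the comparison assumes both files spell the algorithm name the same way.

```python
import base64
import binascii
import re

# Matches a stanza of the form: key NAME { algorithm X; secret Y; }
# The name and secret may be quoted (named.conf) or bare (dhcpd.conf).
KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;\s*'
    r'secret\s+"?([^";\s]+)"?\s*;\s*\}', re.IGNORECASE)

def parse_keys(text):
    """Return {key_name: (algorithm, secret)} for each key stanza found."""
    return {m.group(1).lower(): (m.group(2).lower(), m.group(3))
            for m in KEY_RE.finditer(text)}

def secret_bits(secret):
    """Decoded size of a base64 secret in bits, or None if not valid base64."""
    try:
        return len(base64.b64decode(secret, validate=True)) * 8
    except (binascii.Error, ValueError):
        return None

def check_shared_key(named_conf, dhcpd_conf, name, bits=128):
    """List the problems found with key `name` across the two configs."""
    problems, found = [], {}
    for label, text in (("named.conf", named_conf), ("dhcpd.conf", dhcpd_conf)):
        entry = parse_keys(text).get(name.lower())
        if entry is None:
            problems.append(f"{label}: key {name} not found")
            continue
        found[label] = entry
        size = secret_bits(entry[1])
        if size is None:
            problems.append(f"{label}: secret is not valid base64")
        elif size != bits:
            problems.append(f"{label}: secret is {size} bits, expected {bits}")
    if len(found) == 2 and found["named.conf"] != found["dhcpd.conf"]:
        problems.append("algorithm or secret differs between the two files")
    return problems

# Constructed sample data: 16 zero bytes as the secret, not a real key.
SECRET = base64.b64encode(bytes(16)).decode()
NAMED = f'key "kahn.tnd.lan" {{ algorithm hmac-md5; secret "{SECRET}"; }};'
DHCPD = f'key kahn.tnd.lan {{ algorithm hmac-md5; secret {SECRET}; }}'
BAD = 'key kahn.tnd.lan { algorithm hmac-md5; secret c2hvcnQ=; }'  # 5 bytes

if __name__ == "__main__":
    print(check_shared_key(NAMED, DHCPD, "kahn.tnd.lan"))
    print(check_shared_key(NAMED, BAD, "kahn.tnd.lan"))
```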