dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key
Mark Andrews
Mark_Andrews at isc.org
Sat May 10 00:13:43 UTC 2008
> I used to successfully generate keys when I have BIND 9.2 installed on
> my host using the following
> commandline
>
> # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> I upgraded my host to BIND 9.3 and used the same command line
> above to get the following
> error:
>
> # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key
>
> What exactly changed?

-n ZONE sets appropriate KEY/DNSKEY flags.
HMAC-* and DH keys are not zone keys.

> What is the alternative?

-n HOST

> If I use HOST instead of ZONE what impact will it have on the
> generated keys?

none.

> I can't downgrade to BIND 9.2 just to make the above work. Also I
> can't have BIND 9.2 and BIND 9.3 both
> on my host.
>
> All my scripts may require change. But please let me know the side
> effect?
>
> thanks
> Blr
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
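
For scripts that still pass -n ZONE, the substitution described in the reply above (HMAC-* and DH keys are not zone keys; use -n HOST) can be applied in a wrapper. This is an added example, not part of the original thread or ISC's code; the function names and the DNSSEC_KEYGEN override variable are assumptions, and it assumes each option and its value are separate arguments.

```shell
#!/bin/sh
# Added example: compatibility wrapper for scripts that still call
# dnssec-keygen with "-n ZONE" for HMAC-* or DH keys.

# Print the name type to pass to -n for a given algorithm.
# HMAC-* and DH keys are not zone keys, so ZONE becomes HOST for them.
# Algorithm and name type are compared case-insensitively.
keygen_nametype() {
    kg_a=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    kg_t=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case "$kg_a:$kg_t" in
        HMAC-*:ZONE|DH:ZONE) printf 'HOST\n' ;;
        *) printf '%s\n' "$2" ;;
    esac
}

# Run dnssec-keygen with the same arguments, rewriting only the -n value.
# DNSSEC_KEYGEN (assumed name) overrides the binary, e.g. for a dry run.
dnssec_keygen_compat() {
    kg_alg="" kg_prev=""
    for kg_arg in "$@"; do            # pass 1: find the value given to -a
        if [ "$kg_prev" = "-a" ]; then kg_alg=$kg_arg; fi
        kg_prev=$kg_arg
    done
    kg_n=$# kg_prev=""
    for kg_arg in "$@"; do            # pass 2: append the rewritten arguments
        kg_orig=$kg_arg
        if [ "$kg_prev" = "-n" ]; then
            kg_arg=$(keygen_nametype "$kg_alg" "$kg_arg")
        fi
        set -- "$@" "$kg_arg"
        kg_prev=$kg_orig
    done
    shift "$kg_n"                     # drop the original arguments
    "${DNSSEC_KEYGEN:-dnssec-keygen}" "$@"
}
```

Zone-key invocations (for example an RSA algorithm with -n ZONE) pass through unchanged.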