dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key

blrmaani blrmaani at gmail.com
Sun May 11 16:05:41 UTC 2008


Yes, I am looking for the same secret and the format is Kname.+nnn.+nnnnn.[private|key].
I tried the HOST option and it worked well in my test environment.

thanks a lot
Blr

On May 9, 7:27 pm, Chris Buxton <cbux... at menandmice.com> wrote:
> A zone key is a DNSSEC key. A host key is a TSIG key. Based on your
> keyname, I'm going to guess you're aiming for a TSIG key here - if I'm
> not mistaken, a DNSSEC key must have the same name as the zone it will
> be used to sign.
>
> In which case, it sounds like previous versions of dnssec-keygen were
> just silently switching to host keys on your behalf. In which case,
> there should be no downside at all to fixing your scripts.
>
> What type of output files are you expecting from this command? Two
> files containing the same secret, or a "Kname.+nnn.+nnnnn.private"
> file that contains exponents and primes and such? If you're looking
> for the same secret in both files, then you're really looking for a
> host key.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On May 9, 2008, at 4:02 PM, blrmaani wrote:
>
> > I used to successfully generate keys when I had BIND 9.2 installed on
> > my host using the following
> > command line
>
> > # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> > I upgraded my host to BIND 9.3 and used the same command line
> > above to get the following
> > error:
>
> > # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> > dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key
>
> > What exactly changed? What is the alternative? If I use HOST instead
> > of ZONE what impact will it
> > have on the generated keys?
>
> > I can't downgrade to BIND 9.2 just to make the above work. Also I
> > can't have BIND 9.2 and BIND 9.3 both
> > on my host.
>
> > All my scripts may require changes. But please let me know the side
> > effects.
>
> > thanks
> > Blr
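
The distinction drawn in the reply above (a host key is a TSIG key whose two output files hold the same shared secret), as an added example that is not part of the original thread: a shell function that checks a dnssec-keygen pair is an HMAC-MD5 host key and prints a named.conf key clause for it. The function names, the key tag 12345 and the secret are constructed; the file layout (flags 512 for a host key, algorithm 157 for HMAC-MD5) is the usual dnssec-keygen output and is assumed here, not quoted from the thread.

```shell
#!/bin/sh
# Added example: validate a dnssec-keygen pair as a TSIG (host) key.
# usage: tsig_clause <path to K*.key>  (the .private file must sit beside it)
tsig_clause() {
    keyfile=$1
    privfile=${keyfile%.key}.private
    [ -r "$keyfile" ] && [ -r "$privfile" ] || { echo "missing key pair" >&2; return 2; }

    # .key holds one record: <name>. IN KEY <flags> <protocol> <algorithm> <secret>
    set -- $(awk '$2 == "IN" && $3 == "KEY" { print $1, $4, $6, $7; exit }' "$keyfile")
    name=${1%.} flags=$2 alg=$3 key_secret=$4

    # .private holds "Algorithm: 157 (HMAC_MD5)" and "Key: <secret>"
    priv_alg=$(awk '$1 == "Algorithm:" { print $2; exit }' "$privfile")
    priv_secret=$(awk '$1 == "Key:" { print $2; exit }' "$privfile")

    # 157 = HMAC-MD5; flags 512 = host name type, 256/257 = zone (DNSSEC) key
    [ "$alg" = 157 ] && [ "$priv_alg" = 157 ] || { echo "not an HMAC-MD5 key" >&2; return 1; }
    [ "$flags" = 512 ] || { echo "flags $flags: not a host key" >&2; return 1; }
    # A TSIG key is a shared secret, so both files must carry the same value
    [ -n "$key_secret" ] && [ "$key_secret" = "$priv_secret" ] ||
        { echo "secrets differ between .key and .private" >&2; return 1; }

    printf 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$name" "$key_secret"
}

# Constructed sample pair: key tag 12345 and the secret are made up for this example.
# usage: make_sample <dir> <flags>   (prints the path of the .key file)
make_sample() {
    base="$1/Kmykey-otherkey.+157+12345"
    secret='Q09OU1RSVUNURURfS0VZIQ=='
    printf 'mykey-otherkey. IN KEY %s 3 157 %s\n' "$2" "$secret" > "$base.key"
    printf 'Private-key-format: v1.2\nAlgorithm: 157 (HMAC_MD5)\nKey: %s\n' "$secret" > "$base.private"
    echo "$base.key"
}

# Demo: a host-type pair passes and yields a clause ready for named.conf
tmp=$(mktemp -d) && tsig_clause "$(make_sample "$tmp" 512)"; rm -rf "$tmp"
```

The printed clause contains the shared secret, so any file it is written to should be readable only by the name server's user.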


