Format of 'dig -k' "TSIG key file"?

Joseph S D Yao jsdy at tux.org
Fri Aug 21 21:52:27 UTC 2009


After some experimenting, here is the whole answer, hinted at by one
response on this mailing list.

On Thu, Jul 30, 2009 at 05:40:54PM -0400, Joseph S D Yao wrote:
...
> In dig(1), the '-k' option is said to require a "TSIG key file" as an
> option.  I have a TSIG file with a comment header and the following:
> 
> key mynet. { algorithm hmac-md5; secret "Ain/tGonnaTellNoWay=="; };
...
> Running
> 	dig -k mynet.key axfr example.zone @other.example.zone
> gives me,
> 	Couldn't read key from mynet.key: label too long
...
> Removing the comment header gives me,
> 	Couldn't read key from mynet.key: unexpected token
> 
> OK.  Maybe 'dig' wants a KEY resource record file that looks like it
> came out of 'dnssec-keygen'.  I changed it to:
> 	mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==
> and the same command line, on a perfectly readable file, says:
> 	Couldn't read key from mynet.key: file not found
...

It turned out that this latter file was needed, but for some
inexplicable reason perhaps having to do with library routines [I have
not gone chasing down the code], it ALSO wants the "mynet.private" file!
So I created one:
	Private-key-format: v1.2
	Algorithm: 157 (HMAC_MD5)
	Key: Ain/tGonnaTellNoWay==
The hinted-at part that I had to test to find out is that it needed me
to create BOTH files from the "named.conf" include file, even though the
key and algorithm are the same in both.

Now,
	dig -k mynet.key axfr example.zone @other.example.zone
works!

Thanks for all the public and especially the private discussion of this!


-- 
/*********************************************************************\
**
** Joe Yao				jsdy at tux.org - Joseph S. D. Yao
**
\*********************************************************************/
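As an added example, not from the post above or from BIND itself: a POSIX shell script that does the conversion the post describes by hand, turning a named.conf-style `key` statement into the two files that `dig -k` was found to need, the KEY resource-record file (`mynet.key`) and the `Private-key-format: v1.2` file (`mynet.private`). The function names, the sample include file and its placeholder secret are constructions of this example; the `hmac-md5` number 157 is the one in the post, while the `hmac-sha256` branch uses BIND's private TSIG algorithm number 163, which is not on the page. Because the generated files hold the shared secret, they are written with mode 0600.

```shell
#!/bin/sh
# Added example (not from the post): build the <name>.key and <name>.private
# files that dig -k needs from a named.conf-style TSIG "key" statement.
# All function and file names here are this example's own choices.

# Write a constructed sample include file in the shape quoted in the post,
# including the kind of comment header that broke the author's first attempt.
write_sample_conf() {
    cat > "$1" <<'EOF'
/* TSIG key shared with other.example.zone (constructed sample) */
# the secret below is a made-up placeholder, not a real key
key mynet. { algorithm hmac-md5; secret "ZXhhbXBsZS1zZWNyZXQ="; };
EOF
}

# Print "name algorithm secret" for the first key statement in file $1.
# Comments (#, //, and single-line /* */) are stripped before tokenising so
# that a "//" inside a base64 secret is never mistaken for a comment.
parse_key_stmt() {
    awk '
        { sub(/\/\*.*\*\//, ""); sub(/^[ \t]*(#|\/\/).*/, ""); sub(/[ \t]+(#|\/\/).*/, "") }
        { gsub(/[{};"]/, " ")
          for (i = 1; i <= NF; i++) {
              if      ($i == "key")       name = $(i+1)
              else if ($i == "algorithm") alg  = $(i+1)
              else if ($i == "secret")    sec  = $(i+1)
          } }
        END { print name, alg, sec }
    ' "$1"
}

# Generate <outdir>/<name>.key and <outdir>/<name>.private from the key
# statement in $1; print the path of the .key file (the argument for dig -k).
tsig_to_dig_files() {
    conf="$1"; outdir="$2"
    set -- $(parse_key_stmt "$conf")
    name="$1"; alg="$2"; sec="$3"
    [ -n "$name" ] && [ -n "$alg" ] && [ -n "$sec" ] || {
        echo "no complete key statement found in $conf" >&2; return 1; }
    case "$alg" in
        hmac-md5)    num=157; label=HMAC_MD5 ;;     # number shown in the post
        hmac-sha256) num=163; label=HMAC_SHA256 ;;  # BIND private algorithm number
        *) echo "unsupported algorithm: $alg" >&2; return 1 ;;
    esac
    base="${name%.}"     # "mynet." -> mynet.key and mynet.private, as in the post
    # KEY RR: flags 512 (zone key), protocol 3 (DNSSEC), algorithm, base64 secret.
    printf '%s IN KEY 512 3 %s %s\n' "$name" "$num" "$sec" > "$outdir/$base.key"
    printf 'Private-key-format: v1.2\nAlgorithm: %s (%s)\nKey: %s\n' \
        "$num" "$label" "$sec" > "$outdir/$base.private"
    # Both files carry the shared secret: keep them readable by the owner only.
    chmod 600 "$outdir/$base.key" "$outdir/$base.private"
    echo "$outdir/$base.key"
}

# Stand-alone demo: build the pair in a temporary directory and show them.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/mynet.conf"
keyfile=$(tsig_to_dig_files "$demo_dir/mynet.conf" "$demo_dir")
cat "$keyfile" "${keyfile%.key}.private"
# Then, as in the post:  dig -k "$keyfile" axfr example.zone @other.example.zone
```

`dig -k` is given the path of the `.key` file; the `.private` file must sit beside it under the same base name, which is exactly the pairing the post arrived at by experiment.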
