Panic Time! Key Generation Question

Chris Buxton chris.p.buxton at gmail.com
Wed Apr 27 06:08:10 UTC 2011


You can safely take the spaces out of the key string. It's base64, so whitespace shouldn't be important, but apparently dhcpd cares.

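#!/bin/sh
# Generate the key; dnssec-keygen prints the base name of the files it wrote.
filebase=$(/usr/local/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST keyname)
# Print everything after "Key: " with the spaces removed ($2 alone would stop at the first blank).
awk '/^Key: /{sub(/^Key: /, ""); gsub(/ /, ""); print}' "$filebase.private"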

Chris Buxton
BlueCat Networks

On Apr 26, 2011, at 10:52 PM, Martin McCormick wrote:

> I changed our tsig key and broke the world. Actually, the DNS's
> are happy. DHCP appears to be happy, but I am generating bad
> keys.
> 
> I wrote a script as follows:
> 
> #! /bin/sh
> /usr/local/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST keyname
> 
> It produced a beautiful-looking key that bind was happy with in
> named.conf. Rndc worked after changing it there so I installed
> it in our production DNS's.
> 
> 	Then the fun started. I put it in dhcpd and it broke
> because there was at least one blank in the string.
> 
> 	After googling a bit, I used all after the blank. This
> made bind happy, still and dhcp worked but the original key no
> longer works so we can't do any manual dynamic updates until I
> install a key that actually works.
> 
> 	Everything I read says to generate the key in pretty
> much this manner so how can I get one that works everywhere
> without white spaces that will blow up dhcpd?
> 
> I guess I was lucky before that there were no spaces in the
> previous key.
> 
> Thanks for any help.
> 
> Martin McCormick WB5AGZ  Stillwater, OK 
> Systems Engineer
> OSU Information Technology Department Telecommunications Services Group

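Added example, not part of the original messages: a shell check that a TSIG secret with its blanks removed decodes to the same 64 bytes as the generated one, while "all after the blank" decodes to a shorter, different secret. The function names and the sample secret are constructed for illustration, and the script assumes a `base64` that accepts `-d`.

```shell
#!/bin/sh
# Added example; function names and the sample secret are constructed for illustration.

# Remove all whitespace from a base64 secret, as dhcpd requires.
normalize_secret() {
    printf '%s' "$1" | tr -d ' \t\r\n'
}

# Number of bytes the secret decodes to (64 expected for "-b 512").
secret_len() {
    normalize_secret "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Decoded bytes as hex, so secrets are compared as bytes rather than as text.
secret_hex() {
    normalize_secret "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Succeeds only when both strings decode to the same non-empty secret.
same_secret() {
    a=$(secret_hex "$1")
    b=$(secret_hex "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed 64-byte (512-bit) sample secret, not a real key.
chunk=0123456789abcdef
full=$(printf '%s' "$chunk$chunk$chunk$chunk" | base64 | tr -d '\n')

# The same secret written with one blank in the middle, as in the generated key.
with_space="$(printf '%s' "$full" | cut -c1-44) $(printf '%s' "$full" | cut -c45-)"

# "All after the blank": a valid-looking base64 string, but a different secret.
after_blank=${with_space#* }

echo "with blank:  $(secret_len "$with_space") bytes"
echo "after blank: $(secret_len "$after_blank") bytes"
same_secret "$with_space" "$full" && echo "blank removed: same secret"
same_secret "$after_blank" "$full" || echo "after blank only: different secret"
```

Running `same_secret` on the value in named.conf and the value in dhcpd.conf before deploying confirms that both sides hold the same key.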