generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?

Evan Hunt each at isc.org
Tue Apr 19 23:25:07 UTC 2016


On Tue, Apr 19, 2016 at 02:57:42PM -0700, jasonsu at mail-central.com wrote:
> Looks like tsig-keygen is also from bind
> 
> 	rpm -q --whatprovides /usr/sbin/dnssec-keygen /usr/sbin/tsig-keygen
> 		bind-utils-9.10.3P4-215.1.x86_64
> 		bind-utils-9.10.3P4-215.1.x86_64
> 
> I'll sure read up and give tsig-keygen a try.
> 
> But, why's using dnssec-keygen 'bad' for TSIG ?  Apart from all the
> online tutes that refer to it, from its manpage

It's not "bad"; dnssec-keygen can generate TSIG keys fine. It's just that
it's cumbersome to remember all the options, and the keys are generated in
a format that isn't directly useful.

    $ dnssec-keygen -a hmac-sha256 -b 256 -n host example.com
    Kexample.com.+163+04122
    $ cat Kexample.com.+163+04122.key
    example.com. IN KEY 512 3 163 n7P55owwAgF5Ky9pts1jvGRtPoRy5tLl2RwAzRnyQvI=

To make this useful in named.conf, you have to cut and paste, thus:

    key "example.com" {
        algorithm hmac-sha256;
        secret "n7P55owwAgF5Ky9pts1jvGRtPoRy5tLl2RwAzRnyQvI=";
    };

...whereas that's exactly the format you'd get by simply typing
"tsig-keygen example.com".

(The name "tsig-keygen" was introduced in BIND 9.10; prior to that,
the tool was called "ddns-confgen", and it did essentially the same
thing as it does now, but with some extra comments in the output.)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
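The cut-and-paste step described in the message above, turned into a small checked conversion: the script below is an added example written for this archive page, not code from the original post, from BIND, or from ISC. It parses the one-line KEY record that dnssec-keygen writes to the K*.key file, maps the private algorithm number in that record (163 in the quoted output) to the algorithm name named.conf expects, verifies that the secret is well-formed base64, and emits the key statement shown in the post. The mapping of KEY-RR algorithm numbers 157 and 161 through 165 to the hmac-* names is BIND's numbering; the digest-length check that warns when a secret is shorter than the HMAC's output (RFC 2104 guidance, and the length -b 256 produces for hmac-sha256) is this example's own addition. The sample key file content is the record quoted in the post, embedded here as a constructed string.

```python
import base64
import re
import sys
import warnings

# Constructed sample input: the .key file line quoted in the message above.
SAMPLE_KEY_FILE = (
    "example.com. IN KEY 512 3 163 n7P55owwAgF5Ky9pts1jvGRtPoRy5tLl2RwAzRnyQvI=\n"
)

# BIND's KEY-RR algorithm numbers for HMAC TSIG keys, mapped to the name
# named.conf expects and the HMAC output length in bytes (used as the
# minimum sensible secret length; see RFC 2104).
TSIG_ALGORITHMS = {
    157: ("hmac-md5", 16),
    161: ("hmac-sha1", 20),
    162: ("hmac-sha224", 28),
    163: ("hmac-sha256", 32),
    164: ("hmac-sha384", 48),
    165: ("hmac-sha512", 64),
}

# owner [ttl] IN KEY flags protocol algorithm base64-secret
KEY_RR = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+KEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<secret>\S+)\s*$"
)


def parse_key_file(text):
    """Return (owner name, algorithm number, base64 secret) from K*.key text.

    Comment lines (leading ';') and blank lines are skipped; the first KEY
    record found is used.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = KEY_RR.match(line)
        if match:
            return match.group("name"), int(match.group("alg")), match.group("secret")
    raise ValueError("no KEY record found in key file")


def tsig_key_statement(text):
    """Build the named.conf key statement for a dnssec-keygen TSIG key file.

    Raises ValueError when the record is not an HMAC TSIG key (for example a
    DNSSEC signing key generated without '-a hmac-*') or the secret is not
    valid base64, so a wrong key type or a truncated paste is caught before
    it lands in named.conf.
    """
    name, alg_num, secret = parse_key_file(text)
    if alg_num not in TSIG_ALGORITHMS:
        raise ValueError(
            f"algorithm {alg_num} is not an HMAC TSIG algorithm; "
            "the key must be generated with '-a hmac-<digest>'"
        )
    alg_name, digest_len = TSIG_ALGORITHMS[alg_num]
    # validate=True rejects stray characters; binascii.Error is a ValueError.
    raw = base64.b64decode(secret, validate=True)
    if len(raw) < digest_len:
        warnings.warn(
            f"secret is {len(raw)} bytes, shorter than the {digest_len}-byte "
            f"{alg_name} output; was it truncated when pasted?"
        )
    key_name = name.rstrip(".")  # named.conf key names carry no trailing dot
    return (
        f'key "{key_name}" {{\n'
        f"    algorithm {alg_name};\n"
        f'    secret "{secret}";\n'
        "};\n"
    )


if __name__ == "__main__":
    # Usage: convert_tsig.py Kexample.com.+163+04122.key   (or pipe on stdin)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    sys.stdout.write(tsig_key_statement(source))
```

Run against the quoted K file it prints exactly the key statement from the message; run against a DNSSEC zone key (algorithm 8 or 13) it refuses, which is the same "wrong key type" situation the thread's subject line describes.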

