generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?
Evan Hunt
each at isc.org
Wed Apr 20 00:19:30 UTC 2016
> Sure that's what I was doing anyway.
>
> To be clean, I'm not saying it's bad.
>
> It's returning the "bad key type".
>
> I'm just trying to understand what the problem is.

I'm sorry, I hadn't read your initial message clearly enough.
The "bad key type" message is a bug; it's been there for a while
but I never noticed it, probably because I never ran dnssec-keygen
twice in a row for the same name before. It's cosmetic and harmless,
but I'll open a ticket to fix it. I may not get to it very soon,
though.

What's happening is dnssec-keygen is looking for an existing
key whose keytag collides with the one just generated; it finds
a key file from the first time you ran dnssec-keygen, opens it,
and then complains because it contains type KEY instead of type
DNSKEY. KEY is in fact what *should* be there, but the collision-
checking function is expecting DNSKEY, and so it complains.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
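
The mismatch described in the message above, as an added illustration that is not BIND's code and not part of the original post: a key-file reader that accepts only DNSKEY rejects a TSIG key file holding a KEY record, while one that accepts both types can still compute the key tag (RFC 4034, Appendix B) for a collision check. The function names, the `accepted` parameter and the sample record are constructed for this example.

```python
import base64

# Constructed sample: one line as found in a K<name>.+157+<tag>.key file
# for an HMAC-MD5 key generated with "-n HOST". The key material is fake.
SAMPLE_KEY_LINE = "example.com. IN KEY 512 3 157 AQIDBA=="


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_key_record(line: str, accepted=("DNSKEY", "KEY")):
    """Return (rrtype, keytag) for a single-line public key record.

    `accepted` is a hypothetical knob: passing ("DNSKEY",) models a reader
    that only expects DNSKEY and therefore rejects a KEY file.
    """
    fields = line.split()
    # Layout: name [ttl] [class] type flags protocol algorithm base64...
    for idx, token in enumerate(fields[1:], start=1):
        if token.upper() in ("KEY", "DNSKEY"):
            break
    else:
        raise ValueError("no KEY or DNSKEY record on line")
    rrtype = fields[idx].upper()
    if rrtype not in accepted:
        raise ValueError("bad key type")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    # KEY and DNSKEY share the same RDATA layout, so the tag math is identical.
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    return rrtype, key_tag(rdata)


if __name__ == "__main__":
    print(parse_key_record(SAMPLE_KEY_LINE))
    try:
        parse_key_record(SAMPLE_KEY_LINE, accepted=("DNSKEY",))
    except ValueError as err:
        print("DNSKEY-only reader:", err)
```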