Port-amd64 archive
Re: Changes to named between 7.0 and 9.2?
Hi Brad,
Well I think I know why there's an error now. It looks as though on
the 9.2 installations dnssec-keygen is the more recent version,
without the HMAC-MD5 algorithm, whereas there is no tsig-keygen
command/executable/manpage.
Should it be somewhere other than in the base.tar.xz set?
--
Steve Blinkhorn <steve%prd.co.uk@localhost>
You wrote:
>
> steve%prd.co.uk@localhost (Steve Blinkhorn) writes:
>
> > This is getting ever more bizarre - my 9.2 installations both failing in exactly the same
> > way, but /etc/openssl in one case is empty, in the other has lots going on.
> >
> > Do you - or does anyone else - know how to produce a TSIG that can be inspected,
> > base64-decoded, and compared? The related manpages are so dense, I can't find a way to
> > get any purchase on the problem.
> >
> > I'm very grateful to you for sticking with this. My wildcard certificate runs out
> > tomorrow :-(
> >
> > --
> > Steve Blinkhorn <steve%prd.co.uk@localhost>
>
>
> Depending on which version of BIND you have you will use dnssec-keygen
> or tsig-keygen.
>
> cd to a clean temporary directory and do something like this:
>
> dnssec-keygen -a HMAC-MD5 -b 64 -n HOST test.com
>
> You will get two files.. either one has the key in it, already base64
> encoded. It is this base64 encoded key that you provide to nsupdate
> directly.
>
> Here is a page about using dnssec-keygen and creating keys using it to
> secure updates:
>
> https://sort.veritas.com/public/documents/vie/7.1/aix/productguides/html/vcs_bundled_agents/ch03s09s06s06.htm
>
>
> Using dnssec-keygen was always a bit of an abuse of the tool, so
> tsig-keygen came out in later versions. It works in a similar manner:
>
> % tsig-keygen -a hmac-md5
> key "tsig-key" {
> algorithm hmac-md5;
> secret "fvzwN5YnAQ6WyWJt2rmXFw==";
> };
>
> The secret, just like dnssec-keygen, is already base64 encoded and
> should be used directly in nsupdate that way. With the python certbot
> scripts for Let's Encrypt, you also use this base64 encoded string
> directly as well.
>
> For TSIG the key name doesn't matter a whole lot.. it need not be a zone
> name for example, you just have to use the name in a consistent manner in
> the BIND named.conf file (in the grant lines) and in the key config
> files (i.e. the output from tsig-keygen).
>
>
>
> --
> Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
>
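Since the thread asks for a way to produce a TSIG secret that can be inspected, base64-decoded and compared, here is an added example of doing exactly that. It is my own illustration, not code from Steve, Brad or the BIND project, and it uses only the Python standard library, so it runs without named installed. The sample stanza is the one Brad quoted above; the default key length (digest size, i.e. 16 bytes for hmac-md5, 32 for hmac-sha256) matches the 16-byte secret in that stanza. The nsupdate_key_arg helper assumes the "[hmac:]keyname:secret" form that nsupdate -y takes; check that against the nsupdate manpage on your release.

```python
"""Generate, inspect and compare TSIG secrets in the form tsig-keygen and
dnssec-keygen emit them: base64 of the raw HMAC key, used verbatim by
named, nsupdate and certbot. Standard library only; nothing talks to BIND."""
import base64
import hashlib
import hmac
import re
import secrets

# HMAC algorithms named accepts for TSIG, mapped to their hash constructors.
ALGORITHMS = {
    "hmac-md5": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}

# Constructed sample input: the key block quoted in the thread above.
SAMPLE_STANZA = '''key "tsig-key" {
algorithm hmac-md5;
secret "fvzwN5YnAQ6WyWJt2rmXFw==";
};'''

_STANZA_RE = re.compile(
    r'key\s+"?([^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+([\w-]+)\s*;\s*'
    r'secret\s+"([^"]+)"\s*;\s*\}\s*;',
    re.IGNORECASE,
)


def generate_secret(algorithm="hmac-sha256", nbytes=None):
    """Random key, base64-encoded like tsig-keygen's "secret" value.
    Default length is the digest size: 16 bytes for hmac-md5, 32 for
    hmac-sha256, which is what the sample stanza shows for hmac-md5."""
    hashfn = ALGORITHMS[algorithm.lower()]
    if nbytes is None:
        nbytes = hashfn().digest_size
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def key_stanza(name, algorithm, secret):
    """Render a named.conf key block in tsig-keygen's layout."""
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (name, algorithm, secret)


def parse_key_stanza(text):
    """Pull name, algorithm and secret out of a key block and decode the
    secret so its raw bytes can be inspected (length, hex) and compared."""
    m = _STANZA_RE.search(text)
    if m is None:
        raise ValueError("no key stanza found")
    name, algorithm, secret = m.groups()
    algorithm = algorithm.lower()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported TSIG algorithm: %s" % algorithm)
    raw = base64.b64decode(secret, validate=True)
    return {"name": name, "algorithm": algorithm, "secret": secret, "raw": raw}


def secrets_match(secret_a, secret_b):
    """Compare two base64 secrets by their decoded bytes, in constant time,
    so that a mismatch means the keys really differ and not just the text."""
    return hmac.compare_digest(base64.b64decode(secret_a), base64.b64decode(secret_b))


def tsig_mac(secret, algorithm, message):
    """HMAC of message under the decoded secret: the primitive behind the
    MAC field of a TSIG RR, applied here to an arbitrary byte string so two
    hosts holding supposedly identical keys can check they agree."""
    return hmac.new(base64.b64decode(secret), message, ALGORITHMS[algorithm.lower()]).hexdigest()


def nsupdate_key_arg(stanza):
    """Format a parsed stanza as the [hmac:]keyname:secret string that
    nsupdate -y takes (assumed from the nsupdate manpage; verify locally)."""
    k = parse_key_stanza(stanza)
    return "%s:%s:%s" % (k["algorithm"], k["name"], k["secret"])


if __name__ == "__main__":
    k = parse_key_stanza(SAMPLE_STANZA)
    print("%s %s raw=%d bytes hex=%s" % (k["name"], k["algorithm"], len(k["raw"]), k["raw"].hex()))
    fresh = key_stanza("acme-update", "hmac-sha256", generate_secret("hmac-sha256"))
    print(fresh)
    print(nsupdate_key_arg(fresh))
```

Running it prints the quoted hmac-md5 secret as 16 raw bytes, then a fresh hmac-sha256 stanza and its nsupdate -y form. Feeding the same message through tsig_mac on both the named host and the nsupdate/certbot host is a quick way to confirm the two sides hold the same key before chasing named.conf grant lines. Current BIND releases default tsig-keygen to hmac-sha256; hmac-md5 is only worth keeping for an existing peer that cannot do better.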