Port-amd64 archive
Re: Changes to named between 7.0 and 9.2?
And just to confirm, adding a symlink named tsig-keygen to
/usr/sbin/ddns-confgen means that nsupdate now works from my 9.2
installations. What should it be, a hard link? a separate copy? And
is there anything else I might be missing of this kind in 9.2?
--
Steve Blinkhorn <steve%prd.co.uk@localhost>
I wrote:
>
> Hi Brad,
>
> Well I think I know why there's an error now. It looks as though on
> the 9.2 installations dnssec-keygen is the more recent version,
> without the HMAC-MD5 algorithm, whereas there is no tsig-keygen
> command/executable/manpage.
>
> Should it be somewhere other than in the base.tar.xz set?
>
> --
> Steve Blinkhorn <steve%prd.co.uk@localhost>
>
> You wrote:
> >
> > steve%prd.co.uk@localhost (Steve Blinkhorn) writes:
> >
> > > This is getting ever more bizarre - my 9.2 installations both fail in exactly the same
> > > way, but /etc/openssl in one case is empty, in the other has lots going on.
> > >
> > > Do you - or does anyone else - know how to produce a TSIG that can be inspected,
> > > base64-decoded, and compared? The related manpages are so dense, I can't find a way to
> > > get any purchase on the problem.
> > >
> > > I'm very grateful to you for sticking with this. My wildcard certificate runs out
> > > tomorrow :-(
> > >
> > > --
> > > Steve Blinkhorn <steve%prd.co.uk@localhost>
> >
> >
> > Depending on which version of BIND you have you will use dnssec-keygen
> > or tsig-keygen.
> >
> > cd to a clean temporary directory and do something like this:
> >
> > dnssec-keygen -a HMAC-MD5 -b 64 -n HOST test.com
> >
> > You will get two files.. either one has the key in it, already base64
> > encoded. It is this base64 encoded key that you provide to nsupdate
> > directly.
> >
> > Here is a page about using dnssec-keygen and creating keys using it to
> > secure updates:
> >
> > https://sort.veritas.com/public/documents/vie/7.1/aix/productguides/html/vcs_bundled_agents/ch03s09s06s06.htm
> >
> >
> > Using dnssec-keygen was always a bit of an abuse of the tool, so
> > tsig-keygen came out in later versions. It works in a similar manner:
> >
> > % tsig-keygen -a hmac-md5
> > key "tsig-key" {
> >         algorithm hmac-md5;
> >         secret "fvzwN5YnAQ6WyWJt2rmXFw==";
> > };
> >
> > The secret, just like dnssec-keygen, is already base64 encoded and
> > should be used directly in nsupdate that way. With the python certbot
> > scripts for Let's Encrypt, you also use this base64 encoded string
> > directly as well.
> >
> > For TSIG the key name doesn't matter a whole lot.. it need not be a zone
> > name for example, you just have to use the name in a consistent manner in
> > the BIND named.conf file (in the grant lines) and in the key config
> > files (i.e. the output from tsig-keygen).
> >
> >
> >
> > --
> > Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
> >
>
>
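Steve's question further up the thread was how to produce a TSIG key that can be inspected, base64-decoded and compared between two hosts. The Python script below is an added example, not code from the thread or from BIND: it generates a key stanza in the same layout tsig-keygen prints, parses such a stanza back out of a file or mail, decodes the base64 secret to check its length, compares the raw key bytes of two stanzas in constant time, and computes the HMAC a TSIG signer would compute with the decoded key. The sample stanza embedded in `__main__` is the one Brad posted; the default bit lengths for the non-MD5 algorithms are assumed here to mirror the digest sizes BIND uses, and the `update-key` name is a constructed placeholder.

```python
import base64
import binascii
import hmac
import re
import secrets

# Default key length (bits) per TSIG HMAC algorithm. The MD5 entry matches the
# 128-bit secret shown in the thread; the others are assumed to follow the
# digest size, as tsig-keygen does by default.
DEFAULT_BITS = {
    "hmac-md5": 128,
    "hmac-sha1": 160,
    "hmac-sha224": 224,
    "hmac-sha256": 256,
    "hmac-sha384": 384,
    "hmac-sha512": 512,
}

# TSIG algorithm name -> hashlib digest name accepted by hmac.new().
DIGEST_FOR = {alg: alg.split("-", 1)[1] for alg in DEFAULT_BITS}

# Matches the key { algorithm ...; secret "..."; }; stanza, with or without
# the indentation tsig-keygen prints (mail quoting often strips it).
STANZA_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*'
    r'algorithm\s+(?P<algorithm>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;',
    re.IGNORECASE,
)


def generate_tsig_stanza(name="tsig-key", algorithm="hmac-sha256", bits=None):
    """Produce a key {} stanza in the layout tsig-keygen uses."""
    algorithm = algorithm.lower()
    if algorithm not in DEFAULT_BITS:
        raise ValueError(f"unsupported TSIG algorithm: {algorithm}")
    bits = bits or DEFAULT_BITS[algorithm]
    if bits % 8:
        raise ValueError("key length must be a multiple of 8 bits")
    raw = secrets.token_bytes(bits // 8)           # CSPRNG-derived raw key
    secret = base64.b64encode(raw).decode("ascii")  # the form nsupdate wants
    return (
        f'key "{name}" {{\n'
        f'\talgorithm {algorithm};\n'
        f'\tsecret "{secret}";\n'
        f'}};\n'
    )


def parse_tsig_stanza(text):
    """Extract (name, algorithm, secret) from a tsig-keygen style stanza."""
    m = STANZA_RE.search(text)
    if not m:
        raise ValueError("no key stanza found")
    return m.group("name"), m.group("algorithm").lower(), m.group("secret")


def decode_secret(secret_b64):
    """Return the raw key bytes; rejects secrets that are not valid base64."""
    try:
        return base64.b64decode(secret_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base64: {exc}") from None


def secret_bits(secret_b64):
    """Key length in bits, i.e. what -b (or the algorithm default) produced."""
    return len(decode_secret(secret_b64)) * 8


def keys_match(stanza_a, stanza_b):
    """True when two stanzas carry the same algorithm and identical raw key."""
    _, alg_a, sec_a = parse_tsig_stanza(stanza_a)
    _, alg_b, sec_b = parse_tsig_stanza(stanza_b)
    return alg_a == alg_b and hmac.compare_digest(
        decode_secret(sec_a), decode_secret(sec_b))


def tsig_mac(secret_b64, algorithm, data):
    """HMAC over data with the *decoded* key, as a TSIG signer computes it."""
    digest = DIGEST_FOR[algorithm.lower()]
    return hmac.new(decode_secret(secret_b64), data, digest).hexdigest()


if __name__ == "__main__":
    # Sample input: the stanza Brad posted in this thread.
    sample = ('key "tsig-key" {\n\talgorithm hmac-md5;\n'
              '\tsecret "fvzwN5YnAQ6WyWJt2rmXFw==";\n};\n')
    name, alg, secret = parse_tsig_stanza(sample)
    print(f"{name}: {alg}, {secret_bits(secret)}-bit key, "
          f"raw={decode_secret(secret).hex()}")
    fresh = generate_tsig_stanza("update-key")     # placeholder key name
    print(fresh, end="")
    print("same key on both hosts:", keys_match(sample, sample))
```

Run it against the stanza from each host (or the `-K`-style key file nsupdate reads) to see whether the secrets really decode to the same bytes and the same length; a 64-bit key from `dnssec-keygen -b 64` and a 128-bit key from `tsig-keygen -a hmac-md5` will differ in `secret_bits` even when the names match. Comparison goes through `hmac.compare_digest` so timing does not leak how many leading bytes agree.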