Port-amd64 archive


Re: Changes to named between 7.0 and 9.2?



steve%prd.co.uk@localhost (Steve Blinkhorn) writes:

> This is getting ever more bizarre - my 9.2 installations both fail in exactly the same
> way, but /etc/openssl in one case is empty, in the other has lots going on.
>
> Do you - or does anyone else - know how to produce a TSIG that can be inspected,
> base64-decoded, and compared?  The related manpages are so dense, I can't find a way to
> get any purchase on the problem.
>
> I'm very grateful to you for sticking with this.   My wildcard certificate runs out
> tomorrow :-(
>
> --
> Steve Blinkhorn <steve%prd.co.uk@localhost>


Depending on which version of BIND you have you will use dnssec-keygen
or tsig-keygen.

cd to a clean temporary directory and do something like this:

dnssec-keygen -a HMAC-MD5 -b 64 -n HOST test.com

You will get two files.  Either one has the key in it, already base64
encoded.  It is this base64 encoded key that you provide to nsupdate
directly.

Here is a page about using dnssec-keygen and creating keys using it to
secure updates:

https://sort.veritas.com/public/documents/vie/7.1/aix/productguides/html/vcs_bundled_agents/ch03s09s06s06.htm


Using dnssec-keygen was always a bit of an abuse of the tool, so
tsig-keygen came out in later versions.  It works in a similar manner:

% tsig-keygen -a hmac-md5
key "tsig-key" {
        algorithm hmac-md5;
        secret "fvzwN5YnAQ6WyWJt2rmXFw==";
};

The secret, just like dnssec-keygen, is already base64 encoded and
should be used directly in nsupdate that way.  With the python certbot
scripts for Let's Encrypt, you also use this base64 encoded string
directly as well.

For TSIG the key name doesn't matter a whole lot; it need not be a zone
name, for example.  You just have to use the name in a consistent manner in
the BIND named.conf file (in the grant lines) and in the key config
files (i.e. the output from tsig-keygen).



-- 
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
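As an added example, not part of the original message and not code from BIND or certbot: a small Python script that does the "inspect, base64-decode and compare" step the thread asks for.  It generates a secret in the same form tsig-keygen prints (random bytes, base64), renders the named.conf key stanza, parses a stanza back (the tsig-keygen output quoted above is used as the constructed sample), decodes the secret to raw bytes so two copies can be compared byte for byte, and reports the mismatches (name, algorithm, secret) that make named reject a signed update.  The digest-length table and the "Key:" line lookup for dnssec-keygen's .private file are assumptions about those tools' output, and the zone and host names in the nsupdate script are placeholders.

```python
"""Generate, inspect and compare TSIG keys in the text form tsig-keygen prints.

Example code added for this thread; not BIND's or certbot's own code.
"""
import base64
import os
import re
from typing import Dict, List

# Digest length in bits of each HMAC algorithm named accepts for TSIG.
# Assumption: tsig-keygen sizes its random secret to the digest length, so a
# decoded tsig-keygen secret should measure exactly this many bits.
HMAC_DIGEST_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
    "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512,
}

# Matches the key block as printed by tsig-keygen / written in named.conf.
KEY_STANZA_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*'
    r'algorithm\s+(?P<alg>[A-Za-z0-9-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*'
    r'\}\s*;', re.S)


def make_secret(algorithm: str = "hmac-sha256") -> str:
    """Random secret, base64 encoded exactly as tsig-keygen would print it."""
    bits = HMAC_DIGEST_BITS[algorithm.lower()]
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def key_stanza(name: str, algorithm: str, secret: str) -> str:
    """The 'key' block for named.conf; the same text, unchanged, is the file
    handed to nsupdate -k.  The secret is already base64, so it goes in as-is."""
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (name, algorithm, secret)


def secret_from_private_file(text: str) -> str:
    """Base64 secret from a dnssec-keygen K*.private file (assumed 'Key: ...' line)."""
    for line in text.splitlines():
        if line.startswith("Key:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Key: line in private file")


def parse_key_stanza(text: str) -> Dict[str, object]:
    """Pull name, algorithm and secret out of a key stanza and base64-decode
    the secret so it can be inspected and compared byte for byte."""
    m = KEY_STANZA_RE.search(text)
    if not m:
        raise ValueError("no key stanza found")
    secret_b64 = m.group("secret")
    # validate=True rejects stray characters such as a pasted newline or space.
    raw = base64.b64decode(secret_b64, validate=True)
    return {
        # TSIG key names are DNS names: case-insensitive, trailing dot optional.
        "name": m.group("name").rstrip(".").lower(),
        "algorithm": m.group("alg").lower(),
        "secret_b64": secret_b64,
        "secret": raw,
    }


def describe(key: Dict[str, object]) -> str:
    """One line showing what named sees, with a length sanity check."""
    expected = HMAC_DIGEST_BITS.get(key["algorithm"])
    nbits = len(key["secret"]) * 8
    note = ""
    if expected is None:
        note = " (algorithm not a TSIG HMAC name)"
    elif nbits != expected:
        note = " (%d bits; tsig-keygen would emit %d)" % (nbits, expected)
    return "%s %s %d bits hex=%s%s" % (
        key["name"], key["algorithm"], nbits, key["secret"].hex(), note)


def compare_keys(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Differences between two parsed stanzas (say, named.conf versus the copy
    given to nsupdate or certbot) that make named refuse the update."""
    problems = []
    if a["name"] != b["name"]:
        problems.append("key name differs: %r vs %r (server answers BADKEY)" % (a["name"], b["name"]))
    if a["algorithm"] != b["algorithm"]:
        problems.append("algorithm differs: %s vs %s (server answers BADKEY)" % (a["algorithm"], b["algorithm"]))
    if a["secret"] != b["secret"]:
        problems.append("secret bytes differ (server answers BADSIG)")
    return problems


def nsupdate_script(server: str, zone: str, name: str, txt: str) -> str:
    """Commands to pipe into 'nsupdate -k key.conf' for an ACME-style TXT add."""
    return "server %s\nzone %s\nupdate add %s 60 TXT \"%s\"\nsend\n" % (server, zone, name, txt)


if __name__ == "__main__":
    # Constructed sample: the tsig-keygen output quoted in the thread.
    sample = 'key "tsig-key" {\n        algorithm hmac-md5;\n        secret "fvzwN5YnAQ6WyWJt2rmXFw==";\n};\n'
    print(describe(parse_key_stanza(sample)))
    fresh = key_stanza("update-key", "hmac-sha256", make_secret("hmac-sha256"))
    print(fresh)
    print(compare_keys(parse_key_stanza(fresh), parse_key_stanza(sample)))
    print(nsupdate_script("ns1.example.com", "example.com", "_acme-challenge.example.com.", "token"))
```

Run the two copies of a key (the stanza from named.conf and the one in the file given to nsupdate -k, or the secret pasted into certbot's rfc2136 credentials) through parse_key_stanza and compare_keys; an empty list means the name, algorithm and raw secret all agree, and any remaining failure is a grant or allow-update problem rather than a key mismatch.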

