Port-amd64 archive


Re: Changes to named between 7.0 and 9.2?



Hi Brad,

Well I think I know why there's an error now.  It looks as though on
the 9.2 installations dnssec-keygen is the more recent version,
without the HMAC-MD5 algorithm, whereas there is no tsig-keygen
command/executable/manpage.

Should it be somewhere other than in the base.tar.xz set?

--
Steve Blinkhorn <steve%prd.co.uk@localhost>

You wrote:
> 
> steve%prd.co.uk@localhost (Steve Blinkhorn) writes:
> 
> > This is getting ever more bizarre - my 9.2 installations both failing in exactly the same
> > way, but /etc/openssl in one case is empty, in the other has lots going on.
> >
> > Do you - or does anyone else - know how to produce a TSIG that can be inspected,
> > base64-decoded, and compared?  The related manpages are so dense, I can't find a way to
> > get any purchase on the problem.
> >
> > I'm very grateful to you for sticking with this.  My wildcard certificate runs out
> > tomorrow :-(
> >
> > --
> > Steve Blinkhorn <steve%prd.co.uk@localhost>
> 
> 
> Depending on which version of BIND you have you will use dnssec-keygen
> or tsig-keygen.
> 
> cd to a clean temporary directory and do something like this:
> 
> dnssec-keygen -a HMAC-MD5 -b 64 -n HOST test.com
> 
> You will get two files..  either one has the key in it, already base64
> encoded.  It is this base64 encoded key that you provide to nsupdate
> directly.
> 
> Here is a page about using dnssec-keygen and creating keys using it to
> secure updates:
> 
> https://sort.veritas.com/public/documents/vie/7.1/aix/productguides/html/vcs_bundled_agents/ch03s09s06s06.htm
> 
> 
> Using dnssec-keygen was always a bit of an abuse of the tool, so
> tsig-keygen came out in later versions.  It works in a similar manner:
> 
> % tsig-keygen -a hmac-md5
> key "tsig-key" {
>         algorithm hmac-md5;
>         secret "fvzwN5YnAQ6WyWJt2rmXFw==";
> };
> 
> The secret, just like dnssec-keygen, is already base64 encoded and
> should be used directly in nsupdate that way.  With the python certbot
> scripts for Let's Encrypt, you also use this base64 encoded string
> directly as well.
> 
> For TSIG the key name doesn't matter a whole lot.. it need not be a zone
> name for example, you just have to use the name in a consistent manner in
> the BIND named.conf file (in the grant lines) and in the key config
> files (i.e. the output from tsig-keygen).
> 
> 
> 
> -- 
> Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
> 
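The thread's practical point is that a TSIG secret is just random key bytes in base64, whether dnssec-keygen or tsig-keygen produced it, and that a mismatch between hosts is easiest to find by decoding and comparing the raw bytes. The following Python is an added example written for this page; it is not code from Steve, Brad or BIND, and the function names (generate_tsig_secret, render_key_block, inspect_secret, is_valid_secret, secrets_match) are hypothetical helpers. It generates a secret of a chosen bit length, prints it in the key clause format tsig-keygen uses, decodes a secret to report its size and hex value for side-by-side inspection, and compares two secrets in constant time. The secret "fvzwN5YnAQ6WyWJt2rmXFw==" from Brad's sample output is used as the demonstration value.

```python
import base64
import binascii
import hmac
import secrets

# Added example, not code from the mailing-list thread or from BIND.
# A TSIG secret is raw key material encoded with base64; tsig-keygen and
# dnssec-keygen -n HOST both emit it in that form, and nsupdate / named
# consume the base64 string as-is.

def generate_tsig_secret(bits: int = 128) -> str:
    """Return a fresh base64 secret of the given key length in bits.
    tsig-keygen uses 128 bits for hmac-md5 by default; the thread's
    dnssec-keygen invocation asked for 64 with -b 64."""
    if bits <= 0 or bits % 8 != 0:
        raise ValueError("key length must be a positive multiple of 8 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def render_key_block(name: str, algorithm: str, secret: str) -> str:
    """Render the key clause in the layout tsig-keygen prints, which can be
    pasted into named.conf or handed to nsupdate -k as a key file.
    Only the secret has to agree between hosts; the name need not be a
    zone name, it must simply be spelled identically everywhere."""
    return (
        f'key "{name}" {{\n'
        f"        algorithm {algorithm};\n"
        f'        secret "{secret}";\n'
        "};\n"
    )


def inspect_secret(secret: str) -> dict:
    """Decode a base64 secret and report its raw size and hex form, so two
    hosts' secrets can be compared byte for byte instead of by eye.
    Whitespace is stripped first because a line-wrapped secret pasted
    into a config file is a common reason two copies differ.
    Raises ValueError when the text is not valid base64."""
    cleaned = "".join(secret.split())
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base64: {exc}") from exc
    return {"bytes": len(raw), "bits": len(raw) * 8, "hex": raw.hex()}


def is_valid_secret(secret: str) -> bool:
    """True when the text decodes as base64 to at least one byte."""
    try:
        return inspect_secret(secret)["bytes"] > 0
    except ValueError:
        return False


def secrets_match(a: str, b: str) -> bool:
    """Compare two secrets by decoded bytes in constant time, so a
    difference in whitespace or line wrapping does not count and the
    comparison itself leaks nothing about where the keys diverge."""
    raw_a = base64.b64decode("".join(a.split()), validate=True)
    raw_b = base64.b64decode("".join(b.split()), validate=True)
    return hmac.compare_digest(raw_a, raw_b)


if __name__ == "__main__":
    # Sample value taken from the tsig-keygen output quoted in the thread.
    sample = "fvzwN5YnAQ6WyWJt2rmXFw=="
    print(render_key_block("tsig-key", "hmac-md5", sample))
    print("decoded:", inspect_secret(sample))
    fresh = generate_tsig_secret(128)
    print("fresh secret matches sample:", secrets_match(sample, fresh))
```

Run it on the secret from each host's key file: if inspect_secret reports different hex values, the hosts hold different keys and named will reject the update with a TSIG error regardless of what the key name says; if it raises ValueError on one side, that copy was corrupted when it was pasted.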


