Port-amd64 archive


Re: Changes to named between 7.0 and 9.2?



And just to confirm, adding a symlink named tsig-keygen to
/usr/sbin/ddns-confgen means that nsupdate now works from my 9.2
installations.  What should it be, a hard link? a separate copy?  And
is there anything else I might be missing of this kind in 9.2?

--
Steve Blinkhorn <steve%prd.co.uk@localhost>

I wrote:
> 
> Hi Brad,
> 
> Well I think I know why there's an error now.  It looks as though on
> the 9.2 installations dnssec-keygen is the more recent version,
> without the HMAC-MD5 algorithm, whereas there is no tsig-keygen
> command/executable/manpage.
> 
> Should it be somewhere other than in the base.tar.xz set?
> 
> --
> Steve Blinkhorn <steve%prd.co.uk@localhost>
> 
> You wrote:
> > 
> > steve%prd.co.uk@localhost (Steve Blinkhorn) writes:
> > 
> > > This is getting ever more bizarre - my 9.2 installations both fail in exactly the same
> > > way, but /etc/openssl in one case is empty, in the other has lots going on.
> > >
> > > Do you - or does anyone else - know how to produce a TSIG that can be inspected,
> > > base64-decoded, and compared?  The related manpages are so dense, I can't find a way to
> > > get any purchase on the problem.
> > >
> > > I'm very grateful to you for sticking with this.  My wildcard certificate runs out
> > > tomorrow :-(
> > >
> > > --
> > > Steve Blinkhorn <steve%prd.co.uk@localhost>
> > 
> > 
> > Depending on which version of BIND you have you will use dnssec-keygen
> > or tsig-keygen.
> > 
> > cd to a clean temporary directory and do something like this:
> > 
> > dnssec-keygen -a HMAC-MD5 -b 64 -n HOST test.com
> > 
> > You will get two files.  Either one has the key in it, already base64
> > encoded.  It is this base64 encoded key that you provide to nsupdate
> > directly.
> > 
> > Here is a page about using dnssec-keygen and creating keys using it to
> > secure updates:
> > 
> > https://sort.veritas.com/public/documents/vie/7.1/aix/productguides/html/vcs_bundled_agents/ch03s09s06s06.htm
> > 
> > 
> > Using dnssec-keygen was always a bit of an abuse of the tool, so
> > tsig-keygen came out in later versions.  It works in a similar manner:
> > 
> > % tsig-keygen -a hmac-md5
> > key "tsig-key" {
> >         algorithm hmac-md5;
> >         secret "fvzwN5YnAQ6WyWJt2rmXFw==";
> > };
> > 
> > The secret, just like dnssec-keygen, is already base64 encoded and
> > should be used directly in nsupdate that way.  With the python certbot
> > scripts for Let's Encrypt, you also use this base64 encoded string
> > directly as well.
> > 
> > For TSIG the key name doesn't matter a whole lot; it need not be a zone
> > name for example, you just have to use the name in a consistent manner in
> > the BIND named.conf file (in the grant lines) and in the key config
> > files (i.e. the output from tsig-keygen).
> > 
> > 
> > 
> > -- 
> > Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
> > 
> 
> 

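The following is an added example, not code from anyone in this thread. It addresses Steve's question about producing a TSIG that can be inspected and compared, and Brad's point that the base64 secret from tsig-keygen or dnssec-keygen is used as-is and that the key name only has to agree at both ends. It computes the TSIG MAC the way RFC 2845/RFC 8945 specify (the request message followed by the TSIG variables: key name, class ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other data) using Python's standard hmac/hashlib/base64 modules. The secret is the sample one Brad posted; the message bytes are constructed placeholders, not a real DNS UPDATE packet. Running this on two hosts with the same key, message and time signed gives the same hex MAC, which is the comparison named performs before it accepts an update.

```python
"""Added example: compute and verify a TSIG MAC (RFC 2845 / RFC 8945).

Uses only the standard library.  KEY_NAME and SECRET_B64 are the sample
values from the tsig-keygen output quoted in the thread; SAMPLE_MESSAGE is
a constructed stand-in for the wire-format DNS message, not a real packet.
"""
import base64
import hashlib
import hmac
import struct
import time

KEY_NAME = "tsig-key"
SECRET_B64 = "fvzwN5YnAQ6WyWJt2rmXFw=="   # tsig-keygen output: already base64
SAMPLE_MESSAGE = b"\x00\x01" + b"\x28\x00" + b"\x00" * 28   # constructed bytes

# Operator-facing name -> (wire algorithm name, digest).  The wire name for
# HMAC-MD5 is the legacy "hmac-md5.sig-alg.reg.int"; SHA-2 names are plain.
ALGORITHMS = {
    "hmac-md5": ("hmac-md5.sig-alg.reg.int", hashlib.md5),
    "hmac-sha256": ("hmac-sha256", hashlib.sha256),
}


def secret_length_bits(secret_b64: str) -> int:
    """Decoded key length; tsig-keygen's default is 128 bits, dnssec-keygen -b 64 gives 64."""
    return len(base64.b64decode(secret_b64)) * 8


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a DNS name.

    TSIG digests the key name in canonical form, so 'tsig-key', 'TSIG-KEY'
    and 'tsig-key.' all sign identically; only a different name breaks it.
    """
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(key_name: str, alg_name: str, time_signed: int,
                   fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """NAME | CLASS=ANY(255) | TTL=0 | ALG | TIME(48 bits) | FUDGE | ERROR | OTHERLEN | OTHER."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)
            + wire_name(alg_name)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(message: bytes, key_name: str, secret_b64: str, algorithm: str,
             time_signed: int, fudge: int = 300) -> bytes:
    """MAC over the message plus the TSIG variables, keyed with the decoded secret."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    key = base64.b64decode(secret_b64)          # the only decoding step; done by the tool
    data = message + tsig_variables(key_name, alg_name, time_signed, fudge)
    return hmac.new(key, data, digestmod).digest()


def verify_tsig(message: bytes, key_name: str, secret_b64: str, algorithm: str,
                time_signed: int, mac: bytes, fudge: int = 300, now=None):
    """Server-side check: time window first (BADTIME), then constant-time MAC compare (BADSIG)."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    expected = tsig_mac(message, key_name, secret_b64, algorithm, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    return True, "NOERROR"


def key_clause(key_name: str, algorithm: str, secret_b64: str) -> str:
    """The named.conf / nsupdate -k key stanza; the same text works for both sides."""
    return (f'key "{key_name}" {{\n'
            f"        algorithm {algorithm};\n"
            f'        secret "{secret_b64}";\n'
            "};\n")


if __name__ == "__main__":
    ts = int(time.time())
    mac = tsig_mac(SAMPLE_MESSAGE, KEY_NAME, SECRET_B64, "hmac-md5", ts)
    print(key_clause(KEY_NAME, "hmac-md5", SECRET_B64))
    print("time signed:", ts, "mac:", mac.hex())
    print(verify_tsig(SAMPLE_MESSAGE, KEY_NAME, SECRET_B64, "hmac-md5", ts, mac))
```

To compare two installations, run the block on each with the same `SAMPLE_MESSAGE` and a fixed `time_signed`; identical hex MACs mean name, algorithm and secret agree, while a mismatch narrows the problem to one of those three (or to the secret having been base64-decoded a second time before use).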

