Bind9.2 dnssec-keygen problem in Redhat Linux

Martin McCormick martin at
Sun Mar 13 06:15:09 UTC 2005

	I have set up bind9 on several FreeBSD systems and now, I need
to make it work on a recent-vintage Redhat platform.  It appears to
behave exactly as expected except for one show-stopper of a problem.

	I generated tsig keys with the following command:

/usr/sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST hostname.domain-keyname

	It generates two perfectly good-looking keys that never work
with the complaint being an invalid signature.

Mar 13 00:21:07.829 client request has invalid signature: tsig verify failure

	I've spent the entire day off and on beating my head on this
one, trying several sets of keys, etc.  What could it be?
The dnssec-keygen command is actually lifted from one I used for years
on FreeBSD to generate keys that worked.  I tried 128 and 512-bit
keys.  By the way, rndc commands do work fine and I tried zone
transfers both from the localhost and a remote host with  exactly the
same negative results which kind of rules out clock problems.

	Thanks for any helpful ideas.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Information Technology Division Network Operations Group

More information about the bind-users mailing list