dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key
Chris Buxton
cbuxton at menandmice.com
Fri May 9 23:27:20 UTC 2008
A zone key is a DNSSEC key. A host key is a TSIG key. Based on your
keyname, I'm going to guess you're aiming for a TSIG key here - if I'm
not mistaken, a DNSSEC key must have the same name as the zone it will
be used to sign.
In which case, it sounds like previous versions of dnssec-keygen were
just silently switching to host keys on your behalf. In which case,
there should be no downside at all to fixing your scripts.
What type of output files are you expecting from this command? Two
files containing the same secret, or a "Kname.+nnn.+nnnnn.private"
file that contains exponents and primes and such? If you're looking
for the same secret in both files, then you're really looking for a
host key.
Chris Buxton
Professional Services
Men & Mice
On May 9, 2008, at 4:02 PM, blrmaani wrote:
> I used to successfully generate keys when I have BIND 9.2 installed on
> my host using the following
> commandline
>
> # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> I upgraded my host to with BIND 9.3 and used the same command line
> above to get the following
> error:
>
> # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key
>
> What exactly changed? What is the alternative? If I use HOST instead
> of ZONE what impact will it
> have on the generated keys?
>
> I can't downgrade to BIND 9.2 just to make the above work. Also I
> can't have BIND 9.2 and BIND 9.3 both
> on my host.
>
> All my script may require change. But please let me know the side
> effect?
>
> thanks
> Blr
>
More information about the bind-users
mailing list