dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key

Chris Buxton cbuxton at menandmice.com
Fri May 9 23:27:20 UTC 2008

A zone key is a DNSSEC key. A host key is a TSIG key. Based on your  
keyname, I'm going to guess you're aiming for a TSIG key here - if I'm  
not mistaken, a DNSSEC key must have the same name as the zone it will  
be used to sign.

In which case, it sounds like previous versions of dnssec-keygen were  
just silently switching to host keys on your behalf. In which case,  
there should be no downside at all to fixing your scripts.

What type of output files are you expecting from this command? Two  
files containing the same secret, or a "Kname.+nnn.+nnnnn.private"  
file that contains exponents and primes and such? If you're looking  
for the same secret in both files, then you're really looking for a  
host key.

Chris Buxton
Professional Services
Men & Mice

On May 9, 2008, at 4:02 PM, blrmaani wrote:

> I used to successfully generate keys when I have BIND 9.2 installed on
> my host using the following
> commandline
> # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
> I upgraded my host to with BIND 9.3 and used the same command line
> above to get the following
> error:
> # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
> dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key
> What exactly changed? What is the alternative? If I use HOST instead
> of ZONE what impact will it
> have on the generated keys?
> I can't downgrade to BIND 9.2 just to make the above work. Also I
> can't have BIND 9.2 and BIND 9.3 both
> on my host.
> All my script may require change. But please let me know the side
> effect?
> thanks
> Blr

More information about the bind-users mailing list