dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key

blrmaani blrmaani at gmail.com
Sun May 11 16:09:50 UTC 2008


I checked the source code for dnssec-keygen.c (BIND 9.2.9 and BIND 9.3.x) and
found out that the code now checks for the options as follows:

<extract from diff BIND 9.3.x and BIND 9.2.9 follows...>
...

308,312d299
<       if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
<           (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
<               fatal("a key with algorithm '%s' cannot be a zone
key",
<                     algname);
<
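Review bot: the new check rejects zone-key status only for two hand-enumerated algorithm numbers (`DNS_KEYALG_DH` and `DST_ALG_HMACMD5`), so of the HMAC family it catches HMAC-MD5 alone, even though the reply below states that HMAC-* and DH keys in general are not zone keys; any further MAC algorithm added to dnssec-keygen would silently pass this test unless appended here, so a check on whether the algorithm is a MAC rather than a public-key algorithm would be more robust than matching individual algorithm constants. Two smaller points on the same lines: the condition mixes the `DNS_KEYALG_` and `DST_ALG_` constant families in one expression, and the `fatal()` message says what is wrong but not what to do, which is exactly what this thread had to ask; appending something like `"; use -n HOST for TSIG keys"` would save users the round trip.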

This check wasn't in the dnssec-keygen tool supplied with BIND 9.2.x. Not
sure if there is a tracking BIND bug ID for this fix.

cheers
Blr
On May 9, 8:13 pm, Mark Andrews <Mark_Andr... at isc.org> wrote:
> > I used to successfully generate keys when I had BIND 9.2 installed on
> > my host, using the following command line:
>
> > # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> > I upgraded my host to BIND 9.3 and used the same command line above,
> > only to get the following error:
>
> > # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> > dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key
>
> > What exactly changed?
>
>         -n ZONE sets appropriate KEY/DNSKEY flags.
>
>         HMAC-* and DH keys are not zone keys.
>
> > What is the alternative?
>
>         -n HOST
>
> > If I use HOST instead of ZONE what impact will it have on the
> > generated keys?
>
>         none.
>
> > I can't downgrade to BIND 9.2 just to make the above work. Also I
> > can't have both BIND 9.2 and BIND 9.3 on my host.
>
> > All my scripts may require changes. But please let me know the side
> > effects?
>
> > thanks
> > Blr
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andr... at isc.org
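The following is an added example, not code from this post or from BIND, that illustrates Mark Andrews' answer above: switching from -n ZONE to -n HOST has no effect on a TSIG deployment because named and nsupdate only consume the base64 secret from the .private file, while the owner type only changes the flags field of the .key file. The file contents below are constructed stand-ins for what dnssec-keygen writes; the KEY record type and the flag values 512 (HOST) and 256 (ZONE) are assumptions drawn from typical output, and the secret is a dummy value (base64 of "1234567890abcdef").

```sh
#!/bin/sh
# Added example for this thread; it is not code from the post or from BIND.
# It shows why "-n HOST" with impact "none" holds for an HMAC-MD5 TSIG key:
# named and nsupdate only consume the base64 secret from the .private file,
# and the owner type (-n ZONE vs -n HOST) only changes the flags field of
# the .key file.
set -eu

# Constructed stand-ins for what
#   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST mykey-otherkey
# writes as Kmykey-otherkey.+157+<id>.key and .private. The flag values
# (512 for HOST, 256 for ZONE) and the KEY record type are assumptions
# drawn from typical output; the secret is base64("1234567890abcdef"),
# a dummy value for illustration only.
SAMPLE_KEY_HOST='mykey-otherkey. IN KEY 512 3 157 MTIzNDU2Nzg5MGFiY2RlZg=='
SAMPLE_KEY_ZONE='mykey-otherkey. IN KEY 256 3 157 MTIzNDU2Nzg5MGFiY2RlZg=='
SAMPLE_PRIVATE='Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: MTIzNDU2Nzg5MGFiY2RlZg=='

# Secret from .private contents on stdin: the only field TSIG needs.
tsig_secret() {
    sed -n 's/^Key: //p'
}

# Base64 secret (7th field) from a .key line on stdin.
key_secret() {
    awk '$3 == "KEY" || $3 == "DNSKEY" { print $7 }'
}

# Flags field (4th column) from a .key line on stdin.
key_flags() {
    awk '$3 == "KEY" || $3 == "DNSKEY" { print $4 }'
}

# Owner type implied by the flags field, i.e. what -n was given.
owner_type() {
    case "$1" in
        256) echo ZONE ;;
        512) echo HOST ;;
        *)   echo OTHER ;;
    esac
}

# named.conf key clause for the secret in a .private file on stdin.
# $1 = key name, $2 = algorithm (defaults to hmac-md5 to match the thread;
# hmac-sha256 is the sensible choice on current named).
tsig_key_clause() {
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
        "$1" "${2:-hmac-md5}" "$(tsig_secret)"
}

# Demonstration against the constructed samples.
host_secret=$(printf '%s\n' "$SAMPLE_KEY_HOST" | key_secret)
zone_secret=$(printf '%s\n' "$SAMPLE_KEY_ZONE" | key_secret)
if [ "$host_secret" = "$zone_secret" ]; then
    echo "same secret; only the flags differ:" \
        "HOST=$(printf '%s\n' "$SAMPLE_KEY_HOST" | key_flags)" \
        "ZONE=$(printf '%s\n' "$SAMPLE_KEY_ZONE" | key_flags)"
fi
printf '%s\n' "$SAMPLE_PRIVATE" | tsig_key_clause mykey-otherkey
```

The same secret pasted into the key clause on both peers is all that TSIG signing and verification use, which is why the flags carried in the .key file (and therefore the -n argument) do not matter. Two caveats for anyone reusing this today: current BIND releases generate TSIG secrets with tsig-keygen rather than dnssec-keygen, and hmac-md5 should be replaced by hmac-sha256 wherever the peer supports it.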


