Format of 'dig -k' "TSIG key file"?

Joseph S D Yao jsdy at
Fri Aug 21 21:52:27 UTC 2009

After some experimenting, here is the whole answer, hinted at by one
response on this mailing list.

On Thu, Jul 30, 2009 at 05:40:54PM -0400, Joseph S D Yao wrote:
> In dig(1), the '-k' option is said to require a "TSIG key file" as an
> option.  I have a TSIG file with a comment header and the following:
> key mynet. { algorithm hmac-md5; secret "Ain/tGonnaTellNoWay=="; };
> Running
> 	dig -k mynet.key axfr
> gives me,
> 	Couldn't read key from mynet.key: label too long
> Removing the comment header gives me,
> 	Couldn't read key from mynet.key: unexpected token
> OK.  Maybe 'dig' wants a KEY resource record file that looks like it
> came out of 'dnssec-keygen'.  I changed it to:
> 	mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==
> and the same command line, on a perfectly readable file, says:
> 	Couldn't read key from mynet.key: file not found

It turned out that this latter file was needed, but for some
inexplicable reason perhaps having to do with library routines [I have
not gone chasing down the code], it ALSO wants the "mynet.private" file!
So I created one:
	Private-key-format: v1.2
	Algorithm: 157 (HMAC_MD5)
	Key: Ain/tGonnaTellNoWay==
The hinted-at part that I had to test to find out is that it needed me
to create BOTH files from the "named.conf" include file, even though the
key and algorithm are the same in both.

	dig -k mynet.key axfr

Thanks for all the public and especially the private discussion of this!

** Joe Yao				jsdy at - Joseph S. D. Yao

More information about the bind-users mailing list