Format of 'dig -k' "TSIG key file"?

Joseph S D Yao jsdy at tux.org
Thu Jul 30 21:40:54 UTC 2009


I assume someone can answer this; but Google has not been able to be my
friend on this one.

In dig(1), the '-k' option is said to require a "TSIG key file" as an
option.  I have a TSIG file with a comment header and the following:

key mynet. { algorithm hmac-md5; secret "Ain/tGonnaTellNoWay=="; };

[OK, so I changed the secret! and flattened it to one line.]

Running
	dig -k mynet.key axfr example.zone @other.example.zone
gives me,
	Couldn't read key from mynet.key: label too long
///////////////////////////////////////////////////////////////////////
// Hmmm.  The first line of the comment is 71 characters (like this),
// and it must not like the comment.
///////////////////////////////////////////////////////////////////////

Removing the comment header gives me,
	Couldn't read key from mynet.key: unexpected token

OK.  Maybe 'dig' wants a KEY resource record file that looks like it
came out of 'dnssec-keygen'.  I changed it to:
	mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==
and the same command line, on a perfectly readable file, says:
	Couldn't read key from mynet.key: file not found

What does work is:
	dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zone
but I really, really find this not altogether pleasant.

Plus, I'm curious to know what 'dig -k' really wants to see.

Possibly irrelevant, but the real key is 88 characters long (including
'=' pads).  It was sent me by the owners of the other.example.zone name
server.

Thanks in advance!


-- 
/*********************************************************************\
**
** Joe Yao				jsdy at tux.org - Joseph S. D. Yao
**
\*********************************************************************/
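As an added example (not part of the original post), a small Python parser for the named.conf-style `key` statement the post shows: it strips the `//` comment header, extracts name, algorithm and secret, checks that the secret is well-formed base64, and derives the equivalent `dig -y [hmac:]name:secret` argument that the post reports as working. The statement syntax is the one from the post; the parsing logic, the constructed sample file and its placeholder secret are assumptions of this example, and block comments (`/* */`) are not handled.

```python
import base64
import binascii
import re

# Constructed key file in the same shape as the one in the post: a '//'
# comment header plus a one-line named.conf-style `key` statement.
# The secret here is the base64 of the constructed value b"0123456789abcdef".
SAMPLE_KEY_FILE = """\
///////////////////////////////////////////////////////////////////////
// TSIG key for transfers from other.example.zone (constructed sample)
///////////////////////////////////////////////////////////////////////
key mynet. { algorithm hmac-md5; secret "MDEyMzQ1Njc4OWFiY2RlZg=="; };
"""

# named.conf `key` statement: key NAME { algorithm ALG; secret "B64"; };
KEY_STMT = re.compile(
    r'key\s+(?P<name>[^\s{]+)\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w.-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;?'
)

def strip_comments(text):
    """Drop whole-line '//' and '#' comments so the parser never sees the
    header that the post suspects dig choked on."""
    return "\n".join(line for line in text.splitlines()
                     if not line.strip().startswith(("//", "#")))

def parse_key_file(text):
    """Return (name, algorithm, secret_bytes) from a key statement, or
    raise ValueError naming the malformed part."""
    m = KEY_STMT.search(strip_comments(text))
    if m is None:
        raise ValueError("no 'key NAME { algorithm ...; secret \"...\"; };' found")
    name, alg, b64 = m.group("name"), m.group("alg").lower(), m.group("secret")
    if not name.endswith("."):
        name += "."  # TSIG key names are fully qualified domain names
    # RFC 4648 base64 with padding is always a multiple of 4 characters;
    # checking this first gives a clearer error than the decoder's message.
    if len(b64) % 4 != 0:
        raise ValueError(f"secret length {len(b64)} is not a multiple of 4")
    try:
        secret = base64.b64decode(b64, validate=True)
    except binascii.Error as e:
        raise ValueError(f"secret is not valid base64: {e}") from e
    return name, alg, secret

def dig_y_argument(text):
    """Build the 'dig -y [hmac:]name:secret' value, the form the post
    reports as working, from the parsed key file."""
    name, alg, secret = parse_key_file(text)
    return f"{alg}:{name}:{base64.b64encode(secret).decode()}"
```

Run against the post's own one-liner, the parser rejects its placeholder secret (21 characters, not a multiple of 4), which the author notes was altered before posting.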



More information about the bind-users mailing list