Format of 'dig -k' "TSIG key file"?

Mark Andrews marka at isc.org
Fri Jul 31 05:32:48 UTC 2009


In message <20090730174054.H23872 at gwyn.tux.org>, Joseph S D Yao writes:
> I assume someone can answer this; but Google has not been able to be my
> friend on this one.
> 
> In dig(1), the '-k' option is said to require a "TSIG key file" as an
> option.  I have a TSIG file with a comment header and the following:
> 
> key mynet. { algorithm hmac-md5; secret "Ain/tGonnaTellNoWay=="; };
> 
> [OK, so I changed the secret! and flattened it to one line.]
> 
> Running
> 	dig -k mynet.key axfr example.zone @other.example.zone
> gives me,
> 	Couldn't read key from mynet.key: label too long
> ///////////////////////////////////////////////////////////////////////
> // Hmmm.  The first line of the comment is 71 characters (like this),
> // and it must not like the comment.
> ///////////////////////////////////////////////////////////////////////
> 
> Removing the comment header gives me,
> 	Couldn't read key from mynet.key: unexpected token
> 
> OK.  Maybe 'dig' wants a KEY resource record file that looks like it
> came out of 'dnssec-keygen'.  I changed it to:
> 	mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==
> and the same command line, on a perfectly readable file, says:
> 	Couldn't read key from mynet.key: file not found
> 
> What does work is:
> 	dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zone
> but I really, really find this not altogether pleasant.
> 
> Plus, I'm curious to know what 'dig -k' really wants to see.

A keyfile as generated by "dnssec-keygen -a HMAC-*".

HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512.

e.g.
% /usr/local/sbin/dnssec-keygen -a HMAC-SHA512 -n host -b 512 foo
Kfoo.+165+63966
% /usr/local/bin/nsupdate -k Kfoo.+165+63966
> quit
% more Kfoo.+165+63966.private 
Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: 7f+EK0fXRFuOb71yYWuTSxo8CFyTuDiv09MAxaJ1kz4RPgJpb1sOmoj1DVgld3YO9N6zTGirqMKjnw45M8JZUQ==
Bits: AAA=
Created: 20090731052825
% more Kfoo.+165+63966.key 
foo. IN KEY 512 3 165 7f+EK0fXRFuOb71yYWuTSxo8CFyTuDiv09MAxaJ1kz4RPgJpb1sOmoj1 DVgld3YO9N6zTGirqMKjnw45M8JZUQ==
%

> Possibly irrelevant, but the real key is 88 characters long (including
> '=' pads).  It was sent me by the owners of the other.example.zone name
> server.
> C-SHA512
> Thanks in advance!
> 
> 
> -- 
> /*********************************************************************\
> **
> ** Joe Yao				jsdy at tux.org - Joseph S. D. Yao
> **
> \*********************************************************************/
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


