Format of 'dig -k' "TSIG key file"?
Mark Andrews
marka at isc.org
Fri Jul 31 05:32:48 UTC 2009
In message <20090730174054.H23872 at gwyn.tux.org>, Joseph S D Yao writes:
> I assume someone can answer this; but Google has not been able to be my
> friend on this one.
>
> In dig(1), the '-k' option is said to require a "TSIG key file" as an
> option. I have a TSIG file with a comment header and the following:
>
> key mynet. { algorithm hmac-md5; secret "Ain/tGonnaTellNoWay=="; };
>
> [OK, so I changed the secret! and flattened it to one line.]
>
> Running
> dig -k mynet.key axfr example.zone @other.example.zone
> gives me,
> Couldn't read key from mynet.key: label too long
> ///////////////////////////////////////////////////////////////////////
> // Hmmm. The first line of the comment is 71 characters (like this),
> // and it must not like the comment.
> ///////////////////////////////////////////////////////////////////////
>
> Removing the comment header gives me,
> Couldn't read key from mynet.key: unexpected token
>
> OK. Maybe 'dig' wants a KEY resource record file that looks like it
> came out of 'dnssec-keygen'. I changed it to:
> mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==
> and the same command line, on a perfectly readable file, says:
> Couldn't read key from mynet.key: file not found
>
> What does work is:
> dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zo
> ne
> but I really, really find this not altogether pleasant.
>
> Plus, I'm curious to know what 'dig -k' really wants to see.
A keyfile as generated by "dnssec-keygen -a HMAC-*".
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512.
e.g.
% /usr/local/sbin/dnssec-keygen -a HMAC-SHA512 -n host -b 512 foo
Kfoo.+165+63966
% /usr/local/bin/nsupdate -k Kfoo.+165+63966
> quit
% more Kfoo.+165+63966.private
Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: 7f+EK0fXRFuOb71yYWuTSxo8CFyTuDiv09MAxaJ1kz4RPgJpb1sOmoj1DVgld3YO9N6zTGirqMKjnw45M8JZUQ==
Bits: AAA=
Created: 20090731052825
% more Kfoo.+165+63966.key
foo. IN KEY 512 3 165 7f+EK0fXRFuOb71yYWuTSxo8CFyTuDiv09MAxaJ1kz4RPgJpb1sOmoj1 DVgld3YO9N6zTGirqMKjnw45M8JZUQ==
%
> Possibly irrelevant, but the real key is 88 characters long (including
> '=' pads). It was sent me by the owners of the other.example.zone name
> server.
> C-SHA512
> Thanks in advance!
>
>
--
> /*********************************************************************\
> **
> ** Joe Yao jsdy at tux.org - Joseph S. D. Yao
> **
> \*********************************************************************/
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list