Panic Time! Key Generation Question

Torinthiel torinthiel at data.pl
Wed Apr 27 06:09:34 UTC 2011


On 04/27/11 07:52, Martin McCormick wrote:
> I changed our tsig key and broke the world. Actually, the DNS's
> are happy. DHCP appears to be happy, but I am generating bad
> keys.
> 
> I wrote a script as follows:
> 
> #! /bin/sh
> /usr/local/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST keyname
> 
> It produced a beautiful-looking key that bind was happy with in
> named.conf. Rndc worked after changing it there so I installed
> it in our production DNS's.
> 
> 	Then the fun started. I put it in dhcpd and it broke
> because there was at least one blank in the string.
> 
> 	After googling a bit, I used all after the blank. This
> made bind happy, still and dhcp worked but the original key no
> longer works so we can't do any manual dynamic updates until I
> install a key that actually works.
> 
> 	Everything I read says to generate the key in pretty
> much this manner so how can I get one that works everywhere
> without white spaces that will blow up dhcpd?
> 
> I guess I was lucky before that there were no spaces in the
> previous key.

Try deleting the space. Just this. dnssec-keygen inserts space for
readability purposes only. If you still have original *.key and
*.private files, you can check it yourself, that the Key field in
*.private contains exactly the same as *.key, minus the space.
Torinthiel
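
The check described in the reply above, as an added shell example that is not part of the original thread: it joins the space-separated secret fields of a `*.key` file and compares the result with the `Key:` line of the matching `*.private` file. The function names, the file stem and the key material are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, file names and the secret are constructed.
K='Kkeyname.+157+00000'   # hypothetical dnssec-keygen file stem

# Write a constructed K*.key / K*.private pair into directory $1.
make_sample() {
    cat > "$1/$K.key" <<'EOF'
keyname. IN KEY 512 3 157 QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVm Z2hpamtsbW5vcHFyc3R1dnd4eXowMQ==
EOF
    cat > "$1/$K.private" <<'EOF'
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMQ==
Bits: AAA=
EOF
}

# Secret from a *.key file: every field after "name IN KEY flags proto alg",
# concatenated with the readability spaces removed.
key_secret() {
    awk '$2 == "IN" && $3 == "KEY" {
        s = ""
        for (i = 7; i <= NF; i++) s = s $i
        print s
    }' "$1"
}

# Secret as stored on the "Key:" line of the matching *.private file.
private_secret() {
    awk '$1 == "Key:" { print $2 }' "$1"
}

# Succeeds only when both files hold the same non-empty secret.
secrets_match() {
    [ -n "$(key_secret "$1")" ] &&
        [ "$(key_secret "$1")" = "$(private_secret "$2")" ]
}

# Demo on the constructed pair: print the single-string secret to paste
# into named.conf and dhcpd once it is confirmed against the .private file.
d=$(mktemp -d)
make_sample "$d"
if secrets_match "$d/$K.key" "$d/$K.private"; then
    echo "secret without spaces: $(key_secret "$d/$K.key")"
else
    echo "secret in .key and .private differ" >&2
fi
rm -rf "$d"
```

Keep the generated files readable only by the account that manages the name server, since the joined string is the shared TSIG secret itself.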
