generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?
    jasonsu at mail-central.com 
    Tue Apr 19 21:57:42 UTC 2016
    
    
  
On Tue, Apr 19, 2016, at 02:24 PM, Evan Hunt wrote:
> On Tue, Apr 19, 2016 at 07:40:38AM -0700, jasonsu at mail-central.com wrote:
> > I'm working on generating TSIG keys for use with my bind server.
> 
> I think you'll be happier if you use "tsig-keygen" instead of "dnssec-keygen".
Huh.  Didn't come across that in any of the examples I was using :-/
Looks like tsig-keygen is also from bind
	rpm -q --whatprovides /usr/sbin/dnssec-keygen /usr/sbin/tsig-keygen
		bind-utils-9.10.3P4-215.1.x86_64
		bind-utils-9.10.3P4-215.1.x86_64
I'll sure read up and give tsig-keygen a try.
But, why's using dnssec-keygen 'bad' for TSIG?  Apart from all the online tutes that refer to it, from its manpage:
	DESCRIPTION
	       dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and
	       RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as
	       defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
I'd still like to at least understand what the problem is.
Jason
    
    