generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?

jasonsu at mail-central.com jasonsu at mail-central.com
Tue Apr 19 21:57:42 UTC 2016



On Tue, Apr 19, 2016, at 02:24 PM, Evan Hunt wrote:
> On Tue, Apr 19, 2016 at 07:40:38AM -0700, jasonsu at mail-central.com wrote:
> > I'm working on generating TSIG keys for use with my bind server.
> 
> I think you'll be happier if you use "tsig-keygen" instead of "dnssec-keygen".

Huh.  Didn't come across that in any of the example I was using :-/

Looks like tsig-keygen is also from bind

	rpm -q --whatprovides /usr/sbin/dnssec-keygen /usr/sbin/tsig-keygen
		bind-utils-9.10.3P4-215.1.x86_64
		bind-utils-9.10.3P4-215.1.x86_64

I'll sure read up and give tsig-keygen a try.

But, why's using dnssec-keygen 'bad' for TSIG ?  Apart from all the online tutes that refer to it, from its manpage

	DESCRIPTION
	       dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and
	       RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as
	       defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.

I'd still like to at least understand what the problem is.

Jason


More information about the bind-users mailing list