generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?

jasonsu at jasonsu at
Tue Apr 19 21:57:42 UTC 2016

On Tue, Apr 19, 2016, at 02:24 PM, Evan Hunt wrote:
> On Tue, Apr 19, 2016 at 07:40:38AM -0700, jasonsu at wrote:
> > I'm working on generating TSIG keys for use with my bind server.
> I think you'll be happier if you use "tsig-keygen" instead of "dnssec-keygen".

Huh.  Didn't come across that in any of the example I was using :-/

Looks like tsig-keygen is also from bind

	rpm -q --whatprovides /usr/sbin/dnssec-keygen /usr/sbin/tsig-keygen

I'll sure read up and give tsig-keygen a try.

But, why's using dnssec-keygen 'bad' for TSIG ?  Apart from all the online tutes that refer to it, from its manpage

	       dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and
	       RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as
	       defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.

I'd still like to at least understand what the problem is.


More information about the bind-users mailing list