generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?

Evan Hunt each at
Tue Apr 19 23:25:07 UTC 2016

On Tue, Apr 19, 2016 at 02:57:42PM -0700, jasonsu at wrote:
> Looks like tsig-keygen is also from bind
> 	rpm -q --whatprovides /usr/sbin/dnssec-keygen /usr/sbin/tsig-keygen
> 		bind-utils-9.10.3P4-215.1.x86_64
> 		bind-utils-9.10.3P4-215.1.x86_64
> I'll sure read up and give tsig-keygen a try.
> But, why's using dnssec-keygen 'bad' for TSIG ?  Apart from all the
> online tutes that refer to it, from its manpage

It's not "bad", dnssec-keygen can generate TSIG keys fine, it's just that
it's cumbersome to remember all the options, and the keys are generated in
a format that isn't directly useful.

    $ dnssec-keygen -a hmac-sha256 -b 256 -n host
    $ cat IN KEY 512 3 163 n7P55owwAgF5Ky9pts1jvGRtPoRy5tLl2RwAzRnyQvI=

To make this useful in named.conf, you have to cut and paste, thus:

    key "" {
        algorithm hmac-sha256;
        secret "n7P55owwAgF5Ky9pts1jvGRtPoRy5tLl2RwAzRnyQvI=";
    };
...whereas that's exactly the format you'd get by simply typing

(The name "tsig-keygen" was introduced in BIND 9.10; prior to that,
the tool was called "ddns-confgen", and it did essentially the same
thing as it does now, but with some extra comments in the output.)

Evan Hunt -- each at
Internet Systems Consortium, Inc.
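The cut-and-paste step described in the post (KEY record from dnssec-keygen into a named.conf `key` stanza), as an added Python example that is not part of this post or of BIND. The owner name `example-tsig.` is a constructed sample, and the algorithm-number table is BIND's private-use numbering for HMAC keys (163 is hmac-sha256, matching the `cat` output above).

```python
import base64
import re

# BIND's private-use algorithm numbers for HMAC (TSIG) keys as written in the
# ".key" file dnssec-keygen produces; the "163" in the post's output is hmac-sha256.
HMAC_ALGORITHMS = {
    157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
    163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512",
}

# owner [ttl] IN KEY flags protocol algorithm base64-secret
KEY_RR = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+KEY\s+\d+\s+\d+\s+(?P<alg>\d+)\s+"
    r"(?P<secret>[A-Za-z0-9+/=\s]+)$"
)

def key_rr_to_named_conf(rr_text: str) -> str:
    """Turn the KEY record dnssec-keygen prints into a named.conf 'key' stanza.

    Rejects non-HMAC algorithms (e.g. a pasted DNSKEY) and secrets that are not
    valid base64, so a bad paste fails here rather than when named loads it.
    """
    m = KEY_RR.match(rr_text.strip())
    if not m:
        raise ValueError("not a KEY resource record")
    alg = int(m.group("alg"))
    if alg not in HMAC_ALGORITHMS:
        raise ValueError(f"algorithm {alg} is not a TSIG HMAC algorithm")
    secret = "".join(m.group("secret").split())  # rejoin a line-wrapped secret
    base64.b64decode(secret, validate=True)  # binascii.Error on bad input
    name = m.group("name").rstrip(".")
    return (
        f'key "{name}" {{\n'
        f"    algorithm {HMAC_ALGORITHMS[alg]};\n"
        f'    secret "{secret}";\n'
        "};\n"
    )

def is_tsig_key_rr(rr_text: str) -> bool:
    """True if the line converts cleanly (binascii.Error is a ValueError)."""
    try:
        key_rr_to_named_conf(rr_text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: owner name is made up, the secret is the one in the post.
    print(key_rr_to_named_conf(
        "example-tsig. IN KEY 512 3 163 n7P55owwAgF5Ky9pts1jvGRtPoRy5tLl2RwAzRnyQvI="), end="")
```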
