generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?

Evan Hunt each at
Wed Apr 20 00:19:30 UTC 2016

> Sure that's what I was doing anyway.
> To be clean, I'm not saying it's bad.
> It's returning the "bad key type" .
> I'm just trying to understand what the problem is.

I'm sorry, I hadn't read your initial message clearly enough.

The "bad key type" message is a bug; it's been there for a while
but I never noticed it, probably because I never ran dnssec-keygen
twice in a row for the same name before.  It's cosmetic and harmless,
but I'll open a ticket to fix it.  I may not get to it very soon,

What's happening is dnssec-keygen is looking for an existing
key whose keytag collides with the one just generated; it finds
a key file from the first time you ran dnssec-keygen, opens it,
and then complains because it contains type KEY instead of type
DNSKEY.  KEY is in fact what *should* be there, but the collision-
checking function is expectingly DNSKEY, and so it complains.

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list