BIND 9.11.2, named-checkconf barfs on cookie-secret

Ingeborg Hellemo ingeborg.hellemo at
Wed Jan 3 12:48:28 UTC 2018

I want to upgrade to BIND 9.11.2.

I have an anycast cluster and want to pre-set the server cookie string with 
option cookie-secret.

My problem is that named-checkconf complains about the length of the 
cookie-secret regardless of how I set cookie-secret and cookie-algorithm:

options {
        cookie-secret "b603f51bdd19cd343da445d207b728e1";

~/#named-checkconf /etc/namedb/named.conf
/etc/namedb/named.conf:33: SHA1 cookie-secret must be on 160 bits
/etc/namedb/named.conf:33: SHA256 cookie-secret must be on 256 bits

If I change to

options {
        cookie-algorithm sha256;
        cookie-secret "f974e9f8435c7b3da20940e3b073b1800b8d3637425ac743f21a3b57

~/#named-checkconf /etc/namedb/named.conf
/etc/namedb/named.conf:34: AES cookie-secret must be on 128 bits
/etc/namedb/named.conf:34: SHA1 cookie-secret must be on 160 bits

~/#named-checkconf -v

What am I missing?  Bug in named-checkconf?


Ingeborg Østrem Hellemo  --  ingeborg.hellemo at
Dep. of Information Technology  ---  Univ. of Tromsø
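
An added example, not part of the original post: a Python check that reports how many bits a cookie-secret holds and which of the sizes named in the named-checkconf messages above it matches, independently of named-checkconf. It assumes the secret is a hex string; the function names and the second sample configuration are constructed for illustration.

```python
import re

# Secret sizes in bits, as stated by the named-checkconf messages in the post.
REQUIRED_BITS = {"aes": 128, "sha1": 160, "sha256": 256}

ALGO_RE = re.compile(r'\bcookie-algorithm\s+"?(\w+)"?\s*;')
SECRET_RE = re.compile(r'\bcookie-secret\s+"([^"]*)"\s*;')
HEX_RE = re.compile(r'(?:[0-9a-fA-F]{2})+')


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out options are ignored."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(?://|#)[^\n]*', '', text)


def check_cookie_secrets(conf_text):
    """Return one dict per cookie-secret found in conf_text.

    'ok' is True/False when cookie-algorithm is set, and None when it is
    absent (the effective algorithm is then the server default, which this
    script does not know).
    """
    text = strip_comments(conf_text)
    m = ALGO_RE.search(text)
    algorithm = m.group(1).lower() if m else None
    results = []
    for secret in SECRET_RE.findall(text):
        if not HEX_RE.fullmatch(secret):  # empty, odd length or non-hex
            results.append({"algorithm": algorithm, "bits": None,
                            "fits": [], "ok": False})
            continue
        bits = len(secret) * 4  # each hex digit carries 4 bits
        fits = sorted(a for a, b in REQUIRED_BITS.items() if b == bits)
        ok = None if algorithm is None else REQUIRED_BITS.get(algorithm) == bits
        results.append({"algorithm": algorithm, "bits": bits,
                        "fits": fits, "ok": ok})
    return results


# First configuration from the post (closing brace added so it is complete).
POST_CONF = 'options {\n    cookie-secret "b603f51bdd19cd343da445d207b728e1";\n};\n'
# Constructed sample: sha256 with a made-up 64-hex-digit secret.
SHA256_CONF = ('options {\n    cookie-algorithm sha256;\n    cookie-secret "'
               + "00112233445566778899aabbccddeeff" * 2 + '";\n};\n')

if __name__ == "__main__":
    for name, conf in (("post", POST_CONF), ("sha256 sample", SHA256_CONF)):
        print(name, check_cookie_secrets(conf))
```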
