<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Oh, please do not forget to generate new my-tsig after sharing
your current with all of us.</p>
<p>Next time please use named-checkconf -px <span
style="white-space: pre-wrap">named.conf.tsigkeys to filter out secrets.</span></p>
<p><span style="white-space: pre-wrap">As Anand already wrote, shared keys are not asymmetric keys generated by dnssec-keygen. That have been split since 9.16 into separate generators focused only on shared keys. Use tsig-keygen or ddns-confgen to create shared keys. dnssec-keygen is now only for generating keys with .private part, which are used in DNSSEC signing only, used in zone files. Usually not for anything related to ACLs, as for example dynamic updates. ddns-confgen is exactly for that.</span></p>
<p><span style="white-space: pre-wrap">Cheers,
Petr
</span></p>
<div class="moz-cite-prefix">On 1/11/24 12:58, trgapp16 via
bind-users wrote:<br>
</div>
<blockquote type="cite" cite="mid:20240111113423.M79668@cdot.in">
<pre class="moz-quote-pre" wrap="">Hello,
Bind version - 9.18.12
-->This is the command I used for generating dnssec-keygen keys -
root@dhcpt: /etc/bind# dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
Kexample.com.+013+43215.key
Kexample.com.+013+43215.private
root@dhcpt:/etc/bind# cat Kexample.com.+013+43215.private
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk=
Created: 20240111045202
Publish: 20240111045202
Activate: 20240111045202
-->With help of the private key i generated one file with name "named.conf.tsigkeys" at
/etc/bind -
root@dhcpt:/etc/bind# cat named.conf.tsigkeys
key "my-tsig" {
algorithm "ECDSAP256SHA256";
secret "ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk=";
};
--> below is the error received when i restart named service
root@dhcpt:/etc/bind# named-checkconf
/etc/bind/named.conf.tsigkeys:2: unknown algorithm 'ECDSAP256SHA256'
Any help is greatly appreciated.
Regards,
Mounika
On Thu, 11 Jan 2024 15:49:18 +1100, Mark Andrews wrote
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Firstly show what you are actually doing. It it too much for you to actually
cut-and-paste what you are doing?
Secondly BIND 9.18 is at 9.18.22. Version 9.18.8 is seriously out of date.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 11 Jan 2024, at 15:21, pvs via bind-users <a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org"><bind-users@lists.isc.org></a> wrote:
Hello,
I'm using ubuntu 22.04 server on which bind 9.18.8 service is running.
I'm trying to generate dnssec-key by using the command "dnssec-keygen -a RSASHA512
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">-b 2048 -n zone example.com"
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
After doing this, it is generating both public key and private key. When I generate
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">a file with aprivate key in /etc/bind directory, it is throwing error 'unknown
algorithm 'RSASHA512'
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Same error is thrown when tried with other algorithms like ECDSAP256SHA256, RSASHA1,
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">RSASHA256 etc
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Any help is greatly appreciated.
--
Regards,
पं. विष्णु शंकर P. Vishnu Sankar
टीम लीडर Team Leader-Network Operations
सी-डॉट C-DOT
इलैक्ट्रॉनिक्स सिटी फेज़ I Electronics City Phase I
होसूर रोड बेंगलूरु Hosur Road Bengaluru – 560100
फोन Ph 91 80 25119466
------------------------------------------------------
Disclaimer :
This email and any files transmitted with it are confidential and intended solely
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">for the use of the individual or entity to whom they are addressed.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">If you are not the intended recipient you are notified that disclosing, copying,
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">distributing or taking any action in reliance on the contents of this information is
strictly prohibited.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">The sender does not accept liability for any errors or omissions in the contents of
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">this message, which arise as a result.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">--
Visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">list
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
ISC funds the development of this software with paid support subscriptions. Contact
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: <a class="moz-txt-link-abbreviated" href="mailto:marka@isc.org">marka@isc.org</a>
--
Visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information.
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
### Please consider the environment and print this email only if necessary . Go Green
###
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Disclaimer :
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you are not the intended recipient you are notified that disclosing,
copying, distributing or taking any action in reliance on the contents of this
information is strictly prohibited. The sender does not accept liability
for any errors or omissions in the contents of this message, which arise as a
result.
--
Open WebMail Project (<a class="moz-txt-link-freetext" href="http://openwebmail.org">http://openwebmail.org</a>)
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer, RHEL
Red Hat, <a class="moz-txt-link-freetext" href="https://www.redhat.com/">https://www.redhat.com/</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
</body>
</html>