DNSSEC algorithms
Josef Moellers
jmoellers at suse.de
Thu Jul 8 14:17:37 UTC 2021
Hello Tony,
On 08.07.21 15:46, Tony Finch wrote:
> Josef Moellers <jmoellers at suse.de> wrote:
>>
>> I'm a bit confused: genDDNSkey (or dnssec-keygen for that matter)
>> apparently generates keys using "rsasha512" as the algorithm but bind
>> and its utilities do not know this, they *only* know hmac-* algorithms.
>
> I think genDDNSkey is a SuSE-specific thing?
Yes, it appears so. I had already started wondering why it was in a
special archive "vendor-files" and I could not find it elsewhere. I even
downloaded ISC's dhcp code and built it, but I still couldn't find it.
Then I noticed a small on https://inai.de/linux/adm_ddns
"Peter Poeml from SUSE wrote a small HOWTO and a DDNS key frontend shell
script"
I guess I'm getting old ... sigh.
> There have been some changes in this area in BIND: dnssec-keygen used to
> be a bit awkward because it would generate DNSKEY public/private pairs,
> and also TSIG secrets, which are quite different things that are used in
> very different ways.
>
> Since BIND 9.9, it has been easier to use tsig-keygen and ddns-confgen to
> generate TSIG keys. In 9.13, TSIG support was removed from dnssec-keygen,
> so now it is just for DNSKEY (and KEY for obscure cases).
As ever: a clear and good description.
Thanks again, today you earned some more brownie points,
Josef
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer