In message <20090730174054.h23...@gwyn.tux.org>, Joseph S D Yao writes:
> I assume someone can answer this; but Google has not been able to be my
> friend on this one.
>
> In dig(1), the '-k' option is said to require a "TSIG key file" as an
> option.  I have a TSIG file with a comment header and the following:
>
> key mynet. { algorithm hmac-md5; secret "Ain/tGonnaTellNoWay=="; };
>
> [OK, so I changed the secret! and flattened it to one line.]
>
> Running
>     dig -k mynet.key axfr example.zone @other.example.zone
> gives me,
>     Couldn't read key from mynet.key: label too long
> ///////////////////////////////////////////////////////////////////////
> // Hmmm.  The first line of the comment is 71 characters (like this),
> // and it must not like the comment.
> ///////////////////////////////////////////////////////////////////////
>
> Removing the comment header gives me,
>     Couldn't read key from mynet.key: unexpected token
>
> OK.  Maybe 'dig' wants a KEY resource record file that looks like it
> came out of 'dnssec-keygen'.  I changed it to:
>     mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==
> and the same command line, on a perfectly readable file, says:
>     Couldn't read key from mynet.key: file not found
>
> What does work is:
>     dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zone
> but I really, really find this not altogether pleasant.
>
> Plus, I'm curious to know what 'dig -k' really wants to see.
A keyfile as generated by "dnssec-keygen -a HMAC-*".  HMAC-MD5, HMAC-SHA1,
HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512.

e.g.

% /usr/local/sbin/dnssec-keygen -a HMAC-SHA512 -n host -b 512 foo
Kfoo.+165+63966
% /usr/local/bin/nsupdate -k Kfoo.+165+63966
> quit
% more Kfoo.+165+63966.private
Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: 7f+EK0fXRFuOb71yYWuTSxo8CFyTuDiv09MAxaJ1kz4RPgJpb1sOmoj1DVgld3YO9N6zTGirqMKjnw45M8JZUQ==
Bits: AAA=
Created: 20090731052825
% more Kfoo.+165+63966.key
foo. IN KEY 512 3 165 7f+EK0fXRFuOb71yYWuTSxo8CFyTuDiv09MAxaJ1kz4RPgJpb1sOmoj1
DVgld3YO9N6zTGirqMKjnw45M8JZUQ==
%

> Possibly irrelevant, but the real key is 88 characters long (including
> '=' pads).  It was sent me by the owners of the other.example.zone name
> server.
> C-SHA512
>
> Thanks in advance!
>
> --
> /*********************************************************************\
> **
> **  Joe Yao                j...@tux.org - Joseph S. D. Yao
> **
> \*********************************************************************/
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
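Added example (not from the thread, not part of BIND): a small Python script that reads the two files dnssec-keygen writes for an HMAC key, in the layout shown in Mark's listing above, checks that the secret is well-formed base64 and reports its size, and builds the equivalent `dig -y` argument and the named.conf `key` statement from it. The sample key embedded below is constructed (64 counting bytes), not a real secret; the algorithm-number table is BIND's numbering for HMAC keys as printed in the "Algorithm:" line. A 512-bit secret base64-encodes to exactly 88 characters, which is the length Joe reports for the key he was sent.

```python
"""Read dnssec-keygen HMAC (TSIG) key files and derive dig -y / named.conf forms.

Added example for the bind-users thread above; not BIND's own code.
"""
import base64

# BIND's algorithm numbers for HMAC keys, as they appear in the "Algorithm:"
# line of the .private file and as the algorithm field of the KEY record.
HMAC_ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}


def secret_bits(secret_b64):
    """Decode the base64 secret strictly and return its length in bits.

    Raises ValueError (binascii.Error) on characters outside the base64
    alphabet or bad padding, so a mangled key is caught before it is used.
    """
    raw = base64.b64decode(secret_b64, validate=True)
    return len(raw) * 8


def parse_private_file(text):
    """Parse a 'Private-key-format: v1.x' HMAC file into (algorithm, secret)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        fields[name.strip()] = value.strip()
    if not fields.get("Private-key-format", "").startswith("v1."):
        raise ValueError("not a dnssec-keygen private key file")
    alg_num = int(fields["Algorithm"].split()[0])  # "165 (HMAC_SHA512)" -> 165
    if alg_num not in HMAC_ALGORITHMS:
        raise ValueError("algorithm %d is not an HMAC algorithm" % alg_num)
    secret = fields["Key"]
    secret_bits(secret)  # validate the base64 before handing it on
    return HMAC_ALGORITHMS[alg_num], secret


def parse_key_file(text):
    """Parse 'name IN KEY flags proto alg base64...' into (name, algorithm, secret).

    The base64 may be wrapped over several lines (as in the listing above),
    so every token after the algorithm number is joined back together.
    """
    tokens = text.split()
    rrtype = tokens.index("KEY")
    name = tokens[0]
    flags, proto, alg_num = (int(t) for t in tokens[rrtype + 1:rrtype + 4])
    if proto != 3:
        raise ValueError("unexpected KEY protocol %d" % proto)
    if alg_num not in HMAC_ALGORITHMS:
        raise ValueError("algorithm %d is not an HMAC algorithm" % alg_num)
    secret = "".join(t for t in tokens[rrtype + 4:] if t not in "()")
    secret_bits(secret)
    return name, HMAC_ALGORITHMS[alg_num], secret


def dig_y_argument(name, algorithm, secret):
    """Value for 'dig -y [hmac:]name:secret'; dig assumes hmac-md5 if the prefix is omitted."""
    return "%s:%s:%s" % (algorithm, name, secret)


def named_conf_key(name, algorithm, secret):
    """Render the key as the named.conf 'key' statement Joe's original file used."""
    return 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (name, algorithm, secret)


# Constructed sample: 64 counting bytes (512 bits), base64 encoded. Not a real key.
SAMPLE_SECRET = base64.b64encode(bytes(range(64))).decode()

# Constructed in the layout dnssec-keygen -a HMAC-SHA512 -n host -b 512 foo produces.
SAMPLE_PRIVATE = """Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: %s
Bits: AAA=
Created: 20090731052825
""" % SAMPLE_SECRET

# Constructed .key record, wrapped after 56 base64 characters like the listing above.
SAMPLE_KEY = "foo. IN KEY 512 3 165 %s\n%s\n" % (SAMPLE_SECRET[:56], SAMPLE_SECRET[56:])


def main():
    alg, secret = parse_private_file(SAMPLE_PRIVATE)
    name, alg2, secret2 = parse_key_file(SAMPLE_KEY)
    if (alg, secret) != (alg2, secret2):
        raise SystemExit("the .private and .key files disagree")
    print("%d-bit %s key for %s" % (secret_bits(secret), alg, name))
    print("dig -k wants the K*.+alg+id file pair; the equivalent -y value is:")
    print("  -y " + dig_y_argument(name, alg, secret))
    print(named_conf_key(name, alg, secret))


if __name__ == "__main__":
    main()
```

Point it at a real pair by replacing SAMPLE_PRIVATE and SAMPLE_KEY with the contents of Kname.+alg+id.private and .key; the two files must agree on algorithm and secret, and a secret that fails the strict base64 check is the first thing to suspect when dig or nsupdate rejects a key.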