On Tue, Apr 19, 2016 at 02:57:42PM -0700, jaso...@mail-central.com wrote:
> Looks like tsig-keygen is also from bind
>
> rpm -q --whatprovides /usr/sbin/dnssec-keygen /usr/sbin/tsig-keygen
> bind-utils-9.10.3P4-215.1.x86_64
> bind-utils-9.10.3P4-215.1.x86_64
>
> I'll sure read up and give tsig-keygen a try.
>
> But, why's using dnssec-keygen 'bad' for TSIG ? Apart from all the
> online tutes that refer to it, from its manpage
It's not "bad", dnssec-keygen can generate TSIG keys fine, it's just that
it's cumbersome to remember all the options, and the keys are generated in
a format that isn't directly useful.

$ dnssec-keygen -a hmac-sha256 -b 256 -n host example.com
Kexample.com.+163+04122
$ cat Kexample.com.+163+04122.key
example.com. IN KEY 512 3 163 n7P55owwAgF5Ky9pts1jvGRtPoRy5tLl2RwAzRnyQvI=

To make this useful in named.conf, you have to cut and paste, thus:

key "example.com" {
	algorithm hmac-sha256;
	secret "n7P55owwAgF5Ky9pts1jvGRtPoRy5tLl2RwAzRnyQvI=";
};

...whereas that's exactly the format you'd get by simply typing
"tsig-keygen example.com".

(The name "tsig-keygen" was introduced in BIND 9.10; prior to that, the
tool was called "ddns-confgen", and it did essentially the same thing as
it does now, but with some extra comments in the output.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
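The cut-and-paste step Evan describes, as an added example that is not part of the thread or of BIND: a small Python converter that reads a dnssec-keygen K*.key file, maps BIND's private-use KEY algorithm number (163 for hmac-sha256) to the algorithm name, checks that the base64 secret is at least as long as the HMAC digest, and prints the named.conf key stanza that tsig-keygen would have printed directly. The algorithm table and the length check are the example's own additions.

```python
import base64

# Private-use algorithm numbers BIND writes into K*.key files for HMAC TSIG
# keys, with the digest length in bytes (163 = hmac-sha256 in the reply above).
HMAC_ALGORITHMS = {
    157: ("hmac-md5", 16),
    161: ("hmac-sha1", 20),
    162: ("hmac-sha224", 28),
    163: ("hmac-sha256", 32),
    164: ("hmac-sha384", 48),
    165: ("hmac-sha512", 64),
}

# Constructed sample: the contents of Kexample.com.+163+04122.key from the reply.
SAMPLE_KEYFILE = "example.com. IN KEY 512 3 163 n7P55owwAgF5Ky9pts1jvGRtPoRy5tLl2RwAzRnyQvI=\n"


def keyfile_to_named_conf(keyfile_text: str) -> str:
    """Turn a dnssec-keygen K*.key file into the named.conf 'key' stanza."""
    for line in keyfile_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():  # optional TTL after the owner
            del fields[1]
        # owner, class, type, flags, protocol, algorithm, base64 secret (may be split)
        if len(fields) < 7 or fields[2] != "KEY":
            raise ValueError(f"not a KEY record: {line!r}")
        owner, alg_number, secret = fields[0], int(fields[5]), "".join(fields[6:])
        if alg_number not in HMAC_ALGORITHMS:
            raise ValueError(f"algorithm {alg_number} is not an HMAC TSIG algorithm")
        alg_name, digest_len = HMAC_ALGORITHMS[alg_number]
        raw = base64.b64decode(secret, validate=True)
        # A secret shorter than the digest output is weaker than the algorithm
        # name suggests (e.g. -b 128 with hmac-sha256), so refuse to emit it.
        if len(raw) < digest_len:
            raise ValueError(
                f"secret is {len(raw) * 8} bits, expected at least {digest_len * 8} for {alg_name}"
            )
        key_name = owner.rstrip(".")
        return f'key "{key_name}" {{\n\talgorithm {alg_name};\n\tsecret "{secret}";\n}};\n'
    raise ValueError("no KEY record found")


if __name__ == "__main__":
    print(keyfile_to_named_conf(SAMPLE_KEYFILE), end="")
```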