Subject:Re: dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key
Group:Bind-users
From:blrmaani
Date:11 May 2008
I checked the source code for dnssec-keygen.c (BIND 9.2.9 and BIND 9.3.x) and found out that the code now checks for the options as follows:

<extract from diff BIND 9.3.x and BIND 9.2.9 follows...>
...

308,312d299
< if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
< (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
< fatal("a key with algorithm '%s' cannot be a zone
key",
< algname);
<
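Review bot: the condition in the 308,312 hunk compares the same `alg` variable against constants from two different families, `DNS_KEYALG_DH` (KEY RR algorithm numbers) and `DST_ALG_HMACMD5` (the DST layer); picking one header for both makes the intent clearer and avoids a silent mismatch if the two namespaces ever diverge. The `fatal()` text also only states that the key "cannot be a zone key" without pointing at the remedy; appending something like "(use -n HOST for TSIG keys)" would save users the round trip this thread had to make. Finally, the reply below says HMAC-* and DH keys in general are not zone keys, yet the check names HMAC-MD5 alone, so any other HMAC algorithm the tool accepts would slip past it; a single predicate covering the whole shared-secret family would be safer than an explicit list.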

This check wasn't in the dnssec-keygen tool supplied with BIND 9.2.x. Not sure if there is a tracking BIND bug ID for this fix.

cheers
Blr
On May 9, 8:13 pm, Mark Andrews <Mark_Andr...> wrote:
> > I used to successfully generate keys when I have BIND 9.2 installed on
> > my host using the following
> > commandline
>
> > # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> > I upgraded my host to with BIND 9.3 and used the same command line
> > above to get the following
> > error:
>
> > # dnssec-keygen -a HMAC-MD5 -b 128 -n ZONE mykey-otherkey
>
> > dnssec-keygen: a key with algorithm 'HMAC-MD5' cannot be a zone key
>
> > What exactly changed?
>
> -n ZONE sets appropriate KEY/DNSKEY flags.
>
> HMAC-* and DH keys are not zone keys.
>
> > What is the alternative?
>
> -n HOST
>
> > If I use HOST instead of ZONE what impact will it have on the
> > generated keys?
>
> none.
>
> > I can't downgrade to BIND 9.2 just to make the above work. Also I
> > can't have BIND 9.2 and BIND 9.3 both
> > on my host.
>
> > All my script may require change. But please let me know the side
> > effect?
>
> > thanks
> > Blr
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andr...
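The exchange above boils down to two things: `-n` selects the owner-type bits of the KEY flags word, and 9.3.x refuses to put a shared-secret (HMAC) or DH key into the ZONE owner type, since zone keys are meant to be published in the zone. The following C model of that logic is an added example, not code from BIND or from anyone in the thread; the constant names are BIND's, the numeric values are assumed from its keyvalues.h and dst.h, and the `-n` mapping and the helper names are mine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constant names from BIND's keyvalues.h and dst.h; numeric values are
 * assumed from those headers (verify against your own source tree). */
#define DNS_KEYFLAG_OWNERMASK 0x0300  /* owner-type bits of the KEY flags word */
#define DNS_KEYOWNER_USER     0x0000
#define DNS_KEYOWNER_ZONE     0x0100  /* -n ZONE: 256 in the generated KEY record */
#define DNS_KEYOWNER_ENTITY   0x0200  /* -n HOST: 512 in the generated KEY record */
#define DNS_KEYALG_DH         2
#define DNS_KEYALG_RSASHA1    5
#define DST_ALG_HMACMD5       157

/* Map the -n argument to owner-type flag bits; -1 for an unknown type.
 * (Hypothetical helper modelling dnssec-keygen's option handling.) */
int nametype_flags(const char *nametype)
{
    if (strcasecmp(nametype, "ZONE") == 0)
        return DNS_KEYOWNER_ZONE;
    if (strcasecmp(nametype, "HOST") == 0 || strcasecmp(nametype, "ENTITY") == 0)
        return DNS_KEYOWNER_ENTITY;
    if (strcasecmp(nametype, "USER") == 0)
        return DNS_KEYOWNER_USER;
    return -1;
}

/* The 9.3.x check from the diff in this thread: a key whose owner type is
 * ZONE may not use DH or HMAC-MD5, because a TSIG secret must never be
 * published as zone key material. Any other combination is accepted. */
bool keygen_accepts(int flags, int alg)
{
    if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
        (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
        return false;
    return true;
}

int main(void)
{
    /* The two invocations discussed in the thread; output is constructed. */
    const char *types[] = { "ZONE", "HOST" };
    for (size_t i = 0; i < 2; i++) {
        int flags = nametype_flags(types[i]);
        printf("dnssec-keygen -a HMAC-MD5 -b 128 -n %s mykey-otherkey -> %s\n",
               types[i],
               keygen_accepts(flags, DST_ALG_HMACMD5)
                   ? "accepted (KEY flags word 512)"
                   : "fatal: a key with algorithm 'HMAC-MD5' cannot be a zone key");
    }
    return 0;
}
```

Only the owner-type bits differ between the two commands, which is why switching a TSIG key to `-n HOST` has no effect on how the key is used; the flags word in the key file simply reads 512 instead of 256.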
© 2004-2008 readlist.com