Hi Georg,

Knot utilities version 2.x no longer support the dnssec-keygen file format. You have to
store the key in a file in the same form as the program argument:
hmac-sha256:example.com:pS6KKh16VWC07Am4qRUK2g4zUvQ9nM0wb3aqHLhVq3w=

Btw, you can generate TSIG keys via keymgr:
$ keymgr tsig generate example.com

Regards,
Daniel

On 07/07/2016 03:19 PM, georg@riseup.net wrote:
tl;dr: I've searched the Internets a lot these past days, but wasn't
able to find a way to make kdig and knsupdate work with keys. How is
this handled?

Hello knot people,

I've got a problem with kdig and knsupdate, specifically using the -k
parameter.

I'm using:
- Debian 8.5
- dnssec-tools 2.2-2 (out of stretch)
- knot-dnsutils 2.2.0-2~bpo80+1 (out of j-bp)
- dnsutils 1:9.9.5.dfsg-9+deb8u6 (out of jessie)

I'm creating the key with:
# dnssec-keygen -a HMAC-MD5 -b 256 -n HOST -C host.example.com

which gives:
# cat Khost.example.com.+157+11483.*
host.example.com. IN KEY 512 3 157 42eRdcSUtT2opnOPVaGY9nEPsryde7snDaKLOPSjI9I=
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 42eRdcSUtT2opnOPVaGY9nEPsryde7snDaKLOPSjI9I=
Bits: AAA=

Doing then:
# knsupdate -d -k Khost.example.com.+157+11483.

which gives:
;; ERROR: failed to parse keyfile 'Khost.example.com.+157+11483.'
;; DEBUG: srv_info_free: null parameter

I've found [1], and indeed, I'm running into the mentioned error if
using knot-dnsutils 1.6.0-1 out of jessie. Besides this, I wasn't able
to find anything useful.

But, doing this:
# knsupdate -y hmac-md5:host.example.com:42eRdcSUtT2opnOPVaGY9nEPsryde7snDaKLOPSjI9I=

works, the same as nsupdate does:
# nsupdate -k Khost.example.com.+157+11483.

Could someone shed some light on what I'm doing wrong?
Any help appreciated...

Thanks in advance and for your work on knot!
All the best,
Georg


[1] https://lists.nic.cz/pipermail/knot-dns-users/2015-February/000579.html
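
An added example, not from the original thread or the Knot DNS project: a POSIX shell helper that converts an existing dnssec-keygen `.private` file into the one-line `algorithm:name:secret` key file described in the reply above. The function names are hypothetical, and the number-to-name mapping assumes BIND's private-file algorithm numbers for HMAC keys (157 and 161 to 165).

```shell
#!/bin/sh
# Added example (not Knot project code): convert a dnssec-keygen TSIG
# ".private" file into the one-line "algorithm:name:secret" key file.

# BIND private-file algorithm numbers for HMAC keys -> TSIG algorithm names.
tsig_alg_name() {
    case "$1" in
        157) echo hmac-md5 ;;
        161) echo hmac-sha1 ;;
        162) echo hmac-sha224 ;;
        163) echo hmac-sha256 ;;
        164) echo hmac-sha384 ;;
        165) echo hmac-sha512 ;;
        *) return 1 ;;
    esac
}

# keygen_to_knot K<name>.+<alg>+<id>.private  -> prints alg:name:secret
keygen_to_knot() {
    priv=$1
    base=$(basename "$priv" .private)
    case "$base" in
        K*.+[0-9]*+[0-9]*) ;;
        *) echo "unexpected key file name: $priv" >&2; return 1 ;;
    esac
    name=${base#K}          # drop leading "K"
    name=${name%%.+*}       # drop ".+<alg>+<id>", leaving the key name
    alg_num=$(awk '$1 == "Algorithm:" { print $2; exit }' "$priv") || return 1
    secret=$(awk '$1 == "Key:" { print $2; exit }' "$priv") || return 1
    if ! alg=$(tsig_alg_name "$alg_num"); then
        echo "algorithm '$alg_num' is not an HMAC TSIG algorithm" >&2
        return 1
    fi
    [ -n "$secret" ] || { echo "no Key: line in $priv" >&2; return 1; }
    printf '%s:%s:%s\n' "$alg" "$name" "$secret"
}

# write_knot_keyfile SRC DST: same conversion, written owner-only (0600),
# so the secret can go to -k instead of onto the command line with -y.
write_knot_keyfile() (
    umask 077
    line=$(keygen_to_knot "$1") || exit 1
    printf '%s\n' "$line" > "$2"
)

# Stand-alone use: ./convert.sh Khost.example.com.+157+11483.private host.key
if [ "$#" -eq 2 ]; then
    write_knot_keyfile "$1" "$2"
fi
```

The resulting file is what `knsupdate -k` and `kdig -k` expect in version 2.x, and passing it with `-k` keeps the secret out of the process list and shell history, unlike `-y`.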

