Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Gaurav Kansal
Mar 3, 2014, 6:22:25 AM
to bind-...@lists.isc.org

Dear Team,

I am using the RSASHA1 key generation algorithm for generating the KSK and ZSK.

Today, I tried to generate the keys using the RSASHA512 and HMAC-SHA256 algorithms.

Key generation through the RSASHA512 algorithm ran successfully, but while generating the keys through the HMAC-SHA512 algorithm, I am getting the following error:

"dnssec-keygen: fatal: a key with algorithm 'HMAC-SHA512' cannot be a zone key"

I googled it and found a previous discussion on the BIND mailing list saying that HMAC-* is used for generating keys for Host and not for Zone.

I have a doubt in this only. What's the difference between Zone and Host? Is it key generation for one client machine, or what?

I also want to know which algorithm is the best one in terms of security aspects for generating keys for DNSSEC.

Thanks and Regards,

Gaurav Kansal
Emp Code - 6274
Mob – 9910118448
Intercom – 7331

Have you enabled IPv6 on something today...?


Tony Finch
Mar 3, 2014, 6:57:32 AM
to Gaurav Kansal, bind-...@lists.isc.org
Gaurav Kansal <gaurav...@nic.in> wrote:
>
> I have doubt in this only. What's the difference between Zone or Host ??

Zone keys are used for DNSSEC signing zones.

Host keys are used for TSIG transaction authentication, for securing zone
transfers or dynamic updates.

> I also want to know which algorithm is the best one on security aspects for
> generating Keys for DNSSEC.

Your security is affected more by how you store the keys than anything
else. RSASHA256 is fine.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Faeroes: East or southeast 5 to 7. Rough or very rough. Rain. Moderate.

Gaurav Kansal
Mar 6, 2014, 12:40:22 AM
to Tony Finch, bind-...@lists.isc.org

Hi Tony,

Thanks for the help.

I was wondering, if HMAC* keys are not used for zones, then why is the same displayed when we use "dnssec-keygen -h"?


Regards,

Gaurav Kansal

Alan Clegg
Mar 5, 2014, 7:55:29 PM
to bind-...@lists.isc.org
On 3/6/14, 12:40 AM, Gaurav Kansal wrote:

> I was wondering if HMAC* keys are not used for zone then why the same is
> displayed when we use "dnssec-keygen -h"

Because dnssec-keygen is used to generate more than just DNSSEC zone keys.

AlanC


Carsten Strotmann
Mar 6, 2014, 2:55:28 AM
to Gaurav Kansal, Tony Finch, bind-...@lists.isc.org
Gaurav Kansal <gaurav...@nic.in> writes:


> I was wondering if HMAC* keys are not used for zone then why the same
> is displayed when we use "dnssec-keygen -h".

The tool "dnssec-keygen" can be used to create both "zone" keys (with
"-n ZONE") for DNSSEC zone signing, and "host" keys (with "-n HOST") for
TSIG signing of the communication between hosts.

Keys of type "zone" are public/private key pairs
(https://en.wikipedia.org/wiki/Public-key_cryptography), whereas keys of
type "host" are symmetric keys
(https://en.wikipedia.org/wiki/Symmetric-key_algorithm).

To add to the confusion, "dnssec-keygen" generates two files when used
with "-n HOST":

shell> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ns1.example.com
Kns1.example.com.+157+16495
shell> ls -l Kns1.example.com.+157+16495.*
-rw------- 1 cas staff 124 Mar 6 08:48 Kns1.example.com.+157+16495.key
-rw------- 1 cas staff 229 Mar 6 08:48 Kns1.example.com.+157+16495.private

These are symmetric TSIG keys; both files contain the same secret key
(although the filename extensions might indicate a public/private key
pair)!

To create a DNSSEC "zone" key, use:

shell> dnssec-keygen -a RSASHA512 -b 2048 -n ZONE example.com
Generating key pair...................+++ ..+++
Kexample.com.+010+18335
shell> ls -l Kexample.com.+010+18335.*
-rw-r--r-- 1 cas staff 607 Mar 6 08:51 Kexample.com.+010+18335.key
-rw------- 1 cas staff 1777 Mar 6 08:51 Kexample.com.+010+18335.private

This time the file with the extension ".key" contains the public key
(DNSKEY) resource record, and the file with the extension ".private"
contains the private key.

I agree that it might be nice to change "dnssec-keygen" to make the tool
more user-friendly. The current state of things is because of historic
developments in how DNSSEC came to birth.

-- Carsten
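The two listings above show the point in practice: a "-n HOST" key is a symmetric secret written to both files (both 0600), while a "-n ZONE" key is a public DNSKEY (0644) plus a private file. The script below is an added example, not code from the thread or from BIND: it parses constructed .key/.private contents in the layout dnssec-keygen writes (the layout and the short key material are assumptions), tells a HOST key from a ZONE key by its record type, checks that a HOST key's secret really sits in both files, recomputes the RFC 4034 key tag that appears after the second "+" in the zone key's filename, and encodes which file modes are acceptable for each kind.

```python
import base64

# Constructed sample files in the layout dnssec-keygen writes for the two key
# types (layout assumed from the tool's output; key material is made up and short).
HOST_KEY = "ns1.example.com. IN KEY 512 3 157 c2VjcmV0LXRzaWcta2V5\n"
HOST_PRIVATE = ("Private-key-format: v1.3\nAlgorithm: 157 (HMAC_MD5)\n"
                "Key: c2VjcmV0LXRzaWcta2V5\nBits: AAA=\n")
ZONE_KEY = "example.com. IN DNSKEY 256 3 10 AQOrzQ==\n"
ZONE_PRIVATE = ("Private-key-format: v1.3\nAlgorithm: 10 (RSASHA512)\n"
                "Modulus: q80=\nPublicExponent: Aw==\n")  # remaining RSA fields omitted

def parse_key_file(text):
    """Return (owner, rrtype, flags, protocol, algorithm, base64 key) from a .key file."""
    for line in text.splitlines():
        if line and not line.startswith(";"):
            owner, _cls, rrtype, flags, proto, alg, *key = line.split()
            return owner, rrtype, int(flags), int(proto), int(alg), "".join(key)
    raise ValueError("no KEY/DNSKEY record found")

def parse_private_file(text):
    """Return the 'Field: value' lines of a .private file as a dict."""
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def key_tag(flags, proto, alg, pubkey_b64):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def classify(key_text, private_text):
    """Tell a -n HOST (TSIG) key from a -n ZONE (DNSSEC) key and summarise it."""
    owner, rrtype, flags, proto, alg, pub = parse_key_file(key_text)
    priv = parse_private_file(private_text)
    if rrtype == "KEY":
        # HOST output: a symmetric key, so the ".key" file holds the secret as well
        return {"kind": "host", "algorithm": alg,
                "secret_in_both_files": priv.get("Key") == pub}
    if rrtype == "DNSKEY":
        tag = key_tag(flags, proto, alg, pub)  # the number after the second '+'
        return {"kind": "zone", "algorithm": alg, "key_tag": tag,
                "file_prefix": "K%s+%03d+%05d" % (owner, alg, tag)}
    raise ValueError("unexpected record type %s" % rrtype)

def key_file_mode_ok(kind, mode):
    """Zone .key files are public data; host .key files carry the TSIG secret
    and must not be group- or world-readable."""
    return kind == "zone" or (mode & 0o077) == 0
```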

Evan Hunt
Mar 6, 2014, 3:11:15 AM
to Carsten Strotmann, Tony Finch, bind-...@lists.isc.org
On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
> I agree that it might be nice to change "dnssec-keygen" to make the tool
> more user-friendly. The current state of things is because of historic
> developments in how DNSSEC came to birth.

...and lots of people dealing with dnssec-keygen's user-unfriendliness
by writing shell scripts to run it, which will break if we change its
interface now. A lot of old mistakes have gotten chiseled into stone
by that.

I've long wanted to write a replacement for the zone key functions
of dnssec-keygen (or at least a sensible wrapper), so that DNSSEC
keys could be generated according to a configured policy rather
than command-line alphabet soup.

For generating host keys, I suggest "ddns-confgen" rather than
"dnssec-keygen".

--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.

Tony Finch
Mar 6, 2014, 3:53:02 AM
to Jason Hellenthal, bind-...@lists.isc.org
Jason Hellenthal <jhell...@dataix.net> wrote:
>
> I recall spending a LOT of time with DNSSEC figuring out all the
> nonsense but like anything else stability and friendliness has to start
> somewhere. And development should not be impeded by adoption of bad
> practices. Fix the root cause not the symptom.

dnssec-keygen actually has quite sane defaults, but unfortunately the man
page is not great at saying which options can be ignored because they are
cruft from the 1990s. It could do with better examples too.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
South Utsire, Forties: Southwesterly 5 to 7, perhaps gale 8 later. Moderate or
rough. Rain. Moderate or poor.

Phil Mayers
Mar 6, 2014, 4:07:06 AM
to bind-...@lists.isc.org
On 06/03/14 08:53, Tony Finch wrote:
> Jason Hellenthal <jhell...@dataix.net> wrote:
>>
>> I recall spending a LOT of time with DNSSEC figuring out all the
>> nonsense but like anything else stability and friendliness has to start
>> somewhere. And development should not be impeded by adoption of bad
>> practices. Fix the root cause not the symptom.
>
> dnssec-keygen actually has quite sane defaults, but unfortunately the man

Agreed. The first couple of times, figuring out the options takes a bit of
time, but once you've done that, dnssec-keygen is really quite inoffensive.

Frankly there are a bucketload of Unix tools whose more esoteric
behaviour I've never bothered to memorise; the key is for help and man
pages to be sane. I'm constantly doing "man find"...

Carsten Strotmann
Mar 6, 2014, 5:34:45 AM
to Evan Hunt, bind-...@lists.isc.org
Hi Evan,

Evan Hunt <ea...@isc.org> writes:

> On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
>> I agree that it might be nice to change "dnssec-keygen" to make the tool
>> more user-friendly. The current state of things is because of historic
>> developments in how DNSSEC came to birth.
>
> ...and lots of people dealing with dnssec-keygen's user-unfriendliness
> by writing shell scripts to run it, which will break if we change its
> interface now. A lot of old mistakes have gotten chiseled into stone
> by that.

There could be a hard-link from a name like "tsig-keygen" to
"dnssec-keygen" which changes the type of key created to "-n HOST". That
would not require any change to the existing interface. Just an idea.

I'm not suggesting to change the existing interface, as it will break
existing stuff.

-- Carsten

Evan Hunt
Mar 6, 2014, 11:38:23 AM
to Carsten Strotmann, bind-...@lists.isc.org
> there could be a hard-link from a name like "tsig-keygen" to
> "dnssec-keygen" which changes the type of key created to "-n HOST". That
> would not require any change to the existing interface. Just an idea.

Thanks, Carsten. I had actually had the same thought after writing my post
last night, though I was thinking of making it a hard link to ddns-confgen
rather than dnssec-keygen.

(Question: is "ddns-confgen -q" an appropriate and useful format?
I've never understood why anybody would want TSIG keys in .key/.private
form, but there may be a use case for it that I've overlooked.)

Gaurav Kansal
Mar 6, 2014, 12:39:07 PM
to Evan Hunt, Carsten Strotmann, bind-...@lists.isc.org

At the time of posting this question, I didn't think that this thread would cause this much discussion. :)

Thanks to all for the nice explanation and help.

Regards,

Gaurav Kansal

Carsten Strotmann
Mar 6, 2014, 1:59:46 PM
to Evan Hunt, bind-...@lists.isc.org
Hello Evan,

Evan Hunt <ea...@isc.org> writes:

>> there could be a hard-link from a name like "tsig-keygen" to
>> "dnssec-keygen" which changes the type of key created to "-n HOST". That
>> would not require any change to the existing interface. Just an idea.
>
> Thanks, Carsten. I had actually had the same thought after writing my post
> last night, though I was thinking of making it a hard link to ddns-confgen
> rather than dnssec-keygen.

A link to "ddns-confgen" would work well.

>
> (Question: is "ddns-confgen -q" an appropriate and useful format?
> I've never understood why anybody would want TSIG keys in .key/.private
> form, but there may be a use case for it that I've overlooked.)

Yes, it is most useful. I do not have a use-case for the .key/.private
form (except existing scripts that expect these formats).

-- Carsten

Evan Hunt
Mar 19, 2014, 8:06:53 PM
to Carsten Strotmann, bind-...@lists.isc.org
On Thu, Mar 06, 2014 at 11:34:45AM +0100, Carsten Strotmann wrote:
> there could be a hard-link from a name like "tsig-keygen" to
> "dnssec-keygen" which changes the type of key created to "-n HOST". That
> would not require any change to the existing interface. Just an idea.
>
> I'm not suggesting to change the existing interface, as it will break
> existing stuff.

FYI, the "tsig-keygen" command is now available in 9.10.0b2. (Published
to the FTP site, should be on the web site shortly.)

Carsten Strotmann
Mar 21, 2014, 9:50:52 AM
to Evan Hunt, bind-...@lists.isc.org
Hello Evan,

Evan Hunt <ea...@isc.org> writes:

> On Thu, Mar 06, 2014 at 11:34:45AM +0100, Carsten Strotmann wrote:
>> there could be a hard-link from a name like "tsig-keygen" to
>> "dnssec-keygen" which changes the type of key created to "-n HOST". That
>> would not require any change to the existing interface. Just an idea.
>>
>> I'm not suggesting to change the existing interface, as it will break
>> existing stuff.
>
> FYI, the "tsig-keygen" command is now available in 9.10.0b2. (Published
> to the FTP site, should be on the web site shortly.)

Nice, thank you. I will test it.

-- Carsten