
Re: Format of 'dig -k' "TSIG key file"?


Joseph S D Yao

Aug 21, 2009, 5:52:27 PM
to bind-...@lists.isc.org
After some experimenting, here is the whole answer, hinted at by one
response on this mailing list.

On Thu, Jul 30, 2009 at 05:40:54PM -0400, Joseph S D Yao wrote:
...
> In dig(1), the '-k' option is said to require a "TSIG key file" as an
> option. I have a TSIG file with a comment header and the following:
>
> key mynet. { algorithm hmac-md5; secret "Ain/tGonnaTellNoWay=="; };
...
> Running
> dig -k mynet.key axfr example.zone @other.example.zone
> gives me,
> Couldn't read key from mynet.key: label too long
...
> Removing the comment header gives me,
> Couldn't read key from mynet.key: unexpected token
>
> OK. Maybe 'dig' wants a KEY resource record file that looks like it
> came out of 'dnssec-keygen'. I changed it to:
> mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==
> and the same command line, on a perfectly readable file, says:
> Couldn't read key from mynet.key: file not found
...

It turned out that this latter file was needed, but for some
inexplicable reason perhaps having to do with library routines [I have
not gone chasing down the code], it ALSO wants the "mynet.private" file!
So I created one:
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: Ain/tGonnaTellNoWay==
The hinted-at part that I had to test to find out is that it needed me
to create BOTH files from the "named.conf" include file, even though the
key and algorithm are the same in both.

Now,
dig -k mynet.key axfr example.zone @other.example.zone
works!

Thanks for all the public and especially the private discussion of this!


--
/*********************************************************************\
**
** Joe Yao js...@tux.org - Joseph S. D. Yao
**
\*********************************************************************/

_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
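The two files Joe ends up creating by hand, derived from the named.conf key statement he started with, as an added example that is not code from the thread or from BIND. The function names are mine, the mynet.key / mynet.private naming follows the thread, only hmac-md5 (algorithm 157) is mapped because that is the algorithm the thread uses, and the secret is the thread's placeholder value:

```sh
#!/bin/sh
# Added example, not code from the thread or from BIND: derive the two files
# the thread found 'dig -k' needs (mynet.key and mynet.private) from a
# one-line named.conf "key" statement. Only hmac-md5 (algorithm 157) is
# mapped, because that is the algorithm the thread uses. Sample is constructed.

# Map a named.conf algorithm name to "<DNSSEC number> <.private label>".
tsig_alg_info() {
    case "$1" in
        hmac-md5) echo "157 HMAC_MD5" ;;
        *) return 1 ;;   # unsupported algorithm: refuse to write files
    esac
}

# Print "name algorithm secret" from a one-line key statement, or fail.
parse_key_stmt() {
    name=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*key[[:space:]]\{1,\}\([^[:space:]{]*\)[[:space:]]*{.*/\1/p')
    alg=$(printf '%s\n' "$1" | sed -n 's/.*algorithm[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*/\1/p')
    secret=$(printf '%s\n' "$1" | sed -n 's/.*secret[[:space:]]\{1,\}"\([^"]*\)"[[:space:]]*;.*/\1/p')
    [ -n "$name" ] && [ -n "$alg" ] && [ -n "$secret" ] || return 1
    printf '%s %s %s\n' "$name" "$alg" "$secret"
}

# Write <dir>/<name>.key and <dir>/<name>.private; print the .key path.
write_tsig_files() {
    parsed=$(parse_key_stmt "$1") || return 1
    name=${parsed%% *}; rest=${parsed#* }
    alg=${rest%% *};    secret=${rest#* }
    info=$(tsig_alg_info "$alg") || return 1
    num=${info%% *};    label=${info#* }
    base="$2/${name%.}"                 # "mynet." -> mynet.key / mynet.private
    # The file named with -k: a KEY RR with flags 512, protocol 3, algorithm number.
    printf '%s IN KEY 512 3 %s %s\n' "$name" "$num" "$secret" > "$base.key"
    # The companion file the DST library also opens: same key, same algorithm.
    {
        printf 'Private-key-format: v1.2\n'
        printf 'Algorithm: %s (%s)\n' "$num" "$label"
        printf 'Key: %s\n' "$secret"
    } > "$base.private"
    printf '%s\n' "$base.key"
}

# Constructed sample matching the thread's statement; the secret is a placeholder.
KEY_STMT='key mynet. { algorithm hmac-md5; secret "Ain/tGonnaTellNoWay=="; };'
OUT_DIR=$(mktemp -d)
keyfile=$(write_tsig_files "$KEY_STMT" "$OUT_DIR")
echo "dig -k $keyfile axfr example.zone @other.example.zone"
```

Both files carry the same secret, so keep them with the same restrictive permissions as the named.conf include they were derived from.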

Joseph S D Yao

Aug 22, 2009, 9:15:13 AM
to Hauke Lampe, bind-...@lists.isc.org
On Sat, Aug 22, 2009 at 02:45:19PM +0200, Hauke Lampe wrote:
> Joseph S D Yao wrote:
>
> > It turned out that this latter file was needed, but for some
> > inexplicable reason perhaps having to do with library routines [I have
> > not gone chasing down the code], it ALSO wants the "mynet.private" file!
>
> The nsupdate manpage mentions this behaviour in the "BUGS" section:
>
> | BUGS
> | The TSIG key is redundantly stored in two separate files. This
> | is a consequence of nsupdate using the DST library for its
> | cryptographic operations, and may change in future releases.
>
> Maybe the dig manpage should, too, until it changes in future releases.


Given that the "new" 'nslookup' uses common library routines, this makes
sense. And I believe someone even mentioned that, which was a big hint.
I am just not used to looking in the 'nslookup' manual entry for
information on 'dig'. ;-)


Hauke Lampe

Aug 22, 2009, 8:45:19 AM
to bind-...@lists.isc.org
Joseph S D Yao wrote:

> It turned out that this latter file was needed, but for some
> inexplicable reason perhaps having to do with library routines [I have
> not gone chasing down the code], it ALSO wants the "mynet.private" file!

The nsupdate manpage mentions this behaviour in the "BUGS" section:

| BUGS
| The TSIG key is redundantly stored in two separate files. This
| is a consequence of nsupdate using the DST library for its
| cryptographic operations, and may change in future releases.

Maybe the dig manpage should, too, until it changes in future releases.


Hauke.

Attachments: signature.asc, dig.1.patch

--- dig.1.orig 2009-08-22 13:41:49.000000000 +0200
+++ dig.1 2009-08-22 14:44:52.000000000 +0200
@@ -200,9 +200,10 @@
.PP
To sign the DNS queries sent by
\fBdig\fR
-and their responses using transaction signatures (TSIG), specify a TSIG =
key file using the
+and their responses using transaction signatures (TSIG), specify a pair =
of TSIG key files using the
\fB\-k\fR
-option. You can also specify the TSIG key itself on the command line usi=
ng the
+option, which can be generated by
+\fBdnssec\-keygen\fR. You can also specify the TSIG key itself on the co=
mmand line using the
\fB\-y\fR
option;
\fIhmac\fR
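Review bot: the new wording "specify a pair of TSIG key files using the -k option" reads as if -k took two arguments, while the option still names one file (the .key file) and the matching .private file is then read alongside it; say that directly, e.g. "specify a TSIG key file using the -k option; the companion .private file, as generated by dnssec-keygen, is read as well". The relative clause "option, which can be generated by dnssec-keygen" also attaches to "option" rather than to the key files. The trailing "=" on the long lines is a soft line break from the mail encoding, so the patch has to be decoded before it is applied or those characters end up in the manpage text.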
@@ -561,6 +562,8 @@
.SH "BUGS"
.PP
There are probably too many query options.
+.PP
+The TSIG key is redundantly stored in two separate files. This is a cons=
equence of dig using the DST library for its cryptographic operations, an=


d may change in future releases.

.SH "COPYRIGHT"
Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
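Review bot: the added BUGS paragraph is broken across several physical lines (including two blank ones) inside a single "+" line, so as shown the hunk no longer matches its "@@ -561,6 +562,8 @@" counts and will not apply until the soft breaks are rejoined. The sentence copied from nsupdate(1) also never says which second file is meant; stating that the file with the .private suffix must sit beside the .key file given to -k would spare readers the experiment described earlier in this thread.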
