I assume someone can answer this; but Google has not been able to be my friend on this one.
In dig(1), the '-k' option is said to require a "TSIG key file" as an option. I have a TSIG file with a comment header and the following:

    key mynet. { algorithm hmac-md5; secret "Ain/tGonnaTellNoWay=="; };

[OK, so I changed the secret! and flattened it to one line.]

Running

    dig -k mynet.key axfr example.zone @other.example.zone

gives me,

    Couldn't read key from mynet.key: label too long

///////////////////////////////////////////////////////////////////////
// Hmmm. The first line of the comment is 71 characters (like this),
// and it must not like the comment.
///////////////////////////////////////////////////////////////////////

Removing the comment header gives me,

    Couldn't read key from mynet.key: unexpected token

OK. Maybe 'dig' wants a KEY resource record file that looks like it came out of 'dnssec-keygen'. I changed it to:

    mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==

and the same command line, on a perfectly readable file, says:

    Couldn't read key from mynet.key: file not found

What does work is:

    dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zone

but I really, really find this not altogether pleasant. Plus, I'm curious to know what 'dig -k' really wants to see.

Possibly irrelevant, but the real key is 88 characters long (including '=' pads). It was sent me by the owners of the other.example.zone name server.

Thanks in advance!

--
/*********************************************************************\
**
** Joe Yao j...@tux.org - Joseph S. D. Yao
**
\*********************************************************************/
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users