Gaurav Kansal <gaurav.kan...@nic.in> writes:

> I was wondering if HMAC* keys are not used for zone then why the same
> is displayed when we use "dnssec-keygen -h".

The tool "dnssec-keygen" can be used to create both "zone" keys (with "-n ZONE") for DNSSEC zone signing, and "host" keys (with "-n HOST") for TSIG signing of the communication between hosts.

Keys of type "zone" are public/private key pairs (https://en.wikipedia.org/wiki/Public-key_cryptography), whereas keys of type "host" are symmetric keys (https://en.wikipedia.org/wiki/Symmetric-key_algorithm).

To add to the confusion, "dnssec-keygen" generates two files when used with "-n HOST":

shell> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ns1.example.com
Kns1.example.com.+157+16495
shell> ls -l Kns1.example.com.+157+16495.*
-rw------- 1 cas staff 124 Mar 6 08:48 Kns1.example.com.+157+16495.key
-rw------- 1 cas staff 229 Mar 6 08:48 Kns1.example.com.+157+16495.private

These are symmetric TSIG keys, both files contain the same secret key (although the filename extensions might indicate a public-private key pair)!

To create a DNSSEC "zone" key, use:

shell> dnssec-keygen -a RSASHA512 -b 2048 -n ZONE example.com
Generating key pair...................+++ ..+++
Kexample.com.+010+18335
shell> ls -l Kexample.com.+010+18335.*
-rw-r--r-- 1 cas staff 607 Mar 6 08:51 Kexample.com.+010+18335.key
-rw------- 1 cas staff 1777 Mar 6 08:51 Kexample.com.+010+18335.private

This time the file with the extension ".key" contains the public key (DNSKEY) resource record, and the file with the extension ".private" contains the private key.

I agree that it might be nice to change "dnssec-keygen" to make the tool more user-friendly. The current state of things is because of historic developments in how DNSSEC came to birth.

-- 
Carsten
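As an added example (not part of Carsten's reply or of BIND itself), the script below reads the two files a "-n HOST" run produces, confirms from the algorithm number that this is a symmetric TSIG key rather than a zone key, checks that ".key" and ".private" really carry the same secret, and emits the named.conf "key" statement one would paste into a server's configuration. The file contents and the secret are constructed to match the layout dnssec-keygen writes; the helper names are mine.

```python
import base64

# Constructed sample contents in the layout dnssec-keygen writes for a
# "-n HOST" key (the secret below is made up, not from the post).
HOST_KEY_FILE = "ns1.example.com. IN KEY 512 3 157 c2VjcmV0c2VjcmV0c2VjcmV0\n"
HOST_PRIVATE_FILE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 157 (HMAC_MD5)\n"
    "Key: c2VjcmV0c2VjcmV0c2VjcmV0\n"
    "Bits: AAA=\n"
)

# Algorithm numbers seen in the post's filenames: 157 (HMAC-MD5) is a
# symmetric TSIG algorithm, 10 (RSASHA512) is a DNSSEC zone-signing one.
TSIG_ALGORITHMS = {157: "hmac-md5"}
ZONE_ALGORITHMS = {10: "RSASHA512"}

def parse_key_file(text):
    """Return (owner, algorithm number, base64 key) from a K*.key record."""
    owner, _cls, _rrtype, _flags, _proto, alg, key = text.split()[:7]
    return owner, int(alg), key

def parse_private_file(text):
    """Return (algorithm number, base64 key) from a K*.private file."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    alg = int(fields["Algorithm"].split()[0])   # "157 (HMAC_MD5)" -> 157
    return alg, fields["Key"].strip()

def key_kind(alg):
    """Classify an algorithm number as a TSIG host key or a DNSSEC zone key."""
    if alg in TSIG_ALGORITHMS:
        return "host"
    if alg in ZONE_ALGORITHMS:
        return "zone"
    return "unknown"

def tsig_key_clause(key_text, private_text):
    """Build a named.conf key statement after checking both files agree."""
    owner, alg, pub = parse_key_file(key_text)
    priv_alg, priv = parse_private_file(private_text)
    if alg != priv_alg or key_kind(alg) != "host":
        raise ValueError("not a TSIG (host) key pair: algorithm %d" % alg)
    # Compare decoded bytes so padding or whitespace differences do not matter.
    if base64.b64decode(pub) != base64.b64decode(priv):
        raise ValueError("secret differs between .key and .private")
    name = owner.rstrip(".")
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};' % (
        name, TSIG_ALGORITHMS[alg], priv)

if __name__ == "__main__":
    print(tsig_key_clause(HOST_KEY_FILE, HOST_PRIVATE_FILE))
```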