Re: dnssec-key 'unknown algorithm RSASHA512'

Fri, 12 Jan 2024 17:44:53 -0800

Oh, please do not forget to generate new my-tsig after sharing your current with all of us.
Next time please use named-checkconf -px named.conf.tsigkeys to filter out secrets. 


As Anand already wrote, shared keys are not asymmetric keys generated by 
dnssec-keygen. That have been split since 9.16 into separate generators 
focused only on shared keys. Use tsig-keygen or ddns-confgen to create 
shared keys. dnssec-keygen is now only for generating keys with .private 
part, which are used in DNSSEC signing only, used in zone files. Usually 
not for anything related to ACLs, as for example dynamic updates. 
ddns-confgen is exactly for that.


Cheers, Petr

On 1/11/24 12:58, trgapp16 via bind-users wrote:

Hello,
Bind version - 9.18.12

-->This is the command I used for generating dnssec-keygen keys -

root@dhcpt: /etc/bind# dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
Kexample.com.+013+43215.key
Kexample.com.+013+43215.private

root@dhcpt:/etc/bind# cat Kexample.com.+013+43215.private
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk=
Created: 20240111045202
Publish: 20240111045202
Activate: 20240111045202

-->With help of the private key i generated one file with name 
"named.conf.tsigkeys" at
/etc/bind -

  
root@dhcpt:/etc/bind# cat named.conf.tsigkeys


key "my-tsig" {
    algorithm "ECDSAP256SHA256";
    secret "ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk=";
};

--> below is the error received when i restart named service

root@dhcpt:/etc/bind# named-checkconf
/etc/bind/named.conf.tsigkeys:2: unknown algorithm 'ECDSAP256SHA256'

Any help is greatly appreciated.

Regards,
Mounika


On Thu, 11 Jan 2024 15:49:18 +1100, Mark Andrews wrote

Firstly show what you are actually doing.  It it too much for you to actually
cut-and-paste what you are doing?

Secondly BIND 9.18 is at 9.18.22.  Version 9.18.8 is seriously out of date.


On 11 Jan 2024, at 15:21, pvs via bind-users<bind-users@lists.isc.org>  wrote:

Hello,

I'm  using ubuntu 22.04 server on which bind 9.18.8 service is running.
I'm trying to generate dnssec-key by using the command  "dnssec-keygen -a 
RSASHA512

-b 2048 -n zone example.com"

After doing this, it is generating both public key and private key.  When I 
generate

a file with aprivate key in /etc/bind directory, it is throwing error  'unknown
algorithm 'RSASHA512'

Same error is thrown when tried with other algorithms like ECDSAP256SHA256, 
RSASHA1,

RSASHA256 etc

Any help is greatly appreciated.

--
Regards,

पं. विष्णु शंकर P. Vishnu Sankar
टीम लीडर Team Leader-Network Operations
सी-डॉट C-DOT
इलैक्ट्रॉनिक्स सिटी फेज़ I Electronics City Phase I
होसूर रोड बेंगलूरु Hosur Road Bengaluru – 560100
फोन Ph 91 80 25119466
------------------------------------------------------
Disclaimer :
This email and any files transmitted with it are confidential and intended 
solely

for the use of the individual or entity to whom they are addressed.

If you are not the intended recipient you are notified that disclosing, copying,

distributing or taking any action in reliance on the contents of this 
information is
strictly prohibited.

The sender does not accept liability for any errors or omissions in the 
contents of

this message, which arise as a result.

--
Visithttps://lists.isc.org/mailman/listinfo/bind-users  to unsubscribe from this

list

ISC funds the development of this software with paid support subscriptions. 
Contact

us athttps://www.isc.org/contact/  for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET:ma...@isc.org

--
Visithttps://lists.isc.org/mailman/listinfo/bind-users  to unsubscribe from
this list

ISC funds the development of this software with paid support subscriptions.
Contact us athttps://www.isc.org/contact/  for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


### Please consider the environment and print this email only if necessary . Go 
Green
###
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Disclaimer :
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you are not the intended recipient you are notified that disclosing,
copying, distributing or taking any action in reliance on the contents of this
information is strictly prohibited. The sender does not accept liability
for any errors or omissions in the contents of this message, which arise as a
result.

--
Open WebMail Project (http://openwebmail.org)


--
Petr Menšík
Software Engineer, RHEL
Red Hat,https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to