Re: dnssec-key 'unknown algorithm RSASHA512'
Oh, please do not forget to generate new my-tsig after sharing your current with all of us. Next time please use named-checkconf -px named.conf.tsigkeys to filter out secrets. As Anand already wrote, shared keys are not asymmetric keys generated by dnssec-keygen. That have been split since 9.16 into separate generators focused only on shared keys. Use tsig-keygen or ddns-confgen to create shared keys. dnssec-keygen is now only for generating keys with .private part, which are used in DNSSEC signing only, used in zone files. Usually not for anything related to ACLs, as for example dynamic updates. ddns-confgen is exactly for that. Cheers, Petr On 1/11/24 12:58, trgapp16 via bind-users wrote: Hello, Bind version - 9.18.12 -->This is the command I used for generating dnssec-keygen keys - root@dhcpt: /etc/bind# dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com Kexample.com.+013+43215.key Kexample.com.+013+43215.private root@dhcpt:/etc/bind# cat Kexample.com.+013+43215.private Private-key-format: v1.3 Algorithm: 13 (ECDSAP256SHA256) PrivateKey: ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk= Created: 20240111045202 Publish: 20240111045202 Activate: 20240111045202 -->With help of the private key i generated one file with name "named.conf.tsigkeys" at /etc/bind - root@dhcpt:/etc/bind# cat named.conf.tsigkeys key "my-tsig" { algorithm "ECDSAP256SHA256"; secret "ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk="; }; --> below is the error received when i restart named service root@dhcpt:/etc/bind# named-checkconf /etc/bind/named.conf.tsigkeys:2: unknown algorithm 'ECDSAP256SHA256' Any help is greatly appreciated. Regards, Mounika On Thu, 11 Jan 2024 15:49:18 +1100, Mark Andrews wrote Firstly show what you are actually doing. It it too much for you to actually cut-and-paste what you are doing? Secondly BIND 9.18 is at 9.18.22. Version 9.18.8 is seriously out of date. On 11 Jan 2024, at 15:21, pvs via bind-users wrote: Hello, I'm using ubuntu 22.04 server on which bind 9.18.8 service is running. I'm trying to generate dnssec-key by using the command "dnssec-keygen -a RSASHA512 -b 2048 -n zone example.com" After doing this, it is generating both public key and private key. When I generate a file with aprivate key in /etc/bind directory, it is throwing error 'unknown algorithm 'RSASHA512' Same error is thrown when tried with other algorithms like ECDSAP256SHA256, RSASHA1, RSASHA256 etc Any help is greatly appreciated. -- Regards, पं. विष्णु शंकर P. Vishnu Sankar टीम लीडर Team Leader-Network Operations सी-डॉट C-DOT इलैक्ट्रॉनिक्स सिटी फेज़ I Electronics City Phase I होसूर रोड बेंगलूरु Hosur Road Bengaluru – 560100 फोन Ph 91 80 25119466 -- Disclaimer : This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. The sender does not accept liability for any errors or omissions in the contents of this message, which arise as a result. -- Visithttps://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us athttps://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET:ma...@isc.org -- Visithttps://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us athttps://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ### Please consider the environment and print this email only if necessary . Go Green ### Disclaimer : This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. The sender does not accept liability for any errors or omissions in the contents of this message, which arise as a result. -- Open WebMail Project (http://openwebmail.org) -- Petr Menšík Software Engineer, RHEL Red Hat,https://www.redhat.com/ PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development
Re: dnssec-key 'unknown algorithm RSASHA512'
On 11/01/2024 12:58, trgapp16 via bind-users wrote: Hi Mounika, [snip] -->With help of the private key i generated one file with name "named.conf.tsigkeys" at /etc/bind - root@dhcpt:/etc/bind# cat named.conf.tsigkeys key "my-tsig" { algorithm "ECDSAP256SHA256"; secret "ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk="; }; --> below is the error received when i restart named service root@dhcpt:/etc/bind# named-checkconf /etc/bind/named.conf.tsigkeys:2: unknown algorithm 'ECDSAP256SHA256' ECDSAP256SHA256 is not a valid algorithm for TSIG keys. You're better off generating TSIG keys with the "tsig-keygen" command that ships with BIND. Check out its man page for more details on the algorithms you can use. Regards, Anand -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-key 'unknown algorithm RSASHA512'
Hello, Bind version - 9.18.12 -->This is the command I used for generating dnssec-keygen keys - root@dhcpt: /etc/bind# dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com Kexample.com.+013+43215.key Kexample.com.+013+43215.private root@dhcpt:/etc/bind# cat Kexample.com.+013+43215.private Private-key-format: v1.3 Algorithm: 13 (ECDSAP256SHA256) PrivateKey: ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk= Created: 20240111045202 Publish: 20240111045202 Activate: 20240111045202 -->With help of the private key i generated one file with name "named.conf.tsigkeys" at /etc/bind - root@dhcpt:/etc/bind# cat named.conf.tsigkeys key "my-tsig" { algorithm "ECDSAP256SHA256"; secret "ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk="; }; --> below is the error received when i restart named service root@dhcpt:/etc/bind# named-checkconf /etc/bind/named.conf.tsigkeys:2: unknown algorithm 'ECDSAP256SHA256' Any help is greatly appreciated. Regards, Mounika On Thu, 11 Jan 2024 15:49:18 +1100, Mark Andrews wrote > Firstly show what you are actually doing. It it too much for you to actually > cut-and-paste what you are doing? > > Secondly BIND 9.18 is at 9.18.22. Version 9.18.8 is seriously out of date. > > > On 11 Jan 2024, at 15:21, pvs via bind-users > > wrote: > > > > Hello, > > > > I'm using ubuntu 22.04 server on which bind 9.18.8 service is running. > > I'm trying to generate dnssec-key by using the command "dnssec-keygen -a > > RSASHA512 -b 2048 -n zone example.com" > > > > After doing this, it is generating both public key and private key. When I > > generate a file with aprivate key in /etc/bind directory, it is throwing error 'unknown algorithm 'RSASHA512' > > Same error is thrown when tried with other algorithms like ECDSAP256SHA256, > > RSASHA1, RSASHA256 etc > > Any help is greatly appreciated. > > > > -- > > Regards, > > > > पं. विष्णु शंकर P. Vishnu Sankar > > टीम लीडर Team Leader-Network Operations > > सी-डॉट C-DOT > > इलैक्ट्रॉनिक्स सिटी फेज़ I Electronics City Phase I > > होसूर रोड बेंगलूरु Hosur Road Bengaluru – 560100 > > फोन Ph 91 80 25119466 > > -- > > Disclaimer : > > This email and any files transmitted with it are confidential and intended > > solely for the use of the individual or entity to whom they are addressed. > > If you are not the intended recipient you are notified that disclosing, > > copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. > > The sender does not accept liability for any errors or omissions in the > > contents of this message, which arise as a result. > > -- > > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > > this list > > > > ISC funds the development of this software with paid support subscriptions. > > Contact us at https://www.isc.org/contact/ for more information. > > > > > > bind-users mailing list > > bind-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/bind-users > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users ### Please consider the environment and print this email only if necessary . Go Green ### Disclaimer : This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. The sender does not accept liability for any errors or omissions in the contents of this message, which arise as a result. -- Open WebMail Project (http://openwebmail.org) -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-key 'unknown algorithm RSASHA512'
Firstly show what you are actually doing. It it too much for you to actually cut-and-paste what you are doing? Secondly BIND 9.18 is at 9.18.22. Version 9.18.8 is seriously out of date. > On 11 Jan 2024, at 15:21, pvs via bind-users wrote: > > Hello, > > I'm using ubuntu 22.04 server on which bind 9.18.8 service is running. > I'm trying to generate dnssec-key by using the command "dnssec-keygen -a > RSASHA512 -b 2048 -n zone example.com" > > After doing this, it is generating both public key and private key. When I > generate a file with aprivate key in /etc/bind directory, it is throwing > error 'unknown algorithm 'RSASHA512' > Same error is thrown when tried with other algorithms like ECDSAP256SHA256, > RSASHA1, RSASHA256 etc > Any help is greatly appreciated. > > -- > Regards, > > पं. विष्णु शंकर P. Vishnu Sankar > टीम लीडर Team Leader-Network Operations > सी-डॉट C-DOT > इलैक्ट्रॉनिक्स सिटी फेज़ I Electronics City Phase I > होसूर रोड बेंगलूरु Hosur Road Bengaluru – 560100 > फोन Ph 91 80 25119466 > -- > Disclaimer : > This email and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to whom they are addressed. > If you are not the intended recipient you are notified that disclosing, > copying, distributing or taking any action in reliance on the contents of > this information is strictly prohibited. > The sender does not accept liability for any errors or omissions in the > contents of this message, which arise as a result. > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
dnssec-key 'unknown algorithm RSASHA512'
Hello, I'm using ubuntu 22.04 server on which bind 9.18.8 service is running. I'm trying to generate dnssec-key by using the command "dnssec-keygen -a RSASHA512 -b 2048 -n zone example.com" After doing this, it is generating both public key and private key. When I generate a file with aprivate key in /etc/bind directory, it is throwing error 'unknown algorithm 'RSASHA512' Same error is thrown when tried with other algorithms like ECDSAP256SHA256, RSASHA1, RSASHA256 etc Any help is greatly appreciated. -- Regards, पं. विष्णु शंकर P. Vishnu Sankar टीम लीडरTeam Leader-Network Operations सी-डॉट C-DOT इलैक्ट्रॉनिक्स सिटी फेज़ IElectronics City Phase I होसूर रोड बेंगलूरु Hosur Road Bengaluru – 560100 फोन Ph91 80 25119466 -- Disclaimer : This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. The sender does not accept liability for any errors or omissions in the contents of this message, which arise as a result. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users