Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Hello Evan,

Evan Hunt <e...@isc.org> writes:

> On Thu, Mar 06, 2014 at 11:34:45AM +0100, Carsten Strotmann wrote:
>> There could be a hard-link from a name like tsig-keygen to dnssec-keygen
>> which changes the type of key created to -n HOST. That would not require
>> any change to the existing interface. Just an idea. I'm not suggesting to
>> change the existing interface, as it will break existing stuff.
>
> FYI, the tsig-keygen command is now available in 9.10.0b2. (Published to
> the FTP site, should be on the web site shortly.)

Nice, thank you. I will test it.

-- 
Carsten

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
On Thu, Mar 06, 2014 at 11:34:45AM +0100, Carsten Strotmann wrote:
> There could be a hard-link from a name like tsig-keygen to dnssec-keygen
> which changes the type of key created to -n HOST. That would not require
> any change to the existing interface. Just an idea. I'm not suggesting to
> change the existing interface, as it will break existing stuff.

FYI, the tsig-keygen command is now available in 9.10.0b2. (Published to
the FTP site, should be on the web site shortly.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
> I agree that it might be nice to change dnssec-keygen to make the tool
> more user-friendly. The current state of things is because of historic
> developments in how DNSSEC came to birth.

...and lots of people dealing with dnssec-keygen's user-unfriendliness by
writing shell scripts to run it, which will break if we change its
interface now. A lot of old mistakes have gotten chiseled into stone by
that.

I've long wanted to write a replacement for the zone key functions of
dnssec-keygen (or at least a sensible wrapper), so that DNSSEC keys could
be generated according to a configured policy rather than command-line
alphabet soup.

For generating host keys, I suggest ddns-confgen rather than dnssec-keygen.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Nothing is ever set in stone that hard. Sorry they wrote scripts for it.
All apologies they decided to use Elmer's glue instead of high tensile
strength super carbon based cement. They will just have to amend those
temp scripts with some test cases, or you can write a compatibility shim
with an expiration clause with an annoying warning message.

I recall spending a LOT of time with DNSSEC figuring out all the nonsense,
but like anything else stability and friendliness has to start somewhere.
And development should not be impeded by adoption of bad practices. Fix
the root cause, not the symptom.

-- 
Jason Hellenthal
Voice: 95.30.17.6/616
JJH48-ARIN

On Mar 6, 2014, at 3:11, Evan Hunt <e...@isc.org> wrote:

> On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
>> I agree that it might be nice to change dnssec-keygen to make the tool
>> more user-friendly. The current state of things is because of historic
>> developments in how DNSSEC came to birth.
>
> ...and lots of people dealing with dnssec-keygen's user-unfriendliness by
> writing shell scripts to run it, which will break if we change its
> interface now. A lot of old mistakes have gotten chiseled into stone by
> that.
>
> I've long wanted to write a replacement for the zone key functions of
> dnssec-keygen (or at least a sensible wrapper), so that DNSSEC keys could
> be generated according to a configured policy rather than command-line
> alphabet soup.
>
> For generating host keys, I suggest ddns-confgen rather than dnssec-keygen.
>
> -- 
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Jason Hellenthal <jhellent...@dataix.net> wrote:
>
> I recall spending a LOT of time with DNSSEC figuring out all the nonsense,
> but like anything else stability and friendliness has to start somewhere.
> And development should not be impeded by adoption of bad practices. Fix
> the root cause, not the symptom.

dnssec-keygen actually has quite sane defaults, but unfortunately the man
page is not great at saying which options can be ignored because they are
cruft from the 1990s. It could do with better examples too.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
South Utsire, Forties: Southwesterly 5 to 7, perhaps gale 8 later. Moderate
or rough. Rain. Moderate or poor.
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
On 06/03/14 08:53, Tony Finch wrote:
> Jason Hellenthal <jhellent...@dataix.net> wrote:
>> I recall spending a LOT of time with DNSSEC figuring out all the nonsense,
>> but like anything else stability and friendliness has to start somewhere.
>> And development should not be impeded by adoption of bad practices. Fix
>> the root cause, not the symptom.
>
> dnssec-keygen actually has quite sane defaults, but unfortunately the man

Agreed. The first couple of times, figuring out the options takes a bit of
time, but once you've done that, dnssec-keygen is really quite
inoffensive. Frankly there are a bucketload of Unix tools whose more
esoteric behaviour I've never bothered to memorise; the key is for help
and man pages to be sane. I'm constantly doing "man find"...
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Hi Evan,

Evan Hunt <e...@isc.org> writes:

> On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
>> I agree that it might be nice to change dnssec-keygen to make the tool
>> more user-friendly. The current state of things is because of historic
>> developments in how DNSSEC came to birth.
>
> ...and lots of people dealing with dnssec-keygen's user-unfriendliness by
> writing shell scripts to run it, which will break if we change its
> interface now. A lot of old mistakes have gotten chiseled into stone by
> that.

There could be a hard-link from a name like tsig-keygen to dnssec-keygen
which changes the type of key created to -n HOST. That would not require
any change to the existing interface. Just an idea. I'm not suggesting to
change the existing interface, as it will break existing stuff.

-- 
Carsten
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
> There could be a hard-link from a name like tsig-keygen to dnssec-keygen
> which changes the type of key created to -n HOST. That would not require
> any change to the existing interface. Just an idea.

Thanks, Carsten. I had actually had the same thought after writing my post
last night, though I was thinking of making it a hard link to ddns-confgen
rather than dnssec-keygen.

(Question: is "ddns-confgen -q" an appropriate and useful format? I've
never understood why anybody would want TSIG keys in .key/.private form,
but there may be a use case for it that I've overlooked.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
RE: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
At the time of posting this question, I didn't think that this thread
would cause this much discussion. :)

Thanks to all for the nice explanation and help.

Regards,
Gaurav Kansal

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org
[mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Evan Hunt
Sent: Thursday, March 6, 2014 10:08 PM
To: Carsten Strotmann
Cc: bind-users@lists.isc.org
Subject: Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

> There could be a hard-link from a name like tsig-keygen to dnssec-keygen
> which changes the type of key created to -n HOST. That would not require
> any change to the existing interface. Just an idea.

Thanks, Carsten. I had actually had the same thought after writing my post
last night, though I was thinking of making it a hard link to ddns-confgen
rather than dnssec-keygen.

(Question: is "ddns-confgen -q" an appropriate and useful format? I've
never understood why anybody would want TSIG keys in .key/.private form,
but there may be a use case for it that I've overlooked.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Hello Evan,

Evan Hunt <e...@isc.org> writes:

>> There could be a hard-link from a name like tsig-keygen to dnssec-keygen
>> which changes the type of key created to -n HOST. That would not require
>> any change to the existing interface. Just an idea.
>
> Thanks, Carsten. I had actually had the same thought after writing my post
> last night, though I was thinking of making it a hard link to ddns-confgen
> rather than dnssec-keygen.

A link to ddns-confgen would work well.

> (Question: is "ddns-confgen -q" an appropriate and useful format? I've
> never understood why anybody would want TSIG keys in .key/.private form,
> but there may be a use case for it that I've overlooked.)

Yes, it is most useful. I do not have a use-case for the .key/.private form
(except existing scripts that expect these formats).

-- 
Carsten
RE: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Hi Tony,

Thanks for the help.

I was wondering: if HMAC* keys are not used for zones, then why is the
same displayed when we use "dnssec-keygen -h"?

Regards,
Gaurav Kansal

-----Original Message-----
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Monday, March 3, 2014 3:58 AM
To: Gaurav Kansal
Cc: bind-users@lists.isc.org
Subject: Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Gaurav Kansal <gaurav.kan...@nic.in> wrote:
>
> I have doubt in this only. What's the difference between Zone or Host ??

Zone keys are used for DNSSEC signing zones. Host keys are used for TSIG
transaction authentication, for securing zone transfers or dynamic updates.

> I also want to know which algorithm is the best one on security aspects
> for generating Keys for DNSSEC.

Your security is affected more by how you store the keys than anything
else. RSASHA256 is fine.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Faeroes: East or southeast 5 to 7. Rough or very rough. Rain. Moderate.
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
On 3/6/14, 12:40 AM, Gaurav Kansal wrote:
> I was wondering if HMAC* keys are not used for zone then why the same is
> displayed when we use dnssec-keygen -h

Because dnssec-keygen is used to generate more than just DNSSEC zone keys.

AlanC
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Gaurav Kansal <gaurav.kan...@nic.in> writes:

> I was wondering if HMAC* keys are not used for zone then why the same is
> displayed when we use dnssec-keygen -h.

The tool dnssec-keygen can be used to create both zone keys (with -n ZONE)
for DNSSEC zone signing, and host keys (with -n HOST) for TSIG signing of
the communication between hosts.

Keys of type zone are public/private key pairs
(https://en.wikipedia.org/wiki/Public-key_cryptography), whereas keys of
type host are symmetric keys
(https://en.wikipedia.org/wiki/Symmetric-key_algorithm).

To add to the confusion, dnssec-keygen generates two files when used with
-n HOST:

  shell> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ns1.example.com
  Kns1.example.com.+157+16495

  shell> ls -l Kns1.example.com.+157+16495.*
  -rw-------  1 cas  staff   124 Mar  6 08:48 Kns1.example.com.+157+16495.key
  -rw-------  1 cas  staff   229 Mar  6 08:48 Kns1.example.com.+157+16495.private

These are symmetric TSIG keys; both files contain the same secret key
(although the filename extensions might indicate a public/private key
pair)!

To create a DNSSEC zone key, use:

  shell> dnssec-keygen -a RSASHA512 -b 2048 -n ZONE example.com
  Generating key pair...+++ ..+++
  Kexample.com.+010+18335

  shell> ls -l Kexample.com.+010+18335.*
  -rw-r--r--  1 cas  staff   607 Mar  6 08:51 Kexample.com.+010+18335.key
  -rw-------  1 cas  staff  1777 Mar  6 08:51 Kexample.com.+010+18335.private

This time the file with the extension .key contains the public key (DNSKEY)
resource record, and the file with the extension .private contains the
private key.

I agree that it might be nice to change dnssec-keygen to make the tool
more user-friendly. The current state of things is because of historic
developments in how DNSSEC came to birth.

-- 
Carsten
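The two listings in Carsten's message above differ in what the .key file holds: for a -n HOST key it is a second copy of the TSIG secret, for a -n ZONE key it is the public DNSKEY record, which is why dnssec-keygen creates the first 0600 and the second 0644. The script below is an added example written for this thread; it is not code from the bind-users list or from BIND. It parses both file kinds, classifies a pair as symmetric (TSIG) or asymmetric (zone), checks that the two copies of a TSIG secret agree, and flags file modes that expose a secret, which is Tony's point that key storage matters more than the choice of algorithm. Assumptions: the .key record layout "owner IN KEY|DNSKEY flags proto alg base64", BIND's Private-key-format v1.3 field names in .private, and BIND's algorithm numbers (157 and 10 appear in the listings above; the other HMAC numbers are from BIND's private-use range). The sample file contents are constructed with placeholder key material.

```python
"""Classify and sanity-check a dnssec-keygen K*.key / K*.private pair.

Added example for this thread; not code from the bind-users list or from
BIND itself.  Assumptions: the .key file holds one "owner IN KEY|DNSKEY
flags proto alg base64" record (plus ';' comments) and the .private file
holds "Field: value" lines in BIND's Private-key-format v1.3 layout.  The
sample file contents at the bottom are constructed, with placeholder key
material.
"""
import base64

# Algorithm numbers as BIND uses them: TSIG HMACs live in the private-use
# range, DNSSEC zone algorithms are the IANA-assigned numbers.
TSIG_ALGORITHMS = {157: "HMAC-MD5", 161: "HMAC-SHA1", 162: "HMAC-SHA224",
                   163: "HMAC-SHA256", 164: "HMAC-SHA384", 165: "HMAC-SHA512"}
ZONE_ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512"}


def parse_key_file(text):
    """Return the KEY/DNSKEY record of a .key file as a dict."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dnssec-keygen writes ';'-prefixed comments into .key
        fields = line.split()
        if len(fields) < 7 or fields[2] not in ("KEY", "DNSKEY"):
            raise ValueError("unexpected record: %s" % line)
        return {"owner": fields[0], "type": fields[2],
                "flags": int(fields[3]), "protocol": int(fields[4]),
                "algorithm": int(fields[5]), "keydata": "".join(fields[6:])}
    raise ValueError("no KEY/DNSKEY record found")


def parse_private_file(text):
    """Return the 'Field: value' lines of a .private file as a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    if "Private-key-format" not in fields:
        raise ValueError("not a dnssec-keygen private key file")
    return fields


def classify(key_text, private_text):
    """Return 'tsig' for a -n HOST (symmetric) pair, 'zone' for -n ZONE."""
    rec = parse_key_file(key_text)
    priv = parse_private_file(private_text)
    alg = int(priv["Algorithm"].split()[0])   # "157 (HMAC_MD5)" -> 157
    if alg != rec["algorithm"]:
        raise ValueError("algorithm mismatch between .key and .private")
    if alg in TSIG_ALGORITHMS:
        # Symmetric: both files must carry the very same base64 secret.
        if rec["type"] != "KEY" or priv.get("Key") != rec["keydata"]:
            raise ValueError("TSIG secret differs between .key and .private")
        return "tsig"
    if alg in ZONE_ALGORITHMS:
        # Asymmetric: .key is the public DNSKEY, .private holds the RSA parts.
        if rec["type"] != "DNSKEY" or "PrivateExponent" not in priv:
            raise ValueError("incomplete zone key pair")
        return "zone"
    raise ValueError("unknown algorithm %d" % alg)


def audit_modes(kind, key_mode, private_mode):
    """Report files readable beyond the owner; modes are st_mode & 0o777.

    For a TSIG pair the .key file is as sensitive as .private, which is why
    dnssec-keygen creates it 0600 for -n HOST but 0644 for -n ZONE.
    """
    findings = []
    if private_mode & 0o077:
        findings.append(".private is readable by group/other")
    if kind == "tsig" and key_mode & 0o077:
        findings.append(".key holds the TSIG secret but is readable by group/other")
    return findings


# Constructed sample files (placeholder key material, not real keys).
TSIG_SECRET = base64.b64encode(b"constructed placeholder TSIG secret").decode()
TSIG_KEY_FILE = "ns1.example.com. IN KEY 512 3 157 %s\n" % TSIG_SECRET
TSIG_PRIVATE_FILE = ("Private-key-format: v1.3\nAlgorithm: 157 (HMAC_MD5)\n"
                     "Key: %s\nBits: AAA=\nCreated: 20140306074800\n" % TSIG_SECRET)
ZONE_KEY_FILE = ("; This is a zone-signing key, keyid 18335, for example.com.\n"
                 "example.com. IN DNSKEY 256 3 10 AwEAAc0nstructedPLACEHOLDER==\n")
ZONE_PRIVATE_FILE = ("Private-key-format: v1.3\nAlgorithm: 10 (RSASHA512)\n"
                     "Modulus: c0nstructedPLACEHOLDER==\nPublicExponent: AQAB\n"
                     "PrivateExponent: c0nstructedPLACEHOLDER==\n")

if __name__ == "__main__":
    # Modes taken from the two ls -l listings in the thread.
    for name, key, priv, kmode, pmode in (
            ("Kns1.example.com.+157+16495", TSIG_KEY_FILE, TSIG_PRIVATE_FILE, 0o600, 0o600),
            ("Kexample.com.+010+18335", ZONE_KEY_FILE, ZONE_PRIVATE_FILE, 0o644, 0o600)):
        kind = classify(key, priv)
        print(name, kind, audit_modes(kind, kmode, pmode) or "modes ok")
```

On a real host, read the two files from disk and pass `os.stat(path).st_mode & 0o777` to audit_modes; a TSIG .key that has drifted to 0644 (for instance after being copied with default umask) is the finding worth acting on, since that file is the shared secret itself.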
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Gaurav Kansal <gaurav.kan...@nic.in> wrote:
>
> I have doubt in this only. What's the difference between Zone or Host ??

Zone keys are used for DNSSEC signing zones. Host keys are used for TSIG
transaction authentication, for securing zone transfers or dynamic updates.

> I also want to know which algorithm is the best one on security aspects
> for generating Keys for DNSSEC.

Your security is affected more by how you store the keys than anything
else. RSASHA256 is fine.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Faeroes: East or southeast 5 to 7. Rough or very rough. Rain. Moderate.