Description of problem:
The dnssec-keygen key generation utility refuses to generate keys using many of the supported (according to the man page) algorithms.

Version-Release number of selected component (if applicable):
[root@executor ~]# rpm -qa | grep bind
bind-utils-9.3.4-3.fc6
system-config-bind-4.0.1-2.fc6
bind-libs-9.3.4-3.fc6
bind-9.3.4-3.fc6
ypbind-1.19-6.fc6

How reproducible:
always

Steps to Reproduce:
1. Run the command line as root:
[root@executor ~]# dnssec-keygen -a RSASHA1 -b 512 -n HOST executor.mylan.lan
2. Observe the error message: "dnssec-keygen: invalid DNSKEY nametype HOST"
3. Run the command line as root:
[root@executor ~]# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST executor.mylan.lan
4. Observe successful key generation

Actual results:
With RSASHA1, DSA, and presumably more (these were the only two I tested before I hit success with HMAC-MD5), the command throws an error.

Expected results:
I expected a key to be generated using the specified algorithm.

Additional info:
I found this bug showing up elsewhere: http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=332988

Of course "dnssec-keygen -a RSASHA1 -b 512 -n HOST executor.mylan.lan" fails, because that name type isn't allowed for DNSKEY. Please see the dnssec-keygen manpage (especially the -n option for the allowed keytype/nametype pairs, and the -k option, which generates KEY instead of DNSKEY).

"dnssec-keygen -a RSASHA1 -b 512 -n HOST -k executor.mylan.lan" works perfectly.

Regards,
Adam