[CentOS] Centos7 problems with dnssec-keygen

Robert Moskowitz rgm at htt-consult.com
Thu Dec 24 20:54:59 UTC 2015



On 12/24/2015 03:50 PM, Alice Wonder wrote:
>
>
> On 12/24/2015 12:40 PM, Robert Moskowitz wrote:
>> I am reading:
>>
>> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html 
>>
>>
>> I have bind installed and default config running.  I have not applied my
>> customizations yet.  The first step I am taking is getting rndc.key
>> created.  So reading the guide I am trying to run (while logged in as
>> root, and in /etc):
>>
>> dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key
>>
>> The system is just sitting there and doing nothing.  I have sshed as
>> another session and do not see any processing being done by 
>> dnssec-keygen.
>>
>> Has anyone else done this?  Am I doing things in the right order? If it
>> works for others, then there is something wrong with my setup...
>
> It's working fine for me.
>
> I'm using the command ldns-keygen to generate keys though - e.g.
>
> ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}`
>
> and
>
> KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}`
>
> ldns-keygen is from the ldns package.
>
> Mine is currently all scripted and automated, has been for months - I 
> started with an Ubuntu tutorial though, not CentOS documentation, and 
> adapted it.
>
> I'll have to look at the scripts I wrote more carefully when I get 
> home (wonder if I should be using different than SHA1 now too? I'll 
> have to research that)

Right now all I want working is rndc.  dnssec will be worked on come spring.

With all I do in security, it bothers me that the Centos documentation 
specifies MD5.  Should be at least SHA1, if not SHA256.
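An added example, not from either poster: the rndc key stanza that `dnssec-keygen -n HOST` is used for in the guide, built with HMAC-SHA256 instead of HMAC-MD5. An HMAC key is just random bytes, so the secret is taken from /dev/urandom (which never blocks) and base64-encoded; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a BIND "key" stanza for
# rndc with a SHA-2 HMAC, refusing the hmac-md5 the CentOS 5 guide shows.
set -eu

# rndc_secret BITS -> base64-encoded secret of BITS/8 random bytes on stdout
rndc_secret() {
    bits=$1
    [ $((bits % 8)) -eq 0 ] || { echo "bits must be a multiple of 8" >&2; return 1; }
    head -c $((bits / 8)) /dev/urandom | base64 | tr -d '\n'
}

# rndc_key_stanza NAME ALGORITHM BITS -> key stanza on stdout, usable as-is
# in both /etc/named.conf and /etc/rndc.key (hypothetical helper name)
rndc_key_stanza() {
    name=$1 algo=$2 bits=$3
    case $algo in
        hmac-sha1|hmac-sha256|hmac-sha384|hmac-sha512) ;;
        hmac-md5) echo "refusing hmac-md5; use hmac-sha256 or stronger" >&2; return 1 ;;
        *) echo "unknown HMAC algorithm: $algo" >&2; return 1 ;;
    esac
    secret=$(rndc_secret "$bits") || return 1
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$algo" "$secret"
}

# secret_bytes: read a stanza on stdin, print how many bytes its secret
# decodes to (a quick sanity check that the key really is BITS/8 long)
secret_bytes() {
    sed -n 's/.*secret "\([^"]*\)".*/\1/p' | base64 -d | wc -c | tr -d ' '
}
```

To install it as root: `umask 077; rndc_key_stanza rndc-key hmac-sha256 256 > /etc/rndc.key`, then reference the same key name in the `controls` block of named.conf.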
