I am reading:

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html

I have bind installed and default config running. I have not applied my customizations yet. The first step I am taking is getting rndc.key created. So reading the guide I am trying to run (while logged in as root, and in /etc):

dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key

The system is just sitting there and doing nothing. I have sshed in as another session and do not see any processing being done by dnssec-keygen.

Has anyone else done this? Am I doing things in the right order? If it works for others, then there is something wrong with my setup...
On 12/24/2015 12:40 PM, Robert Moskowitz wrote:
> I am reading:
>
> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html
>
> I have bind installed and default config running. I have not applied my
> customizations yet. The first step I am taking is getting rndc.key
> created. So reading the guide I am trying to run (while logged in as
> root, and in /etc):
>
> dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key
>
> The system is just sitting there and doing nothing. I have sshed as
> another session and do not see any processing being done by dnssec-keygen.
>
> Has anyone else done this? Am I doing things in the right order? If it
> works for others, then there is something wrong with my setup...

It's working fine for me.

I'm using the command ldns-keygen to generate keys though - e.g.

ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}`

and

KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}`

ldns-keygen is from the ldns package.

Mine is currently all scripted and automated, has been for months - I started with an Ubuntu tutorial though, not CentOS documentation, and adapted it.

I'll have to look at the scripts I wrote more carefully when I get home (wonder if I should be using something different than SHA1 now too? I'll have to research that)

--
-=- Sent from my laptop, may not be able to respond timely
On 12/24/2015 03:50 PM, Alice Wonder wrote:
>
> On 12/24/2015 12:40 PM, Robert Moskowitz wrote:
>> I am reading:
>>
>> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html
>>
>> I have bind installed and default config running. I have not applied my
>> customizations yet. The first step I am taking is getting rndc.key
>> created. So reading the guide I am trying to run (while logged in as
>> root, and in /etc):
>>
>> dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key
>>
>> The system is just sitting there and doing nothing. I have sshed as
>> another session and do not see any processing being done by
>> dnssec-keygen.
>>
>> Has anyone else done this? Am I doing things in the right order? If it
>> works for others, then there is something wrong with my setup...
>
> It's working fine for me.
>
> I'm using the command ldns-keygen to generate keys though - e.g.
>
> ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}`
>
> and
>
> KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}`
>
> ldns-keygen is from the ldns package.
>
> Mine is currently all scripted and automated, has been for months - I
> started with an Ubuntu tutorial though, not CentOS documentation, and
> adapted it.
>
> I'll have to look at the scripts I wrote more carefully when I get
> home (wonder if I should be using different than SHA1 now too? I'll
> have to research that)

Right now all I want working is rndc. dnssec will be worked on come spring.

With all I do in security, it bothers me that the CentOS documentation specifies MD5. Should be at least SHA1, if not SHA256.
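The thread's two practical points are that the rndc key needs to be created and that an HMAC stronger than MD5 is preferable. The script below is an added example, not code from either poster or from the BIND project: it builds an rndc/TSIG key clause with HMAC-SHA256 (supported by recent BIND 9 releases; the key's algorithm is declared in the clause itself) from /dev/urandom, checks that the decoded secret really is 32 bytes, and writes the file with a restrictive umask. It assumes a POSIX shell with coreutils (head, base64, tr, wc, mktemp). One general note on the hang in the first message: older dnssec-keygen builds read /dev/random, which blocks when the kernel entropy pool is low, so a machine that appears idle is usually waiting for entropy rather than computing. BIND also ships its own helper, rndc-confgen -a, which writes rndc.key directly.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): produce a key clause
# usable in rndc.key / named.conf with HMAC-SHA256 instead of HMAC-MD5.
# Assumes POSIX sh plus coreutils (head, base64, tr, wc, mktemp) and /dev/urandom.

# gen_rndc_secret BYTES -> prints BYTES random bytes as a single base64 line.
# 32 bytes matches the SHA-256 output size, which is the natural HMAC key length.
gen_rndc_secret() {
    bytes="${1:-32}"
    head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
}

# rndc_key_clause NAME ALGORITHM SECRET -> prints the BIND key block.
# The same clause is referenced by name in named.conf's "controls" statement.
rndc_key_clause() {
    name="$1"; alg="$2"; secret="$3"
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$alg" "$secret"
}

# secret_byte_len SECRET -> prints the decoded byte count, so a caller can
# verify the secret was not truncated or mangled on the way into the file.
secret_byte_len() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# write_rndc_key PATH NAME ALGORITHM -> writes the clause to PATH with a
# 027 umask (owner rw, group r, no world access) and prints the secret.
write_rndc_key() {
    path="$1"; name="$2"; alg="$3"
    secret="$(gen_rndc_secret 32)"
    umask 027
    rndc_key_clause "$name" "$alg" "$secret" > "$path"
    printf '%s' "$secret"
}

# Usage: write a throwaway key file and show it. In real use the path would be
# /etc/rndc.key, owned by root and the named group, and never world-readable.
demo="$(mktemp)"
write_rndc_key "$demo" rndc-key hmac-sha256 > /dev/null
cat "$demo"
rm -f "$demo"
```

After writing the file, the same key name and secret must appear in both named.conf (or an included rndc.key) and rndc.conf, or rndc will be refused; the clause's algorithm field is where hmac-md5 would be replaced.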