Bind9

How to generate a TSIG key for the certbot plugin "certbot-dns-rfc2136"

  • June 7, 2019

I am configuring BIND9 to obtain a wildcard certificate from Let's Encrypt. When I try to generate a TSIG key following the instructions there, I get the following error:

# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST keyname.
dnssec-keygen: fatal: unknown algorithm HMAC-SHA512

I then read the help and documentation for dnssec-keygen, and there really is no algorithm called HMAC-SHA512:

# dnssec-keygen -h
Usage:
   dnssec-keygen [options] name

Version: 9.14.2
   name: owner of the key
Options:
   -K <directory>: write keys into directory
   -a <algorithm>:
       RSASHA1 | NSEC3RSASHA1 |
       RSASHA256 | RSASHA512 |
       ECDSAP256SHA256 | ECDSAP384SHA384 |
       ED25519 | ED448 | DH
   -3: use NSEC3-capable algorithm
   -b <key size in bits>:
       RSASHA1:        [1024..4096]
       NSEC3RSASHA1:   [1024..4096]
       RSASHA256:      [1024..4096]
       RSASHA512:      [1024..4096]
       DH:             [128..4096]
       ECDSAP256SHA256:        ignored
       ECDSAP384SHA384:        ignored
       ED25519:        ignored
       ED448:  ignored
       (key size defaults are set according to
       algorithm and usage (ZSK or KSK)
   -n <nametype>: ZONE | HOST | ENTITY | USER | OTHER
       (DNSKEY generation defaults to ZONE)
   -c <class>: (default: IN)
   -d <digest bits> (0 => max, default)
   -E <engine>:
       name of an OpenSSL engine to use
   -f <keyflag>: KSK | REVOKE
   -g <generator>: use specified generator (DH only)
   -L <ttl>: default key TTL
   -p <protocol>: (default: 3 [dnssec])
   -s <strength>: strength value this key signs DNS records with (default: 0)
   -T <rrtype>: DNSKEY | KEY (default: DNSKEY; use KEY for SIG(0))
   -t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
   -h: print usage and exit
   -m <memory debugging mode>:
      usage | trace | record | size | mctx
   -v <level>: set verbosity level (0 - 10)
   -V: print version information
Timing options:
   -P date/[+-]offset/none: set key publication date (default: now)
   -P sync date/[+-]offset/none: set CDS and CDNSKEY publication date
   -A date/[+-]offset/none: set key activation date (default: now)
   -R date/[+-]offset/none: set key revocation date
   -I date/[+-]offset/none: set key inactivation date
   -D date/[+-]offset/none: set key deletion date
   -D sync date/[+-]offset/none: set CDS and CDNSKEY deletion date
   -G: generate key only; do not set -P or -A
   -C: generate a backward-compatible key, omitting all dates
   -S <key>: generate a successor to an existing key
   -i <interval>: prepublication interval for successor key (default: 30 days)
Output:
    K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private

I dug into another question, "Cannot generate a key via dnssec-keygen", but my problem remains unsolved.

What should I do?

After some searching, I found that the documentation of the certbot-dns-rfc2136 plugin is out of date!

In BIND9's official git repository I found the following commit message:

    [func] dnssec-keygen is deprecated for generating HMAC keys; use tsig-keygen instead. When used for this purpose, dnssec-keygen will print a warning. In a future release, all HMAC algorithms will be removed from dnssec-keygen. [RT #42272]

So the final solution is:

tsig-keygen -a hmac-sha512 tsig-key > /etc/bind/tsig.key
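The following script is an added example, not part of the original post and not code from BIND or certbot. It reproduces what `tsig-keygen -a hmac-sha512 tsig-key` does (a random secret of the algorithm's native size, base64-encoded inside a BIND `key` statement) and goes one step further than the answer: it also writes the matching certbot-dns-rfc2136 credentials file and an `update-policy` fragment that lets the key touch only the `_acme-challenge` TXT record, so a leaked key cannot rewrite the rest of the zone. The key name `tsig-key`, the zone `example.com`, the server `192.0.2.1` and the output directory are constructed placeholders; the per-algorithm secret sizes are assumed to match tsig-keygen's defaults.

```shell
#!/bin/sh
# Added example (not from the original post, BIND or certbot). Generates a TSIG
# secret the way tsig-keygen does, writes the BIND key statement, a
# least-privilege update-policy and a certbot-dns-rfc2136 credentials file.
# Placeholders (assumed): key name "tsig-key", zone "example.com", server
# 192.0.2.1, and a temporary output directory.

set -eu

# Secret size in bytes per HMAC algorithm (the HMAC output size; assumed to be
# what tsig-keygen uses by default). Anything else is rejected.
tsig_secret_bytes() {
    case "$1" in
        hmac-sha256) echo 32 ;;
        hmac-sha384) echo 48 ;;
        hmac-sha512) echo 64 ;;
        *) echo "unsupported TSIG algorithm: $1" >&2; return 1 ;;
    esac
}

# Draw the secret from the kernel CSPRNG and base64-encode it on a single line.
tsig_secret() {
    n=$(tsig_secret_bytes "$1") || return 1
    head -c "$n" /dev/urandom | base64 | tr -d '\n'
}

# The `key` statement named.conf expects; same shape as tsig-keygen's output.
tsig_key_statement() {
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# Grant the key only what certbot needs: the ACME challenge TXT record.
# (`grant <key> name <fqdn> txt` is BIND update-policy syntax.)
acme_update_policy() {
    printf 'update-policy {\n\tgrant %s name _acme-challenge.%s. txt;\n};\n' "$1" "$2"
}

# certbot-dns-rfc2136 credentials file; the plugin spells the algorithm upper-case.
certbot_rfc2136_ini() {
    upper=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    printf 'dns_rfc2136_server = %s\ndns_rfc2136_port = 53\ndns_rfc2136_name = %s\ndns_rfc2136_secret = %s\ndns_rfc2136_algorithm = %s\n' \
        "$1" "$2" "$4" "$upper"
}

# Sanity check: the secret must decode to exactly the byte count the algorithm expects.
tsig_secret_ok() {
    want=$(tsig_secret_bytes "$1") || return 1
    got=$(printf '%s' "$2" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$got" -eq "$want" ]
}

# Write all three files owner-readable only; a TSIG secret is a credential.
write_tsig_files() {
    dir=$1 name=$2 algo=$3 server=$4 zone=$5
    secret=$(tsig_secret "$algo")
    tsig_secret_ok "$algo" "$secret" || return 1
    ( umask 077
      tsig_key_statement "$name" "$algo" "$secret" > "$dir/tsig.key"
      acme_update_policy "$name" "$zone" > "$dir/update-policy.conf"
      certbot_rfc2136_ini "$server" "$name" "$algo" "$secret" > "$dir/rfc2136.ini" )
}

# Demo run into a throwaway directory using the constructed placeholder values.
demo_dir=$(mktemp -d)
write_tsig_files "$demo_dir" tsig-key hmac-sha512 192.0.2.1 example.com
cat "$demo_dir/tsig.key" "$demo_dir/update-policy.conf"
```

In production, `tsig.key` is included from `named.conf` and the `update-policy` block goes inside the zone statement; `rfc2136.ini` is passed to certbot with `--dns-rfc2136-credentials`. Keeping the grant limited to the `_acme-challenge` name is the defensive point: the default examples often use `zonesub ANY`, which lets the certbot host modify every record in the zone.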

Quoted from: https://unix.stackexchange.com/questions/523565