CentOS7 Problems With Dnssec-keygen


I am reading:

https://www.CentOS.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html

I have bind installed and default config running. I have not applied my customizations yet. The first step I am taking is getting rndc.key created. So reading the guide I am trying to run (while logged in as root, and in /etc):

dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key

The system is just sitting there and doing nothing. I have sshed as another session and do not see any processing being done by dnssec-keygen.

Has anyone else done this? Am I doing things in the right order? If it works for others, then there is something wrong with my setup…

4 thoughts on - CentOS7 Problems With Dnssec-keygen

  • It’s working fine for me.

    I’m using the command ldns-keygen to generate keys though – e.g.

    ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}`

    and

    KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}`

    ldns-keygen is from the ldns package.

    Mine is currently all scripted and automated, has been for months – I
    started with an Ubuntu tutorial though, not CentOS documentation, and adapted it.

    I’ll have to look at the scripts I wrote more carefully when I get home
    (wonder if I should be using something other than SHA1 now too? I’ll have to research that)

  • Right now all I want working is rndc. dnssec will be worked on come spring.

    With all I do in security, it bothers me that the CentOS documentation specifies MD5. Should be at least SHA1, if not SHA256.

  • Oh okay, I apologize, I misread your post as asking about generating DNSSEC keys, due to the command name you were using.

    I have no clue about bind / rndc, I use NSD for authoritative.

    Sorry about the noise.

  • Not a problem.

    Turns out, this is on an armv7 with the new C7-arm port and there are no (or too few) processes running for there to be anything in
    /dev/random. I was told to open up an SSH session and run

    dd if=/dev/mmcblk0p3 of=/dev/null

    Once that finished, the keygen finished in my console session.
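As an added illustration of the root cause found above (not code from the thread), this is a pre-check a practitioner can run before key generation: it reads the kernel's entropy pool size and refuses to start dnssec-keygen when the pool is too low to feed /dev/random, so the generator does not silently hang as it did on the armv7 board. It assumes a Linux host with /proc mounted; the 2000-bit threshold is a constructed, conservative choice, and the command line at the end is the thread's own with the MD5 algorithm swapped for hmac-sha256 as suggested in the replies.

```shell
#!/bin/sh
# Added example: decide whether dnssec-keygen would block on /dev/random.
# Assumes Linux /proc; threshold of 2000 bits is an assumed, conservative value.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# Print the current entropy pool size in bits; print 0 if the file is
# unreadable (non-Linux host, container without /proc, ...), which is the
# safe default: treat an unknown pool as exhausted.
read_entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo 0
    fi
}

# entropy_ok AVAIL THRESHOLD -> exit status 0 if AVAIL is a number >= THRESHOLD.
entropy_ok() {
    avail=$1
    threshold=$2
    case "$avail" in
        ''|*[!0-9]*) return 1 ;;   # not a number: treat as exhausted
    esac
    [ "$avail" -ge "$threshold" ]
}

# keygen_precheck [THRESHOLD] -> exit 0 when it is reasonable to run the
# generator now, 1 when the pool is low and dnssec-keygen would sit there
# waiting on /dev/random, exactly the symptom described in the post.
keygen_precheck() {
    threshold=${1:-2000}
    avail=$(read_entropy_avail)
    if entropy_ok "$avail" "$threshold"; then
        echo "entropy_avail=$avail bits: OK to run dnssec-keygen"
        return 0
    fi
    echo "entropy_avail=$avail bits: dnssec-keygen would block on /dev/random" >&2
    echo "fix: run an entropy daemon (rngd from rng-tools, or haveged) so the" >&2
    echo "     pool stays fed; a one-off dd only helps for the current run." >&2
    return 1
}

# Usage (as root, in /etc, like the original post); hmac-sha256 is accepted by
# dnssec-keygen -n HOST in the BIND 9.9/9.11 releases CentOS 7 ships:
#   keygen_precheck && dnssec-keygen -a hmac-sha256 -b 256 -n HOST rndc.key
```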