nidhin

Reputation: 389

dnssec-dsfromkey showing unknown algorithm error

The dsfromkey command generates a DS record with the following digest types: DSA/SHA1, RSA/SHA-1, DSA-NSEC3-SHA1, RSA/SHA-512, GOST R 34.10-2001, etc.

I am using the following command

dnssec-dsfromkey -a keyfile

eg:

dnssec-dsfromkey -a GOST keyfile

But it's showing

dnssec-dsfromkey: fatal: unknown algorithm GOST

And I am using BIND version 9.9.4-RedHat-9.9.4-61.el7_5.1.

Any help will be appreciated.

Upvotes: 1

Views: 382

Answers (1)

Patrick Mevzek

Reputation: 12595

The documentation seems misleading.

Looking at the bind9 source code in its git repository, you can see that the -a option of dnssec-dsfromkey is handled by the function strtodsdigest, which is short enough to be reproduced below. As you can see, there is no trace of GOST in it, so no GOST for you (or anyone else with these sources)!

unsigned int
strtodsdigest(const char *algname) {
        if (strcasecmp(algname, "SHA1") == 0 ||
            strcasecmp(algname, "SHA-1") == 0)
        {
                return (DNS_DSDIGEST_SHA1);
        } else if (strcasecmp(algname, "SHA256") == 0 ||
                   strcasecmp(algname, "SHA-256") == 0)
        {
                return (DNS_DSDIGEST_SHA256);
        } else if (strcasecmp(algname, "SHA384") == 0 ||
                   strcasecmp(algname, "SHA-384") == 0)
        {
                return (DNS_DSDIGEST_SHA384);
        } else {
                fatal("unknown algorithm %s", algname);
        }
}

Now studying the change https://gitlab.isc.org/isc-projects/bind9/commit/27593e65dc4f1565bb45d91eb561a504da627c41 released 3 months ago where GOST is completely removed you can see, specifically at https://gitlab.isc.org/isc-projects/bind9/commit/27593e65dc4f1565bb45d91eb561a504da627c41#18b3c86fc6dac451f69355fe2f743d98b043255a that the above piece of code had previously:

#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
        } else if (strcasecmp(algname, "GOST") == 0) {
                return (DNS_DSDIGEST_GOST);
#endif

Which means that GOST support in the bind you had was dependent on how it was compiled, and on whether the associated openssl/pkcs11 libraries had GOST support or not.

I guess your specific RedHat package was compiled without GOST support anyway.

So you will need either to find another package or to compile it yourself with the appropriate flags (--enable-gost at configure time), but not from the latest source code because, as I have stated above, GOST has now been completely removed.

See https://kb.isc.org/article/AA-01636/0/BIND-9.13.2-Release-Notes.html that says:

Support for the ECC-GOST (GOST R 34.11-94) algorithm has been removed from BIND as the algorithm has been superseded by GOST R 34.11-2012 in RFC6986 and must not be used in new deployments. BIND will neither create new DNSSEC keys, signatures and digests, nor will it validate them.

Which prompts the question: do you really need to support GOST or could you switch to another algorithm?

Upvotes: 1
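To make the answer's point concrete, here is an added example (not BIND's code and not part of the original answer) that mirrors strtodsdigest in Python and builds a DS record from a DNSKEY per RFC 4034: the digest is computed over the owner name in wire format plus the DNSKEY RDATA, the key tag comes from RFC 4034 Appendix B, and asking for GOST fails with the same "unknown algorithm" message the question shows. The DNSKEY bytes are a constructed placeholder, not a real key.

```python
import hashlib
import struct

# Digest types accepted by the strtodsdigest() reproduced in the answer.
# GOST (DS digest type 3) is deliberately absent, exactly as in current BIND.
DS_DIGESTS = {
    "SHA1": (1, "sha1"), "SHA-1": (1, "sha1"),
    "SHA256": (2, "sha256"), "SHA-256": (2, "sha256"),
    "SHA384": (4, "sha384"), "SHA-384": (4, "sha384"),
}


def strtodsdigest(algname):
    """Map a -a value to (DS digest type, hashlib name), or fail like BIND does."""
    try:
        return DS_DIGESTS[algname.upper()]
    except KeyError:
        raise ValueError(f"unknown algorithm {algname}") from None


def owner_wire(name):
    """Owner name in canonical DNS wire form: lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata):
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(name, flags, protocol, algorithm, pubkey, digest_name):
    """Presentation-format DS record: tag, key algorithm, digest type, hex digest."""
    dtype, hname = strtodsdigest(digest_name)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.new(hname, owner_wire(name) + rdata).hexdigest().upper()
    return f"{name} IN DS {keytag(rdata)} {algorithm} {dtype} {digest}"


if __name__ == "__main__":
    # Constructed sample: KSK flags (257), protocol 3, RSASHA256 (8), placeholder key bytes.
    print(ds_record("example.com.", 257, 3, 8, b"\x01\x02\x03\x04", "SHA-256"))
```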
