DNS Keys

Newer BIND versions support secure keys for authenticating and authorizing access to certain functions. This page allows you to generate keys for use in other sections. Specifically, after generation, a key can be used to secure your Other Servers connections.

Installing a Key

To create a new key, simply fill in a new Key ID, which must be an alphanumeric string with no whitespace, for example, mynewkey or supersecret or HenryThe8th. The Algorithm can usually safely remain at the default of hmac-md5. Finally, the Secret string must be a base64-encoded string.

Creating a Key with dnssec-keygen

To generate a base64-encoded string for use in the Secret string field, you can use the dnssec-keygen or dnskeygen utility that is included in most installations of BIND. You can even use a plain string encoded with the mmencode utility, though this will be significantly less secure than using an MD5 key. To create a key using dnssec-keygen, the following command line can be used with minor modifications to suit your server:

[root@delilah]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST delilah.swelltech.com
Kdelilah.swelltech.com.+157+06448

In the above example, the second line is the output from the command, which gives you a hint about the filenames under which your new key is stored. In this case, two files were generated, named Kdelilah.swelltech.com.+157+06448.key and Kdelilah.swelltech.com.+157+06448.private. Both contain the newly generated key, and so you can view either to copy the key for pasting into the Webmin Secret string field. This key will also need to be made available to any servers that will be communicating with this server using security features.
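The steps above, as an added example that is not from the book: shell functions that read the secret from the .private file, check that it decodes to the 128 bits requested with -b 128 and that the file is not readable by group or other, then print the matching named.conf key clause. The sample file is constructed (all-zero placeholder secret), the "Key:" line layout is an assumption about dnssec-keygen's HMAC output, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: functions and sample data below are illustrative, not from the book.

# Print the base64 secret from the "Key:" line of a .private file.
tsig_secret() {
    sed -n 's/^Key:[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if secret $1 decodes from base64 to exactly $2 bits.
secret_has_bits() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$((n * 8))" -eq "$2" ]
}

# Succeed only if group and other have no permissions on the key file.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print a named.conf key clause; $1 = Key ID, $2 = .private file.
named_key_clause() {
    s=$(tsig_secret "$2")
    secret_has_bits "$s" 128 || { echo "bad or missing secret in $2" >&2; return 1; }
    is_private "$2" || { echo "$2 is readable by group or other" >&2; return 1; }
    printf 'key "%s" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$1" "$s"
}

# Write a constructed sample file: all-zero placeholder secret, not a real key.
make_sample() {
    ( umask 077
      printf '%s\n' 'Private-key-format: v1.2' 'Algorithm: 157 (HMAC_MD5)' \
          'Key: AAAAAAAAAAAAAAAAAAAAAA==' > "$1" )
}

# Demo: build the sample under a temp dir and print the clause for Key ID mynewkey.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/Kdelilah.swelltech.com.+157+06448.private"
    make_sample "$f" && named_key_clause mynewkey "$f"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```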



The Book of Webmin... or How I Learned to Stop Worrying and Love UNIX
ISBN: 1886411921
EAN: 2147483647
Year: 2006
Pages: 142
Authors: Joe Cooper
