Kevin Darcy said:
> I don't claim to be a crypto expert, but I thought keys of type "ZONE"
> were only for the whole DNSSEC shebang (KEY/DNSKEY records, etc.). The
> dhcp.conf man page example uses a "USER" key type, and I've always used
> a "HOST" key type. Have you tried either of those?
>
>
> - Kevin


Good point.
Running

dnssec-keygen -a HMAC-MD5 -b 128 -p 3 -n ZONE kahn.tnd.lan

gives me an error, "a key with algorithm 'HMAC-MD5' cannot be a zone key".
Better to use HOST:

dnssec-keygen -a HMAC-MD5 -b 128 -p 3 -n HOST kahn.tnd.lan

which generates a good key pair. Although, the key data in the config
files can be any old data string, as long as it's the right length, and
having it the wrong length may have caused the problem.


--
Kerry Thompson
IT Security Consultant
http://www.crypt.gen.nz
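
An added example, not part of the original messages: a small check that the key stanza in dhcpd.conf and the one in named.conf carry the same algorithm and secret, and that the secret is valid base64 decoding to the 128 bits requested with -b 128 above. The stanza layout, the sample secret and the function names are assumptions made for illustration.

```python
import base64
import binascii
import re

# Matches "key NAME { algorithm ALG; secret DATA; }" with or without quotes.
KEY_RE = re.compile(
    r'key\s+"?([\w.\-]+)"?\s*\{\s*'
    r'algorithm\s+"?([\w.\-]+)"?\s*;\s*'
    r'secret\s+"?([^";\s]+)"?\s*;\s*\}',
    re.IGNORECASE,
)

def parse_keys(text):
    """Map key name -> (algorithm, secret). dhcpd.conf examples spell the
    algorithm HMAC-MD5.SIG-ALG.REG.INT, so only the first label is kept."""
    return {name.lower(): (alg.lower().split(".")[0], secret)
            for name, alg, secret in KEY_RE.findall(text)}

def check_secret(secret, bits=128):
    """Return problems with a base64 secret expected to hold `bits` bits."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return ["secret is not valid base64"]
    if len(raw) * 8 != bits:
        return [f"secret decodes to {len(raw) * 8} bits, expected {bits}"]
    return []

def compare_configs(named_conf, dhcpd_conf, bits=128):
    """Check every key in dhcpd.conf against its counterpart in named.conf."""
    named, problems = parse_keys(named_conf), []
    for name, (alg, secret) in parse_keys(dhcpd_conf).items():
        problems += [f"{name}: {p}" for p in check_secret(secret, bits)]
        if name not in named:
            problems.append(f"{name}: not defined in named.conf")
        elif named[name] != (alg, secret):
            problems.append(f"{name}: algorithm or secret differs between files")
    return problems

# Constructed sample data; the secret is base64 of bytes 0..15, not a real key.
NAMED = 'key kahn.tnd.lan { algorithm hmac-md5; secret "AAECAwQFBgcICQoLDA0ODw=="; };'
DHCPD = ('key kahn.tnd.lan { algorithm HMAC-MD5.SIG-ALG.REG.INT; '
         'secret AAECAwQFBgcICQoLDA0ODw==; }')

if __name__ == "__main__":
    print(compare_configs(NAMED, DHCPD) or "keys match")
```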