Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Gaurav Kansal gaurav.kansal at
Mon Mar 3 11:22:25 UTC 2014

Dear Team,


I am using RSASHA1 key generation algorithm for generating the KSK and ZSK.


Today, I tried to generate the algorithm using RSASHA512 and HMAC-SHA256

Key generation through RSASHA512 algorithm run successfully but while
generating the keys through HMAC-SHA512 algorithm, I am getting the
following error -


"dnssec-keygen: fatal: a key with algorithm 'HMAC-SHA512' cannot be a zone


I googled it and find a previous discussion on BIND Mailing list that HMAC-*
is used for generating keys for Host and not for Zone.


I have doubt in this only. What's the difference between Zone or Host ?? Is
it key generation for one client machine or what ?


I also want to know which algorithm is the best one on security aspects for
generating Keys for DNSSEC.



Thanks and Regards,

Gaurav Kansal

Emp Code - 6274

Mob - 9910118448

Intercom - 7331


Have you enabled IPv6 on something today...?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list