Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Tony Finch dot at
Mon Mar 3 11:57:32 UTC 2014

Gaurav Kansal <gaurav.kansal at> wrote:
> I have a doubt in this only. What's the difference between Zone and Host?

Zone keys are used for DNSSEC signing zones.

Host keys are used for TSIG transaction authentication, for securing zone
transfers or dynamic updates.

> I also want to know which algorithm is the best one on security aspects for
> generating Keys for DNSSEC.

Your security is affected more by how you store the keys than anything
else. RSASHA256 is fine.

f.anthony.n.finch  <dot at>
Faeroes: East or southeast 5 to 7. Rough or very rough. Rain. Moderate.
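
An added example, not part of the original message: a small audit that separates zone keys from host (TSIG) keys by the algorithm number in the file name and flags private key files that are accessible to group or other. It assumes dnssec-keygen's `K<name>.+<alg>+<keyid>.private` file naming and the HMAC algorithm numbers older BIND releases used in file names; the key names and files in `demo()` are constructed placeholders.

```python
import os
import re
import stat
import tempfile

# dnssec-keygen output naming: K<name>.+<alg>+<keyid>.private (and .key for the public part)
KEYFILE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.private$")
# Algorithm numbers as they appear in the file name
ZONE_ALGS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}
TSIG_ALGS = {157: "HMAC-MD5", 161: "HMAC-SHA1", 163: "HMAC-SHA256", 165: "HMAC-SHA512"}

def audit_key_dir(path):
    """Return (filename, use, algorithm, problems) for every private key file in path."""
    findings = []
    for fn in sorted(os.listdir(path)):
        m = KEYFILE.match(fn)
        if not m:
            continue  # public .key files and unrelated files are skipped
        alg = int(m.group("alg"))
        if alg in ZONE_ALGS:
            use, algname = "zone signing (DNSSEC)", ZONE_ALGS[alg]
        elif alg in TSIG_ALGS:
            use, algname = "host/TSIG", TSIG_ALGS[alg]
        else:
            use, algname = "unknown", str(alg)
        mode = stat.S_IMODE(os.stat(os.path.join(path, fn)).st_mode)
        problems = []
        if mode & 0o077:  # any group/other permission bit set
            problems.append("accessible to group/other (mode %04o)" % mode)
        findings.append((fn, use, algname, problems))
    return findings

def demo():
    """Build a throwaway directory of constructed placeholder files and audit it."""
    samples = [("Kexample.com.+008+12345.private", 0o600),   # zone key, owner-only
               ("Kexample.com.+008+12345.key", 0o644),       # public half, ignored
               ("Ktransfer-key.+163+54321.private", 0o644)]  # TSIG key, too open
    d = tempfile.mkdtemp()
    for fn, mode in samples:
        p = os.path.join(d, fn)
        with open(p, "w") as f:
            f.write("placeholder, not a real key\n")
        os.chmod(p, mode)
    return audit_key_dir(d)

if __name__ == "__main__":
    for fn, use, alg, problems in demo():
        print(fn, "|", use, "|", alg, "|", "; ".join(problems) or "ok")
```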

More information about the bind-users mailing list