Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Gaurav Kansal gaurav.kansal at nic.in
Thu Mar 6 05:40:22 UTC 2014


Hi Tony,

Thanks for help.

I was wondering, if HMAC* keys are not used for zones, then why is the same
displayed when we use "dnssec-keygen -h"?

Regards,

Gaurav Kansal

-----Original Message-----
From: Tony Finch [mailto:fanf2 at hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Monday, March 3, 2014 3:58 AM
To: Gaurav Kansal
Cc: bind-users at lists.isc.org
Subject: Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in
dnssec-keygen

Gaurav Kansal <gaurav.kansal at nic.in> wrote:

> I have doubt in this only. What's the difference between Zone or Host?

Zone keys are used for DNSSEC signing zones.

Host keys are used for TSIG transaction authentication, for securing zone
transfers or dynamic updates.

> I also want to know which algorithm is the best one on security
> aspects for generating Keys for DNSSEC.

Your security is affected more by how you store the keys than anything else.
RSASHA256 is fine.

Tony.

--

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/

Faeroes: East or southeast 5 to 7. Rough or very rough. Rain. Moderate.
