Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Carsten Strotmann cas at
Thu Mar 6 07:55:28 UTC 2014

Gaurav Kansal <gaurav.kansal at> writes:

> I was wondering if HMAC* keys are not used for zone then why the same
> is displayed when we use "dnssec-keygen -h".

the tool "dnssec-keygen" can be used to create both "zone" keys (with
"-n ZONE") for DNSSEC zone signing, and "host" keys (with "-n HOST") for
TSIG signing of the communication between hosts.

Keys of type "zone" are public/private key pairs, whereas keys of
type "host" are symmetric keys.

To add to the confusion, "dnssec-keygen" generates two files when used
with "-n HOST":

shell> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST
shell> ls -l*
-rw-------  1 cas  staff  124 Mar  6 08:48
-rw-------  1 cas  staff  229 Mar  6 08:48

These are symmetric TSIG keys; both files contain the same secret key
(although the filename extensions might indicate a public-private key pair).

To create a DNSSEC "zone" key, use:

shell> dnssec-keygen -a RSASHA512 -b 2048 -n ZONE
Generating key pair...................+++ ..+++
shell> ls -l* 
-rw-r--r--  1 cas  staff   607 Mar  6 08:51
-rw-------  1 cas  staff  1777 Mar  6 08:51

This time the file with the extension ".key" contains the public key
(DNSKEY) resource record, and the file with the extension ".private"
contains the private key.

I agree that it might be nice to change "dnssec-keygen" to make the tool
more user-friendly. The current state of things is due to historic
developments in how DNSSEC came into being.

