Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Evan Hunt each at
Thu Mar 6 08:11:15 UTC 2014

On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
> I agree that it might be nice to change "dnssec-keygen" to make the tool
> more userfriendly. The current state-of-things is because of historic
> developments in how DNSSEC came to birth.

...and lots of people dealing with dnssec-keygen's user-unfriendliness
by writing shell scripts to run it, which will break if we change its
interface now.  A lot of old mistakes have gotten chiseled into stone
by that.

I've long wanted to write a replacement for the zone key functions
of dnssec-keygen (or at least a sensible wrapper), so that DNSSEC
keys could be generated according to a configured policy rather
than command-line alphabet soup.

For generating host keys, I suggest "ddns-confgen" rather than

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list