Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Jason Hellenthal jhellenthal at
Thu Mar 6 08:21:11 UTC 2014

Nothing is ever set in stone that hard. Sorry they wrote scripts for it. All apologies they decided to use Elmer's glue instead of high tensile strength super carbon based cement. They will just have to amend those temp scripts with some test cases or you can write a compatibility shim with an expiration clause with an annoying warning message.

I recall spending a LOT of time with DNSSEC figuring out all the nonsense but like anything else stability and friendliness has to start somewhere. And development should not be impeded by adoption of bad practices. Fix the root cause not the symptom.

 Jason Hellenthal

> On Mar 6, 2014, at 3:11, Evan Hunt <each at> wrote:
>> On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
>> I agree that it might be nice to change "dnssec-keygen" to make the tool
>> more userfriendly. The current state-of-things is because of historic
>> developments in how DNSSEC came to birth.
> ...and lots of people dealing with dnssec-keygen's user-unfriendliness
> by writing shell scripts to run it, which will break if we change its
> interface now.  A lot of old mistakes have gotten chiseled into stone
> by that.
> I've long wanted to write a replacement for the zone key functions
> of dnssec-keygen (or at least a sensible wrapper), so that DNSSEC
> keys could be generated according to a configured policy rather
> than command-line alphabet soup.
> For generating host keys, I suggest "ddns-confgen" rather than
> "dnssec-keygen".
> -- 
> Evan Hunt -- each at
> Internet Systems Consortium, Inc.
> _______________________________________________
> Please visit to unsubscribe from this list
> bind-users mailing list
> bind-users at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6118 bytes
Desc: not available
URL: <>

More information about the bind-users mailing list