Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Tony Finch dot at
Thu Mar 6 08:53:02 UTC 2014

Jason Hellenthal <jhellenthal at> wrote:
> I recall spending a LOT of time with DNSSEC figuring out all the
> nonsense but like anything else stability and friendliness has to start
> somewhere. And development should not be impeded by adoption of bad
> practices. Fix the root cause not the symptom.

dnssec-keygen actually has quite sane defaults, but unfortunately the man
page is not great at saying which options can be ignored because they are
cruft from the 1990s. It could do with better examples too.

f.anthony.n.finch  <dot at>
South Utsire, Forties: Southwesterly 5 to 7, perhaps gale 8 later. Moderate or
rough. Rain. Moderate or poor.

More information about the bind-users mailing list