Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Phil Mayers p.mayers at
Thu Mar 6 09:07:06 UTC 2014

On 06/03/14 08:53, Tony Finch wrote:
> Jason Hellenthal <jhellenthal at> wrote:
>> I recall spending a LOT of time with DNSSEC figuring out all the
>> nonsense but like anything else stability and friendliness has to start
>> somewhere. And development should not be impeded by adoption of bad
>> practices. Fix the root cause not the symptom.
> dnssec-keygen actually has quite sane defaults, but unfortunately the man

Agreed. The first couple of times you figure the options takes a bit of 
time, but once you've done that, dnssec-keygen is really quite inoffensive.

Frankly there are a bucketload of Unix tools whose more esoteric 
behaviour I've never bothered to memorise; the key is for help and man 
pages to be sane. I'm constantly doing "man find"...

More information about the bind-users mailing list