Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Carsten Strotmann cas at
Thu Mar 6 10:34:45 UTC 2014

Hi Evan,

Evan Hunt <each at> writes:

> On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
>> I agree that it might be nice to change "dnssec-keygen" to make the tool
>> more userfriendly. The current state-of-things is because of historic
>> developments in how DNSSEC came to birth.
> ...and lots of people dealing with dnssec-keygen's user-unfriendliness
> by writing shell scripts to run it, which will break if we change its
> interface now.  A lot of old mistakes have gotten chiseled into stone
> by that.

there could be a hard-link from a name like "tsig-keygen" to
"dnssec-keygen" which changes the type of key created to "-n HOST". That
would not require any change to the existing interface. Just an idea.

I'm not suggesting to change the existing interface, as it will break
existing stuff.

-- Carsten

More information about the bind-users mailing list