Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Evan Hunt each at
Thu Mar 6 16:38:23 UTC 2014

> there could be a hard-link from a name like "tsig-keygen" to
> "dnssec-keygen" which changes the type of key created to "-n HOST". That
> would not require any change to the existing interface. Just an idea.

Thanks, Carsten. I had actually had the same thought after writing my post
last night, though I was thinking of making it a hard link to ddns-confgen
rather than dnssec-keygen.

(Question: is "ddns-confgen -q" an appropriate and useful format?
I've never understood why anybody would want TSIG keys in .key/.private
form, but there may be a use case for it that I've overlooked.)

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list