Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Carsten Strotmann cas at
Thu Mar 6 18:59:46 UTC 2014

Hello Evan,

Evan Hunt <each at> writes:

>> there could be a hard-link from a name like "tsig-keygen" to
>> "dnssec-keygen" which changes the type of key created to "-n HOST". That
>> would not require any change to the existing interface. Just an idea.
> Thanks, Carsten. I had actually had the same thought after writing my post
> last night, though I was thinking of making it a hard link to ddns-confgen
> rather than dnssec-keygen.

A link to "ddns-confgen" would work well.

> (Question: is "ddns-confgen -q" an appropriate and useful format?
> I've never understood why anybody would want TSIG keys in .key/.private
> form, but there may be a use case for it that I've overlooked.)

Yes, it is most useful. I do not have a use-case for the .key/.private
form (except existing scripts that expect these formats).

-- Carsten

