'tsig-keygen' vs 'dnssec-keygen' - keysize

Mark Andrews marka at isc.org
Wed Sep 5 05:39:46 UTC 2018

> On 5 Sep 2018, at 2:50 pm, Browne, Stuart via bind-users <bind-users at lists.isc.org> wrote:
> Was adding in some new internal functionality and noted that the 'tsig-keygen' tool doesn’t
> give the ability to alter the keysize like dnssec-keygen does for generating HMAC based tsig keys.
> I also noticed that in 9.13, dnssec-keygen will no longer be able to generate HMAC TSIGs, so
> I'm wondering if the ability to manipulate the tsig keysize will be implemented in tsig-keygen
> to maintain compatibility, or if there is some work-around I've not found to be able to set this.

There is zero point in fiddling with the key sizes of HMACs.  It has no impact on the size
of the HMAC in the TSIG records.  It has negligible impact on the size of named.conf, or
on the size of a database if we ever get around to storing TSIG keys in a database, even
with hundreds of millions of keys.

tsig-keygen generates maximal-sized shared keys for the given algorithm, which provides
the largest possible search space for a brute force attack.

The HMAC algorithm used impacts the size of the HMAC in the TSIG record.  To generate a
truncated HMAC, append “-<bits>” (e.g. -128) to the algorithm name.



Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
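The two points above (key size does not change the MAC in the TSIG record; the algorithm name, with an optional "-<bits>" suffix, does) as an added illustration that is not part of this thread or of BIND's code. It uses Python's hmac module, constructed sample data, and the truncation bounds from RFC 4635 (no less than half the digest and never below 80 bits, in whole octets) that BIND's algorithm names follow.

```python
import hashlib
import hmac
import os

# Digest size in bits for the HMAC algorithms accepted in a TSIG key statement.
HMAC_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
    "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512,
}


def parse_algorithm(name):
    """Split e.g. 'hmac-sha256-128' into (hashlib name, MAC bits).

    Without a suffix the full digest is used.  A suffix must be a multiple
    of 8, at least half the digest, at least 80 bits and at most the digest.
    """
    parts = name.lower().split("-")
    base = "-".join(parts[:2])
    if base not in HMAC_BITS or len(parts) > 3:
        raise ValueError(f"unknown TSIG algorithm: {name}")
    full = HMAC_BITS[base]
    bits = int(parts[2]) if len(parts) == 3 else full
    if bits % 8 or bits < max(80, full // 2) or bits > full:
        raise ValueError(f"illegal truncation {bits} bits for {base}")
    return base[len("hmac-"):], bits


def tsig_mac(algorithm, key, message):
    """MAC as it would appear in the TSIG RR: full HMAC, then truncated."""
    hash_name, bits = parse_algorithm(algorithm)
    digest = hmac.new(key, message, hash_name).digest()
    return digest[: bits // 8]


def mac_sizes_for_key_sizes(algorithm, message, key_bytes=(16, 32, 64, 128)):
    """MAC length (octets) produced by random keys of several sizes.

    HMAC absorbs any key length into one block, so every entry is the same:
    the key size never shows up on the wire.
    """
    return {n: len(tsig_mac(algorithm, os.urandom(n), message)) for n in key_bytes}


if __name__ == "__main__":
    msg = b"constructed sample of TSIG-signed wire data"   # constructed input
    print(mac_sizes_for_key_sizes("hmac-sha256", msg))      # all 32
    print(mac_sizes_for_key_sizes("hmac-sha256-128", msg))  # all 16
```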
