'tsig-keygen' vs 'dnssec-keygen' - keysize
each at isc.org
Thu Sep 6 06:34:42 UTC 2018
On Thu, Sep 06, 2018 at 04:28:23AM +0000, Browne, Stuart via bind-users wrote:
> Ok, then here goes me in my not-really-understanding HMAC properly.
> When using 'dnssec-keygen -a hmac-md5 -b 512 -n HOST some-name' (512
> being the max keysize listed in 'dnssec-keygen -h'), we end up with an
> 88-byte string of secret data.
> When using 'tsig-keygen -a hmac-md5 some-name', we end up with a 24-byte
> string of secret data.
> Is there no cryptographic difference between the short/long output?
As I understand it (though I haven't studied this in a while and may be
fuzzy), the HMAC algorithm shortens keys that are longer than the block
size before it uses them, so it's true, long keys aren't necessary or
> Incidentally using bind-9.11 I was unable to use the truncation method
> you mentioned below (not that I really want to). Is it a 9.12 onwards
No, but Mark's comment may have been confusing. You can set up keys
that way in named.conf ("algorithm hmac-md5-96;" or whatever). At first
I thought he was talking about tsig-keygen; perhaps you read it the same
way I did?
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
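The HMAC key handling discussed in this thread, as an added example (not from the original posts and not BIND's own code): it shows why a 128-bit and a 512-bit random key become 24- and 88-character base64 secrets, how HMAC (RFC 2104) replaces any key longer than the digest's block size with its hash before use, and what a truncated algorithm name such as hmac-md5-96 does to the MAC. The block-size table, sample key and message are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Internal block size (bytes) of the digests behind the TSIG algorithms:
# MD5, SHA-1 and SHA-256 use 64-byte blocks; SHA-384 and SHA-512 use 128.
BLOCK_SIZE = {"md5": 64, "sha1": 64, "sha256": 64, "sha384": 128, "sha512": 128}


def tsig_secret_chars(key_bits: int) -> int:
    """Characters in the base64 'secret' value for a random key of key_bits bits.
    128 bits -> 24 characters, 512 bits -> 88 characters."""
    return len(base64.b64encode(os.urandom(key_bits // 8)))


def effective_hmac_key(raw_key: bytes, digest: str = "md5") -> bytes:
    """The key HMAC (RFC 2104) really mixes into its inner/outer pads: a key
    longer than the block size is first replaced by its hash, then zero-padded."""
    block = BLOCK_SIZE[digest]
    if len(raw_key) > block:
        raw_key = hashlib.new(digest, raw_key).digest()
    return raw_key.ljust(block, b"\x00")


def same_mac(key_a: bytes, key_b: bytes, msg: bytes, digest: str = "md5") -> bool:
    """True when both keys yield an identical MAC over msg (constant-time compare)."""
    mac_a = hmac.new(key_a, msg, digest).digest()
    mac_b = hmac.new(key_b, msg, digest).digest()
    return hmac.compare_digest(mac_a, mac_b)


def truncated_mac(key: bytes, msg: bytes, digest: str, mac_bits: int) -> bytes:
    """MAC as carried by a truncated TSIG algorithm such as hmac-md5-96:
    the full HMAC is computed, only the leading mac_bits bits are kept."""
    return hmac.new(key, msg, digest).digest()[: mac_bits // 8]


if __name__ == "__main__":
    # Constructed sample key and message, not real TSIG material.
    long_key = bytes(range(128))  # 1024 bits, twice the MD5 block size
    msg = b"example. IN SOA constructed message"
    print(tsig_secret_chars(128), tsig_secret_chars(512))  # 24 88
    # A 1024-bit key is interchangeable with its own 128-bit MD5 digest.
    print(same_mac(long_key, hashlib.md5(long_key).digest(), msg))  # True
    print(len(truncated_mac(long_key, msg, "md5", 96)))  # 12
```

A 512-bit key is exactly one MD5 block, so it is used as-is; only keys above 64 bytes are hashed down to the 16-byte digest before padding.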