'tsig-keygen' vs 'dnssec-keygen' - keysize

Browne, Stuart Stuart.Browne at team.neustar
Thu Sep 6 06:49:32 UTC 2018


> -----Original Message-----
> From: Evan Hunt [mailto:each at isc.org]
> Sent: Thursday, 6 September 2018 4:35 PM
> To: Browne, Stuart
> Cc: Mark Andrews; bind-users at lists.isc.org
> Subject: Re: 'tsig-keygen' vs 'dnssec-keygen' - keysize
> 
<snip>

> > Is there no cryptographic difference between the short/long output?
> 
> As I understand it (though I haven't studied this in a while and may be
> fuzzy), the HMAC algorithm shortens keys that are longer than the block
> size before it uses them, so it's true, long keys aren't necessary or
> particularly helpful.
> 
> > Incidentally using bind-9.11 I was unable to use the truncation method
> > you mentioned below (not that I really want to). Is it a 9.12 onwards
> > thing?
> 
> No, but Mark's comment may have been confusing.  You can set up keys
> that way in named.conf ("algorithm hmac-md5-96;" or whatever). At first
> I thought he was talking about tsig-keygen; perhaps you read it the same
> way I did?
> 
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.

Yes, I did read it the same way as you, Evan.

Thanks for the clarification on the HMAC usage.

Stuart
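As an added illustration of the HMAC key-handling point in Evan's reply (this is example code written for this page, not code from the thread or from BIND): RFC 2104 hashes a key that is longer than the hash's block size down to the digest length before use, so a 128-byte key and the 16- or 32-byte hash of that key produce the same MAC, while a key of at most block size is used as-is. The block also shows the 96-bit MAC truncation that the `hmac-md5-96` algorithm name in named.conf denotes. The keys and message below are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs (not real TSIG secrets): a 128-byte key, which is
# longer than the 64-byte block size of MD5 and SHA-256, and a 64-byte key,
# which is exactly block size and therefore used unchanged.
LONG_KEY = bytes(range(128))
BLOCK_SIZE_KEY = bytes(range(64))
SAMPLE_MESSAGE = b"example.com. IN AXFR"   # stand-in for the signed wire data


def hashed_key(key: bytes, hashname: str) -> bytes:
    """H(key) for the named hash, e.g. md5(key) or sha256(key)."""
    return hashlib.new(hashname, key).digest()


def hmac_effective_key(key: bytes, hashname: str) -> bytes:
    """Reproduce the RFC 2104 key normalisation HMAC applies internally.

    Keys longer than the block size are replaced by their hash; every key
    is then zero-padded to the block size. A key longer than the block size
    therefore contributes at most digest-length bits of key material.
    """
    block_size = hashlib.new(hashname).block_size
    if len(key) > block_size:
        key = hashed_key(key, hashname)
    return key.ljust(block_size, b"\x00")


def tsig_mac(key: bytes, message: bytes, hashname: str,
             trunc_bits: Optional[int] = None) -> bytes:
    """HMAC over the message, optionally truncated to the leading trunc_bits.

    trunc_bits=96 with hashname="md5" mirrors the hmac-md5-96 algorithm name:
    the full 128-bit HMAC-MD5 is computed and only the first 96 bits are sent.
    """
    mac = hmac.new(key, message, hashname).digest()
    if trunc_bits is not None:
        mac = mac[: trunc_bits // 8]
    return mac


def long_key_equals_hashed_key(key: bytes, message: bytes, hashname: str) -> bool:
    """True when HMAC(key, m) == HMAC(H(key), m), i.e. when the long key buys nothing
    over its own hash. This holds only for keys longer than the block size."""
    return hmac.compare_digest(
        tsig_mac(key, message, hashname),
        tsig_mac(hashed_key(key, hashname), message, hashname),
    )


if __name__ == "__main__":
    for name in ("md5", "sha256"):
        print(name, "128-byte key == its hash:",
              long_key_equals_hashed_key(LONG_KEY, SAMPLE_MESSAGE, name))
        print(name, " 64-byte key == its hash:",
              long_key_equals_hashed_key(BLOCK_SIZE_KEY, SAMPLE_MESSAGE, name))
    print("hmac-md5-96 MAC length (bytes):",
          len(tsig_mac(BLOCK_SIZE_KEY, SAMPLE_MESSAGE, "md5", 96)))
```

The practical reading for TSIG: a secret longer than 64 bytes is no stronger than a 16-byte (MD5) or 32-byte (SHA-256) one, which is why tsig-keygen's default lengths are sufficient; the 96-bit variant shortens only the transmitted MAC, not the key.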

