'tsig-keygen' vs 'dnssec-keygen' - keysize

Mark Andrews marka at isc.org
Thu Sep 6 07:29:54 UTC 2018

dnssec-keygen had -d, which set the truncated bits in the .private file
for HMACs.  tsig-keygen could be extended to look for -bits with -a, but
yes, I meant just edit the resulting algorithm name in the file.


> On 6 Sep 2018, at 4:49 pm, Browne, Stuart <Stuart.Browne at team.neustar> wrote:
>> -----Original Message-----
>> From: Evan Hunt [mailto:each at isc.org]
>> Sent: Thursday, 6 September 2018 4:35 PM
>> To: Browne, Stuart
>> Cc: Mark Andrews; bind-users at lists.isc.org
>> Subject: Re: 'tsig-keygen' vs 'dnssec-keygen' - keysize
> <snip>
>>> Is there no cryptographic difference between the short/long output?
>> As I understand it (though I haven't studied this in a while and may be
>> fuzzy), the HMAC algorithm shortens keys that are longer than the block
>> size before it uses them, so it's true, long keys aren't necessary or
>> particularly helpful.
>>> Incidentally using bind-9.11 I was unable to use the truncation method
>>> you mentioned below (not that I really want to). Is it a 9.12 onwards
>>> thing?
>> No, but Mark's comment may have been confusing.  You can set up keys
>> that way in named.conf ("algorithm hmac-md5-96;" or whatever). At first
>> I thought he was talking about tsig-keygen; perhaps you read it the same
>> way I did?
>> --
>> Evan Hunt -- each at isc.org
>> Internet Systems Consortium, Inc.
> Yes, I did read it the same way as you Evan.
> Thanks for the clarification on the HMAC usage.
> Stuart

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
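The two points the thread turns on, that HMAC reduces a key longer than the hash block size before using it and that a named.conf name such as "hmac-md5-96" only truncates the MAC, are easy to check directly. The following is an added example written for this archive page; it is not code from BIND, tsig-keygen or any of the thread's participants. The algorithm-name parsing, the DIGESTS table and the sample keys are my own constructions for illustration; the key handling follows RFC 2104 and the truncation limits follow RFC 4635 (carried into RFC 8945).

```python
"""Added example: how HMAC treats long TSIG keys, and what MAC truncation does.

Not code from BIND or the thread's authors; standard library only.
"""
import hashlib
import hmac

# Hash behind each base TSIG algorithm name (constructed mapping, not BIND's table).
DIGESTS = {
    "hmac-md5": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


def parse_algorithm(name):
    """Split 'hmac-sha256-128' into (hash constructor, 128); 'hmac-sha256' gives bits=None.

    Assumption: the '<base>-<bits>' naming used in named.conf, e.g. hmac-md5-96.
    """
    parts = name.lower().split("-")
    if len(parts) == 3 and parts[2].isdigit():
        base, bits = "-".join(parts[:2]), int(parts[2])
    else:
        base, bits = name.lower(), None
    if base not in DIGESTS:
        raise ValueError("unknown TSIG algorithm %r" % name)
    return DIGESTS[base], bits


def effective_key(key, digestmod):
    """The key HMAC really operates on (RFC 2104 step 1).

    Longer than the block size: replaced by its hash (so a 100-byte key
    carries no more than the digest length). Shorter: zero-padded.
    """
    block = digestmod().block_size  # 64 bytes for MD5/SHA-1/SHA-256, 128 for SHA-512
    if len(key) > block:
        key = digestmod(key).digest()
    return key.ljust(block, b"\x00")


def truncation_ok(full_len_bytes, mac_bits):
    """RFC 4635 limits: whole octets, at least 80 bits, at least half the full MAC."""
    full_bits = full_len_bytes * 8
    return (mac_bits % 8 == 0
            and mac_bits >= 80
            and mac_bits >= full_bits // 2
            and mac_bits <= full_bits)


def tsig_mac(algorithm, key, message):
    """HMAC of `message` under `key`, truncated if the name asks for it."""
    digestmod, bits = parse_algorithm(algorithm)
    mac = hmac.new(key, message, digestmod).digest()
    if bits is None:
        return mac
    if not truncation_ok(len(mac), bits):
        raise ValueError("%d-bit MAC not allowed for %s" % (bits, algorithm))
    return mac[: bits // 8]


if __name__ == "__main__":
    msg = b"constructed TSIG-signed message"
    long_key = bytes(range(100))                     # constructed 800-bit key
    hashed = hashlib.sha256(long_key).digest()       # its 256-bit reduction
    # Both keys verify the same MAC: the extra length bought nothing.
    print("long == hashed:", tsig_mac("hmac-sha256", long_key, msg)
          == tsig_mac("hmac-sha256", hashed, msg))
    # Truncation is a prefix of the full MAC, nothing more.
    print("sha256-128 is prefix:", tsig_mac("hmac-sha256-128", long_key, msg)
          == tsig_mac("hmac-sha256", long_key, msg)[:16])
    print("md5-96 allowed:", truncation_ok(16, 96), " sha256-64 allowed:", truncation_ok(32, 64))
```

The first check is the property Evan describes: once a key exceeds the block size, HMAC uses its hash, so a longer key from dnssec-keygen is interchangeable with the 32-byte hash of itself. The second shows that a truncated algorithm name changes only how much of the MAC goes on the wire; the truncation_ok bounds are what keep an overly short MAC (such as 64 bits of SHA-256) from being configured.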
