DNSSEC algorithms

Tony Finch dot at dotat.at
Thu Jul 8 13:46:21 UTC 2021


Josef Moellers <jmoellers at suse.de> wrote:
>
> I'm a bit confused: genDDNSkey (or dnssec-keygen for that matter)
> apparently generates keys using "rsasha512" as the algorithm but bind
> and its utilities do not know this, they *only* know hmac-* algorithms.

I think genDDNSkey is a SuSE-specific thing?

There have been some changes in this area in BIND: dnssec-keygen used to
be a bit awkward because it would generate DNSKEY public/private pairs,
and also TSIG secrets, which are quite different things that are used in
very different ways.

Since BIND 9.9, it has been easier to use tsig-keygen and ddns-confgen to
generate TSIG keys. In 9.13, TSIG support was removed from dnssec-keygen,
so now it is just for DNSKEY (and KEY for obscure cases).

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
The Minch: Variable 3 or less. Smooth or slight. Occasional drizzle,
fog patches at first. Moderate or good, occasionally very poor at
first.
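Added illustration, not part of Tony's message or of BIND's code: the distinction he draws is that a TSIG key is a shared symmetric secret (an HMAC key, written into named.conf as a `key` statement, which is what tsig-keygen emits), whereas dnssec-keygen produces an asymmetric DNSKEY pair. The Python below generates a `key` statement in the same shape tsig-keygen prints, parses it back, and shows that verifying an HMAC needs the identical secret on both sides. Assumptions made here: the secret length is one digest length of the chosen HMAC (tsig-keygen's default is hmac-sha256 with a 256-bit secret, which this matches), and the message being MACed is a constructed byte string, not a real DNS update message (a real TSIG MAC covers the DNS message plus the TSIG variables as defined in RFC 8945).

```python
import base64
import hashlib
import hmac
import re
import secrets

# TSIG HMAC algorithms with their digest functions. Secret length is taken
# as one digest length of random bytes (assumption for this example; it
# matches tsig-keygen's default of a 256-bit secret for hmac-sha256).
TSIG_ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def generate_tsig_key(name, algorithm="hmac-sha256", secret=None):
    """Return a named.conf 'key' statement in the form tsig-keygen prints.

    A fixed 'secret' may be passed for reproducible tests; otherwise a
    fresh random secret of the algorithm's digest length is drawn.
    """
    if algorithm not in TSIG_ALGORITHMS:
        raise ValueError(f"unsupported TSIG algorithm: {algorithm}")
    if secret is None:
        secret = secrets.token_bytes(TSIG_ALGORITHMS[algorithm]().digest_size)
    b64 = base64.b64encode(secret).decode("ascii")
    return (
        f'key "{name}" {{\n'
        f"\talgorithm {algorithm};\n"
        f'\tsecret "{b64}";\n'
        "};\n"
    )


# Loose parser for a single key statement (whitespace and newlines vary
# between tools, so the regex is tolerant of both).
_KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;',
    re.S,
)


def parse_tsig_key(statement):
    """Return (name, algorithm, secret_bytes) from a named.conf key statement."""
    m = _KEY_RE.search(statement)
    if not m:
        raise ValueError("not a TSIG key statement")
    name, algorithm, b64 = m.groups()
    if algorithm not in TSIG_ALGORITHMS:
        raise ValueError(f"unsupported TSIG algorithm: {algorithm}")
    # validate=True rejects stray characters that a sloppy copy-paste adds.
    return name, algorithm, base64.b64decode(b64, validate=True)


def tsig_mac(algorithm, secret, message):
    """HMAC over 'message' with the shared secret (the symmetric half of TSIG)."""
    return hmac.new(secret, message, TSIG_ALGORITHMS[algorithm]).digest()


def tsig_verify(algorithm, secret, message, mac):
    """Constant-time check; the verifier must hold the very same secret."""
    return hmac.compare_digest(tsig_mac(algorithm, secret, message), mac)


def demo():
    """Generate a key statement, parse it back, and MAC a constructed message.

    Returns (statement, mac_ok_with_same_secret, mac_ok_with_other_secret).
    """
    stmt = generate_tsig_key("ddns-key.example", "hmac-sha256")
    _, alg, secret = parse_tsig_key(stmt)
    msg = b"constructed sample update payload"  # not a real DNS message
    mac = tsig_mac(alg, secret, msg)
    other = secrets.token_bytes(len(secret))
    return stmt, tsig_verify(alg, secret, msg, mac), tsig_verify(alg, other, msg, mac)


if __name__ == "__main__":
    statement, same_ok, other_ok = demo()
    print(statement)
    print("verify with shared secret:", same_ok)
    print("verify with a different secret:", other_ok)
```

The output of `generate_tsig_key` can be dropped into named.conf (or included from a separate file with restricted permissions) and the same statement handed to the nsupdate side; that both ends must hold the identical secret is exactly why a TSIG key is not something dnssec-keygen's public/private pairs can stand in for.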