Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

Carsten Strotmann cas at strotmann.de
Thu Mar 6 07:55:28 UTC 2014


Gaurav Kansal <gaurav.kansal at nic.in> writes:


> I was wondering if HMAC* keys are not used for zone then why the same
> is displayed when we use "dnssec-keygen -h".

The tool "dnssec-keygen" can be used to create both "zone" keys (with
"-n ZONE") for DNSSEC zone signing, and "host" keys (with "-n HOST") for
TSIG signing of the communication between hosts.

Keys of type "zone" are public/private key pairs
(https://en.wikipedia.org/wiki/Public-key_cryptography), whereas keys of
type "host" are symmetric keys
(https://en.wikipedia.org/wiki/Symmetric-key_algorithm).

To add to the confusion, "dnssec-keygen" generates two files when used
with "-n HOST":

shell> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ns1.example.com
Kns1.example.com.+157+16495
shell> ls -l Kns1.example.com.+157+16495.*
-rw-------  1 cas  staff  124 Mar  6 08:48 Kns1.example.com.+157+16495.key
-rw-------  1 cas  staff  229 Mar  6 08:48 Kns1.example.com.+157+16495.private

These are symmetric TSIG keys; both files contain the same secret key
(although the filename extensions might indicate a public/private key
pair)!

To create a DNSSEC "zone" key, use:

shell> dnssec-keygen -a RSASHA512 -b 2048 -n ZONE example.com
Generating key pair...................+++ ..+++
Kexample.com.+010+18335
shell> ls -l Kexample.com.+010+18335.*
-rw-r--r--  1 cas  staff   607 Mar  6 08:51 Kexample.com.+010+18335.key
-rw-------  1 cas  staff  1777 Mar  6 08:51 Kexample.com.+010+18335.private

This time the file with the extension ".key" contains the public key
(DNSKEY) resource record, and the file with the extension ".private"
contains the private key.

I agree that it might be nice to change "dnssec-keygen" to make the tool
more user-friendly. The current state of things is because of historic
developments in how DNSSEC came to birth.

-- Carsten
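As an added example (not from the original post and not BIND's own code), a small Python script that reads a dnssec-keygen ".key"/".private" pair and reports whether both files carry one shared secret, as for a "-n HOST" key, or a public/private pair, as for a "-n ZONE" key. It assumes the file layouts dnssec-keygen writes (a KEY/DNSKEY record in ".key", "Field: value" lines in ".private"); the sample file contents are constructed, not real keys.

```python
# Added example, not from the original post: tell whether a dnssec-keygen
# ".key"/".private" pair holds one shared secret (TSIG "host" key, symmetric)
# or a public/private pair (DNSSEC "zone" key). Sample files are constructed.
import base64
import re

HMAC_ALGS = {157, 161, 162, 163, 164, 165}  # HMAC-MD5 and HMAC-SHA1..SHA512
RSA_ALGS = {5, 7, 8, 10}                    # RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512
b64 = lambda b: base64.b64encode(b).decode()

def parse_key_file(text):
    """Algorithm number and raw RDATA of the KEY/DNSKEY record in a .key file."""
    for line in text.splitlines():
        if line.strip() and not line.startswith(";"):  # skip dnssec-keygen's comments
            f = line.split()                           # owner IN KEY|DNSKEY flags proto alg b64...
            return int(f[5]), base64.b64decode("".join(f[6:]))
    raise ValueError("no KEY/DNSKEY record found")

def parse_private_file(text):
    """'Field: value' lines of a .private file as a dict."""
    return dict(re.findall(r"^([A-Za-z0-9-]+):\s*(.*?)\s*$", text, re.M))

def rsa_public_from_dnskey(rdata):
    """Split RSA DNSKEY RDATA (RFC 3110 layout) into (exponent, modulus)."""
    n, off = rdata[0], 1
    if n == 0:                                         # long form: 2-byte exponent length
        n, off = int.from_bytes(rdata[1:3], "big"), 3
    return rdata[off:off + n], rdata[off + n:]

def classify(key_text, private_text):
    alg, rdata = parse_key_file(key_text)
    priv = parse_private_file(private_text)
    if int(priv["Algorithm"].split()[0]) != alg:
        return "algorithm mismatch between files"
    if alg in HMAC_ALGS:                               # both files carry the same secret
        return "symmetric" if base64.b64decode(priv["Key"]) == rdata else "symmetric, secrets differ"
    if alg in RSA_ALGS:                                # .key holds the public part of .private
        e, m = rsa_public_from_dnskey(rdata)
        ok = (base64.b64decode(priv["PublicExponent"]), base64.b64decode(priv["Modulus"])) == (e, m)
        return "public/private pair" if ok else "public/private pair, public key mismatch"
    return "unsupported algorithm"

# Constructed samples: a 512-bit HMAC-MD5 host key and a toy RSASHA512 zone key (8-byte "modulus", layout only).
SECRET = b64(bytes(range(64)))
HOST_KEY = f"ns1.example.com. IN KEY 512 3 157 {SECRET}\n"
HOST_PRIVATE = f"Private-key-format: v1.3\nAlgorithm: 157 (HMAC_MD5)\nKey: {SECRET}\nBits: AAA=\n"
TOY_E, TOY_N = b"\x01\x00\x01", bytes.fromhex("c3a1f0d9e8b7a695")
ZONE_KEY = f"; keyid 18335 (constructed)\nexample.com. IN DNSKEY 256 3 10 {b64(bytes([len(TOY_E)]) + TOY_E + TOY_N)}\n"
ZONE_PRIVATE = (f"Private-key-format: v1.3\nAlgorithm: 10 (RSASHA512)\n"
                f"Modulus: {b64(TOY_N)}\nPublicExponent: {b64(TOY_E)}\n")
```

Running classify(HOST_KEY, HOST_PRIVATE) reports "symmetric", while classify(ZONE_KEY, ZONE_PRIVATE) reports "public/private pair", which is the distinction the two file listings above illustrate.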

