Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Evan Hunt
each at isc.org
Thu Mar 6 08:11:15 UTC 2014
On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
> I agree that it might be nice to change "dnssec-keygen" to make the tool
> more userfriendly. The current state-of-things is because of historic
> developments in how DNSSEC came to birth.
...and lots of people dealing with dnssec-keygen's user-unfriendliness
by writing shell scripts to run it, which will break if we change its
interface now. A lot of old mistakes have gotten chiseled into stone
by that.
I've long wanted to write a replacement for the zone key functions
of dnssec-keygen (or at least a sensible wrapper), so that DNSSEC
keys could be generated according to a configured policy rather
than command-line alphabet soup.
For generating host keys, I suggest "ddns-confgen" rather than
"dnssec-keygen".
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list