dnssec-keygen is partially deprecated for tsig generation


  • Mon 04 March 2019
  • misc

Yesterday, Gaige brought to my attention that dnssec-keygen(1) seems to be deprecated for TSIG purposes.

The specific quote from the man page is:

TSIG keys can also be generated by setting the value to one of HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. As with DH, specifying these values will automatically set -T KEY. Note, however, that tsig-keygen produces TSIG keys in a more useful format. These algorithms have been deprecated in dnssec-keygen, and will be removed in a future release.

So, dnssec-keygen's support for generating our TSIG shared secrets is going to go away (the secrets already in named.conf keep working; only the generator changes), and I'll have to convert to a utility that creates output in a useful format, which can be cut and pasted directly into a configuration file, with a sane default HMAC (hmac-sha256 rather than the old HMAC-MD5)? Sign me up, but this seems a little... unusual, eh?

Observe:

[root@bifrost /etc/domain/master/rs]# tsig-keygen testhost.example.org-20190304-00
key "testhost.example.org-20190304-00" {
        algorithm hmac-sha256;
        secret "MguqAW/Ea33RhBNF1CKDvRMc07EelaKS3FumqmathE4=";
};
[root@bifrost /etc/domain/master/rs]# 
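Since tsig-keygen is just wrapping "random bytes, base64, key block", here is an added example (mine, not from the post and not BIND's code) that emits the same key block format from a POSIX shell when tsig-keygen is not installed, and that checks an existing block's secret is the right length for its algorithm. The function names, the SHORT_KEY block and the `hmac_bytes` size table are my own; SAMPLE_KEY is the block printed above.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes coreutils-style
# base64 (-d to decode), awk, and /dev/urandom.

# Expected raw secret length in bytes: the HMAC's output size. A shorter
# secret weakens the MAC; a longer one adds no strength beyond this.
hmac_bytes() {
  case "$1" in
    hmac-md5)    echo 16 ;;
    hmac-sha1)   echo 20 ;;
    hmac-sha224) echo 28 ;;
    hmac-sha256) echo 32 ;;
    hmac-sha384) echo 48 ;;
    hmac-sha512) echo 64 ;;
    *) echo "unknown algorithm: $1" >&2; return 1 ;;
  esac
}

# tsig_keygen_compat NAME [ALGO]: print a key {} block in tsig-keygen's
# output format; default algorithm hmac-sha256, like tsig-keygen.
tsig_keygen_compat() {
  name=$1
  algo=${2:-hmac-sha256}
  n=$(hmac_bytes "$algo") || return 1
  secret=$(head -c "$n" /dev/urandom | base64 | tr -d '\n')
  printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
    "$name" "$algo" "$secret"
}

# key_field BLOCK FIELD: pull the value of `algorithm` or `secret`
# out of a key block, stripping the quotes and trailing semicolon.
key_field() {
  printf '%s\n' "$1" | awk -v f="$2" '$1 == f { gsub(/[";]/, "", $2); print $2; exit }'
}

# tsig_secret_bytes BLOCK: decoded length of the block's secret.
tsig_secret_bytes() {
  key_field "$1" secret | base64 -d | wc -c | tr -d ' '
}

# tsig_check BLOCK: succeed only if the secret length matches the algorithm.
tsig_check() {
  algo=$(key_field "$1" algorithm)
  want=$(hmac_bytes "$algo") || return 1
  got=$(tsig_secret_bytes "$1")
  [ "$got" -eq "$want" ]
}

# The key block from the post (tsig-keygen output, hmac-sha256).
SAMPLE_KEY='key "testhost.example.org-20190304-00" {
        algorithm hmac-sha256;
        secret "MguqAW/Ea33RhBNF1CKDvRMc07EelaKS3FumqmathE4=";
};'

# Constructed bad block: a 16-byte secret labelled hmac-sha256.
SHORT_KEY=$(printf 'key "short" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
  "$(printf 'sixteen-byte-key' | base64)")

# Usage when run directly: check the post's key, reject the short one,
# then generate a fresh hmac-sha512 block ready to paste into named.conf.
tsig_check "$SAMPLE_KEY" && echo "sample key: secret length ok"
tsig_check "$SHORT_KEY"  || echo "short key: secret too short for its HMAC"
tsig_keygen_compat "host.example.org-$(date +%Y%m%d)-00" hmac-sha512
```

The length check is the caveat worth keeping: named will happily load a key whose secret is far shorter than the HMAC's output size, so a block that looks right is not necessarily one you want on the wire.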

Well, then...