dnssec-keygen had -d which set the truncated bits in the .private file for HMACs. tsig-keygen could be extended to look for -bits with -a but yes I meant just edit the resulting algorithm name in the file.
Mark

> On 6 Sep 2018, at 4:49 pm, Browne, Stuart <Stuart.Browne@team.neustar> wrote:
>
>>
>> -----Original Message-----
>> From: Evan Hunt [mailto:e...@isc.org]
>> Sent: Thursday, 6 September 2018 4:35 PM
>> To: Browne, Stuart
>> Cc: Mark Andrews; bind-users@lists.isc.org
>> Subject: Re: 'tsig-keygen' vs 'dnssec-keygen' - keysize
>>
> <snip>
>
>>> Is there no cryptographic difference between the short/long output?
>>
>> As I understand it (though I haven't studied this in a while and may be
>> fuzzy), the HMAC algorithm shortens keys that are longer than the block
>> size before it uses them, so it's true, long keys aren't necessary or
>> particularly helpful.
>>
>>> Incidentally using bind-9.11 I was unable to use the truncation method
>>> you mentioned below (not that I really want to). Is it a 9.12 onwards
>>> thing?
>>
>> No, but Mark's comment may have been confusing. You can set up keys
>> that way in named.conf ("algorithm hmac-md5-96;" or whatever). At first
>> I thought he was talking about tsig-keygen; perhaps you read it the same
>> way I did?
>>
>> --
>> Evan Hunt -- e...@isc.org
>> Internet Systems Consortium, Inc.
>
> Yes, I did read it the same way as you Evan.
>
> Thanks for the clarification on the HMAC usage.
>
> Stuart

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
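The two points made in the thread, that HMAC collapses a key longer than the hash's block size to its hash before use, and that the trailing number in a name like hmac-md5-96 is just the number of MAC bits kept, shown as an added Python example (not code from this thread or from BIND; the key, message and the SHA-256-with-128-bit-truncation case are constructed for illustration):

```python
import hashlib
import hmac
from typing import Optional

# Internal block size (bytes) of the hashes used by TSIG HMAC algorithms.
# RFC 2104: a key longer than this is replaced by its hash before use,
# so key material beyond the block size adds no strength.
BLOCK_SIZE = {"md5": 64, "sha1": 64, "sha256": 64, "sha512": 128}

# Constructed sample message standing in for a TSIG-signed DNS message.
SAMPLE_MSG = b"example.com. IN SOA (constructed sample wire data)"


def tsig_mac(key: bytes, msg: bytes, hash_name: str,
             trunc_bits: Optional[int] = None) -> bytes:
    """HMAC over msg, optionally keeping only the leftmost trunc_bits.

    The trailing number in a named.conf name such as "hmac-md5-96" is
    this truncation length; with no suffix the full digest is used.
    """
    mac = hmac.new(key, msg, hash_name).digest()
    if trunc_bits is not None:
        mac = mac[: trunc_bits // 8]
    return mac


def long_key_is_prehashed(hash_name: str, key_len: int) -> bool:
    """True when a key_len-byte key and its plain hash yield the same
    MAC, i.e. HMAC replaced the long key by hash(key) internally."""
    key = bytes(i % 251 for i in range(key_len))      # constructed key
    hashed = hashlib.new(hash_name, key).digest()
    return hmac.compare_digest(tsig_mac(key, SAMPLE_MSG, hash_name),
                               tsig_mac(hashed, SAMPLE_MSG, hash_name))


def verify_truncated(key: bytes, msg: bytes, hash_name: str,
                     received_mac: bytes, trunc_bits: int) -> bool:
    """Verifier side: recompute the truncated MAC and compare in
    constant time, rejecting a MAC of the wrong length outright."""
    if len(received_mac) != trunc_bits // 8:
        return False
    expected = tsig_mac(key, msg, hash_name, trunc_bits)
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    for n in (32, 64, 65, 100):   # only keys above the 64-byte block are pre-hashed
        print(f"sha256 key of {n} bytes pre-hashed: {long_key_is_prehashed('sha256', n)}")
    k = b"constructed-tsig-secret"
    mac128 = tsig_mac(k, SAMPLE_MSG, "sha256", 128)
    print("128-bit MAC verifies:", verify_truncated(k, SAMPLE_MSG, "sha256", mac128, 128))
```

A 65-byte key and a 64-byte key therefore sit on opposite sides of the block-size boundary: the former is reduced to a 32-byte hash before HMAC runs, the latter is used as given.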