> On 5 Sep 2018, at 2:50 pm, Browne, Stuart via bind-users <bind-users@lists.isc.org> wrote:
>
> Was adding in some new internal functionality and noted that the 'tsig-keygen' tool doesn't give the ability to alter the key size like dnssec-keygen does for generating HMAC-based TSIG keys.
>
> I also noticed that in 9.13, dnssec-keygen will no longer be able to generate HMAC TSIGs, so I'm wondering if the ability to manipulate the TSIG key size will be implemented in tsig-keygen to maintain compatibility, or if there is some work-around I've not found to be able to set this.
There is zero point in fiddling with the key sizes of HMACs. It has no impact on the size of the HMAC in the TSIG records. It has negligible impact on the size of named.conf, nor on the size of a database if we ever get around to storing TSIG keys in a database, even with hundreds of millions of keys.

tsig-keygen generates maximal-sized shared keys for the given algorithm, which provides the largest possible search space for a brute-force attack.

The HMAC algorithm used impacts the size of the HMAC in the TSIG record. To generate a truncated HMAC, append "-<bits>" (e.g. -128) to the algorithm name.

Mark

> Stuart Browne
> Neustar, Inc. / Sr Systems Admin
> Level 8, 10 Queens Road, Melbourne, Australia VIC 3004
> Office: +61.3.9866.3710
> stuart.browne@team.neustar / home.neustar

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
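The two points in Mark's reply (the key size does not change the MAC size; the "-<bits>" suffix on the algorithm name does) can be checked directly. The following is an added Python example written for this page; it is not BIND's code and does not call the real tsig-keygen. It assumes the suffix is applied in the named.conf key statement (e.g. "algorithm hmac-sha256-128;") and that the legal truncation range is the RFC 4635 section 3.1 rule (at least 80 bits and at least half the full digest), which is an assumption about what named enforces. The key-generation function only mimics tsig-keygen's default of a secret as long as the digest; the key_bytes override exists purely to show that a shorter or longer key leaves the MAC length unchanged.

```python
"""Added example: TSIG MAC length is fixed by the algorithm name, not by the key size."""
import base64
import hashlib
import hmac
import os
import re

# Hash constructors for the HMAC algorithms BIND accepts for TSIG.
# hmac-md5 is listed for completeness only; do not use it for new keys.
_DIGEST = {
    "hmac-md5": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def parse_algorithm(name):
    """Split e.g. 'hmac-sha256-128' into (hash constructor, MAC length in bytes).

    Truncation rule assumed from RFC 4635 section 3.1: a MAC must be a whole
    number of octets, at least 80 bits, at least half the full digest, and
    no longer than the full digest.
    """
    m = re.fullmatch(r"(hmac-[a-z0-9]+)(?:-(\d+))?", name.lower())
    if not m or m.group(1) not in _DIGEST:
        raise ValueError(f"unknown TSIG algorithm: {name}")
    ctor = _DIGEST[m.group(1)]
    full_bytes = ctor().digest_size
    if m.group(2) is None:
        return ctor, full_bytes
    bits = int(m.group(2))
    if bits % 8 or bits < 80 or bits < full_bytes * 4 or bits > full_bytes * 8:
        raise ValueError(f"illegal truncation for {name}: {bits} bits")
    return ctor, bits // 8


def is_legal_algorithm(name):
    """True if the algorithm name (with optional -<bits> suffix) is accepted."""
    try:
        parse_algorithm(name)
        return True
    except ValueError:
        return False


def tsig_keygen(algorithm="hmac-sha256", key_bytes=None):
    """Mimic tsig-keygen: a random secret as long as the digest, base64 encoded.

    key_bytes is an override used only to demonstrate that the key size has
    no effect on the MAC; the real tool has no such option.
    """
    ctor, _ = parse_algorithm(algorithm)
    n = ctor().digest_size if key_bytes is None else key_bytes
    return base64.b64encode(os.urandom(n)).decode()


def key_statement(name, algorithm, secret):
    """Render a named.conf key statement in the layout tsig-keygen prints."""
    return (f'key "{name}" {{\n'
            f"\talgorithm {algorithm};\n"
            f'\tsecret "{secret}";\n'
            "};\n")


def tsig_mac(algorithm, secret_b64, data):
    """HMAC over data, truncated to the length the algorithm suffix selects."""
    ctor, mac_len = parse_algorithm(algorithm)
    key = base64.b64decode(secret_b64)
    return hmac.new(key, data, ctor).digest()[:mac_len]


def tsig_verify(algorithm, secret_b64, data, received_mac):
    """Verifier side: reject a MAC of the wrong length before comparing.

    Accepting a shorter MAC than the configured truncation would let a
    peer downgrade the verifier's security level, so length is checked first.
    """
    _, mac_len = parse_algorithm(algorithm)
    if len(received_mac) != mac_len:
        return False
    return hmac.compare_digest(tsig_mac(algorithm, secret_b64, data), received_mac)


def mac_lengths_for_key_sizes(algorithm, sizes, data=b"constructed TSIG data"):
    """Constructed demo: MAC length in bytes for several key sizes, one algorithm."""
    return {n: len(tsig_mac(algorithm, tsig_keygen(algorithm, n), data)) for n in sizes}


if __name__ == "__main__":
    secret = tsig_keygen("hmac-sha256")
    print(key_statement("internal-update", "hmac-sha256-128", secret), end="")
    print("hmac-sha256     :", mac_lengths_for_key_sizes("hmac-sha256", (16, 32, 64)))
    print("hmac-sha256-128 :", mac_lengths_for_key_sizes("hmac-sha256-128", (16, 32, 64)))
```

Running it shows a 16-, 32- and 64-byte secret all producing a 32-byte MAC under hmac-sha256 and a 16-byte MAC under hmac-sha256-128; only the algorithm name moved the number. The truncated MAC is the prefix of the full one, which is why the suffix costs nothing to compute but must be checked for length on the receiving side.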