Closed noseshimself closed 8 months ago
Thanks for the post. It seems you are asking for HMAC-SHA512. There is no such thing as HMAC-MD5 512 as per standards.
see dnssec-keygen
[ap@ns ~]$ more Kdummy.+157+21618.*
::::::::::::::
Kdummy.+157+21618.key
::::::::::::::
dummy. IN KEY 512 3 157 nKJcUDaSbCNoaBQVGqTntVUPIw36ybuh8Z7weiLlcxEis+4XjnurHWQi 9gwyhNPvW50tGpfkVznLtiQ0JcNVMQ==
::::::::::::::
Kdummy.+157+21618.private
::::::::::::::
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: nKJcUDaSbCNoaBQVGqTntVUPIw36ybuh8Z7weiLlcxEis+4XjnurHWQi9gwyhNPvW50tGpfkVznLtiQ0JcNVMQ==
Bits: AAA=
Created: 20230916125407
Publish: 20230916125407
Activate: 20230916125407
It seems there are at least some servers requiring minimum key lengths (due to some governance requirements) and this was satisfying it.
Thanks for the details. The DNSSEC or KEY record or any other key generator is totally unrelated to TSIG.
The algorithm used in TSIG is not the key generation algorithm but how the key should be verified using HMAC (authentication). TSIG uses random key as shared secret. The shared secret for TSIG can be of any length and is totally independent of the TSIG algorithm that you select.
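An added example (not code from the thread or from BIND) that illustrates the point above: the TSIG algorithm only chooses the HMAC hash, and the shared secret can be any length. It decodes the base64 secret from the dnssec-keygen output quoted earlier to show it is 512 bits, then computes HMACs under several TSIG algorithms with both that secret and a freshly generated 128-bit one. The algorithm names are spelled as in named.conf, the message being authenticated is a constructed byte string standing in for the DNS message plus TSIG variables, and the `named_key_block` helper is an assumed shape for the resulting `key` clause.

```python
import base64
import hashlib
import hmac
import secrets

# The base64 secret copied from the dnssec-keygen output quoted earlier in the thread.
THREAD_KEY_B64 = (
    "nKJcUDaSbCNoaBQVGqTntVUPIw36ybuh8Z7weiLlcxEis+4XjnurHWQi"
    "9gwyhNPvW50tGpfkVznLtiQ0JcNVMQ=="
)

# TSIG algorithm names as spelled in named.conf, mapped to the hash HMAC will use.
# (On the wire the MD5 variant is named HMAC-MD5.SIG-ALG.REG.INT.)
TSIG_ALGORITHMS = {
    "hmac-md5": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


def secret_bits(key_b64: str) -> int:
    """Length of the decoded shared secret in bits."""
    return len(base64.b64decode(key_b64)) * 8


def generate_tsig_secret(n_bytes: int) -> str:
    """Random shared secret of n_bytes, base64-encoded, like tsig-keygen emits."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def tsig_mac(algorithm: str, key_b64: str, data: bytes) -> bytes:
    """HMAC of `data` under the named TSIG algorithm.

    A real TSIG MAC covers the DNS message plus the TSIG variables (RFC 8945);
    here `data` stands in for that byte string.  The secret length is never
    checked: HMAC pads or hashes the key to the block size as needed, so a
    128-bit secret and a 512-bit secret are both valid with hmac-sha512.
    """
    digestmod = TSIG_ALGORITHMS[algorithm]
    return hmac.new(base64.b64decode(key_b64), data, digestmod).digest()


def verify_tsig_mac(algorithm: str, key_b64: str, data: bytes, mac: bytes) -> bool:
    """Constant-time comparison, as a verifying server should do."""
    return hmac.compare_digest(tsig_mac(algorithm, key_b64, data), mac)


def named_key_block(name: str, algorithm: str, key_b64: str) -> str:
    """Render a named.conf `key` clause for the secret (assumed layout)."""
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{key_b64}";\n}};\n'


if __name__ == "__main__":
    # Constructed sample input, not a real DNS message.
    msg = b"example update message (constructed)"
    print("thread key:", secret_bits(THREAD_KEY_B64), "bits")
    for alg in TSIG_ALGORITHMS:
        print(f"{alg:12} mac={len(tsig_mac(alg, THREAD_KEY_B64, msg)) * 8} bits")
    short = generate_tsig_secret(16)  # 128-bit secret, equally usable with hmac-sha512
    print(named_key_block("dummy", "hmac-sha512", short))
```

Running it shows the quoted key is 512 bits and that the MAC width depends only on the algorithm (128 bits for hmac-md5, 512 for hmac-sha512), never on the secret length; a server that rejects a shorter secret is applying a local policy, not a protocol requirement.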
I really found a name server that fails on MD5 keys with fewer bits (and returned an error message indicating the key was wrong(!)). I facepalmed hard and used the standard bind tools to generate my key when I missed the option in the menu. It seems to be the recommended key size in the BIND documentation.