Currently I'm using 128, is this secure enough?
dnssec-keygen -a hmac-md5 -b 128 -n host foobar.com
Also I'm not sure if "host" is the correct value for -n
arg. I believe that the last argument "foobar.com" is just for the file name - right?
HMAC-XXX is capped at the number of bits. If you are using HMAC-MD5 and choose to use more than 128 bits of real random data (as generated with your example command line), it is wasted. The first thing HMAC will do is, if the key is longer than the hash function's length (MD5 in your case), run it through the hash first, which will return 128 bits.
If your password was ASCII text, like a typed password, then longer is perhaps useful, but for your uses, 128 is the maximum you'd need.
BIND also supports other HMAC functions: HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512. For SHA1, 160 bits is the maximum useful length; for SHA256 and SHA512 it is 256 and 512 bits respectively.
Note that for all practical purposes, with HMAC, MD5 is probably sufficient.
I also believe your command line is correct.
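As an added illustration (not code from this thread), here is HMAC-MD5 written out step by step per RFC 2104, so you can see the key pre-processing the answer refers to and compare a 128-bit key with longer ones. One caveat visible in the code: RFC 2104 only hashes a key down when it is longer than the hash's block size (64 bytes for MD5), so the "extra bits are discarded" effect kicks in above 512 bits, not above 128; the message bytes and keys below are constructed samples.

```python
import base64
import hashlib
import hmac
import os

BLOCK_SIZE = 64  # MD5, SHA-1 and SHA-256 use a 64-byte block; SHA-512 uses 128


def hmac_md5_rfc2104(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 spelled out per RFC 2104 to expose how the key is treated."""
    if len(key) > BLOCK_SIZE:
        # Only a key longer than the block is hashed first (to 16 bytes).
        key = hashlib.md5(key).digest()
    # Any shorter key is zero-padded up to the block size and used as-is.
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written version against Python's hmac module."""
    return hmac_md5_rfc2104(key, msg) == hmac.new(key, msg, hashlib.md5).digest()


def long_key_equivalent(key: bytes, msg: bytes) -> bool:
    """True when `key` and md5(key) produce the same MAC, i.e. the bytes
    beyond the hash output added nothing. Only holds for keys > BLOCK_SIZE."""
    reduced = hashlib.md5(key).digest()
    return hmac_md5_rfc2104(key, msg) == hmac_md5_rfc2104(reduced, msg)


def tsig_key_b64(bits: int = 128) -> str:
    """Random secret of the requested size, base64 as a TSIG key file stores it
    (this mimics the output of `dnssec-keygen -b 128`; it is not that tool)."""
    return base64.b64encode(os.urandom(bits // 8)).decode()


if __name__ == "__main__":
    msg = b"constructed sample: dynamic update for foobar.com"  # constructed
    for key in (b"\x01" * 16, b"\x02" * 64, b"\x03" * 65):  # constructed keys
        print(len(key) * 8, "bits:",
              "matches stdlib" if matches_stdlib(key, msg) else "mismatch",
              "| reduces to md5(key):", long_key_equivalent(key, msg))
    print("128-bit TSIG secret:", tsig_key_b64(128))
```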