# dnssec-keygen doesn't support HMAC-SHA256



## darkemon (Oct 22, 2019)

Hello!
I use:
isc-dhcp44-server-4.4.1_4
bind911-9.11.11
bind-tools-9.14.6

At the moment I can't configure auto updating of zones from dhcpd because I can't generate a secret key with an appropriate algorithm via dnssec-keygen.
The DHCP server currently supports the following algorithms:
HMAC-MD5
HMAC-SHA1
HMAC-SHA224
HMAC-SHA256
HMAC-SHA384
HMAC-SHA512

But dnssec-keygen doesn't support them.
What can I do to solve this problem?


----------



## SirDice (Oct 22, 2019)

Use rndc-confgen(8) to generate the RNDC key. Write it to a file and you can include it in named.conf and dhcpd.conf (assuming they both run on the same machine). 


```
dice@maelcum:~ % cat /usr/local/etc/namedb/ddns-key
key "ddns-key" {
        algorithm hmac-sha256;
        secret "<mysupersecretkey>";
};
```
In named.conf:

```
include "/usr/local/etc/namedb/ddns-key";
...
        zone "example.com" {
                type master;
                notify no;
                check-names ignore;
                file "/usr/local/etc/namedb/dynamic/example.com";
                allow-update { ::1; 127.0.0.1; key ddns-key; };
        };
```
And dhcpd.conf:

```
include "/usr/local/etc/namedb/ddns-key";
...
zone example.com. {
        primary 127.0.0.1;
        key ddns-key;
}
```
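An added example, not part of the original post: a small Python check for a shared key file in the format shown above, run before both daemons include it. The helper names, the 0640 mode and the rule that the secret be at least as long as the HMAC digest (the RFC 2104 recommendation) are assumptions of this example, not something rndc-confgen or dhcpd enforce.

```python
import base64, binascii, os, re, secrets, stat

# Digest sizes in bytes for the HMAC algorithms the thread lists for dhcpd.
DIGEST_LEN = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
              "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}
KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;', re.I)

def make_key_clause(name="ddns-key", algorithm="hmac-sha256"):
    """Build a key clause whose random secret is as long as the digest."""
    secret = base64.b64encode(secrets.token_bytes(DIGEST_LEN[algorithm]))
    return ('key "%s" {\n        algorithm %s;\n        secret "%s";\n};\n'
            % (name, algorithm, secret.decode()))

def write_key_file(path, clause):
    """Create the file without world access from the start (no chmod race).
    Assumption: owner/group are then set so named and dhcpd can both read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(clause)

def check_key_file(path):
    """Return a list of problems found in a shared key file."""
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o007:
        problems.append("file is accessible to other users")
    with open(path) as fh:
        match = KEY_RE.search(fh.read())
    if not match:
        return problems + ["no key clause found"]
    algorithm, secret = match.group(2).lower(), match.group(3)
    if algorithm not in DIGEST_LEN:
        return problems + ["unsupported algorithm: " + algorithm]
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["secret is not valid base64"]
    if len(raw) < DIGEST_LEN[algorithm]:
        problems.append("secret shorter than the %s digest" % algorithm)
    return problems
```

A file that still contains the `<mysupersecretkey>` placeholder is reported as "secret is not valid base64".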


----------



## darkemon (Oct 22, 2019)

SirDice said:


> Use rndc-confgen(8) to generate the RNDC key. Write it to a file and you can include it in named.conf and dhcpd.conf (assuming they both run on the same machine).
> 
> 
> ```
> ...
> ```


It helped, thank you!


----------

