dnssec keygen algorithm/bitsize options

Version 1.61.1


1) Algorithm

As of 1.51.0, the dnssec.sh script will attempt to use RSASHA256, if it's available.
Older boxes would use RSASHA1 (which RFC 8624 lists as "not recommended" for signing, so boxes still producing RSASHA1 keys are the ones that benefit most from this option).

This feature adds a directadmin.conf option:

dnssec_keygen_algorithm=

which by default is blank (NULL), meaning the script keeps its own default.
Should you wish to use a different algorithm, you can now set it via, for example:

/usr/local/directadmin/directadmin set dnssec_keygen_algorithm ECDSAP256SHA256
service directadmin restart

The option only affects keys generated after the change; zones already signed with the old algorithm keep their existing keys until they are re-keyed.

2) Key bitsize

If you're using an algorithm that accepts bits, there is a new default internal directadmin.conf option:

dnssec_keygen_keysize=2048

which can be changed to any bit-size accepted by the algorithm used.
Note that the EC curves (ECDSAP256SHA256, ECDSAP384SHA384, ED25519, ED448) ignore the bitsize.

Say you were using RSASHA256 and wanted 4096, type:

/usr/local/directadmin/directadmin set dnssec_keygen_keysize 4096
service directadmin restart

If you wish to not have the env var passed at all to the dnssec.sh script, set the variable to 0.
The valid range for directadmin.conf is 0-4096, however you should refer to:

dnssec-keygen -h

for all supported key sizes for the given algorithm of choice, since the accepted range differs per algorithm.

===============
SCRIPT

The dnssec.sh script will still load up its default RSASHA256, but if the env var $dnssec_keygen_algorithm is passed and set, then the script will first confirm that it's listed in the dnssec-keygen -h output, and only once confirmed, will use it for generation.
If it's not there, a message is generated, the default RSASHA256 is used instead, and no error is returned.

Similar behavior for the bit-size.
The script defaults to 2048, and only if $dnssec_keygen_keysize is set will that value be used.

----
T26752
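The fallback logic described above, as an added POSIX sh example. This is not DirectAdmin's dnssec.sh: the function names (choose_algorithm, choose_keysize, build_keygen_cmd) are mine, and DNSSEC_KEYGEN_HELP is a constructed excerpt in the shape of `dnssec-keygen -h` output so the script runs without BIND installed. The real script reads the two values from the environment; here they are passed as arguments so the behaviour can be exercised directly. It goes one step beyond the text by also checking the requested bit-size against the per-algorithm range printed by the help output, falling back to 2048 in the same silent way.

```shell
#!/bin/sh
# Added example, not DirectAdmin's dnssec.sh. Mirrors the described behaviour:
# validate the requested algorithm/keysize against `dnssec-keygen -h`, fall back
# to the defaults with a message on stderr and never return an error.

# Constructed stand-in for `dnssec-keygen -h` output (real output is longer).
DNSSEC_KEYGEN_HELP='Usage:
    dnssec-keygen [options] name
    -a <algorithm>:
        RSASHA1 | NSEC3RSASHA1 |
        RSASHA256 | RSASHA512 |
        ECDSAP256SHA256 | ECDSAP384SHA384 |
        ED25519 | ED448 | DH
    -b <key size in bits>:
        RSASHA1:        [1024..4096]
        NSEC3RSASHA1:   [1024..4096]
        RSASHA256:      [1024..4096]
        RSASHA512:      [1024..4096]
        DH:             [128..4096]
        ECDSAP256SHA256:        ignored
        ECDSAP384SHA384:        ignored
        ED25519:        ignored
        ED448:  ignored'

# choose_algorithm REQUESTED HELP_TEXT -> prints the algorithm to generate with.
# Empty request keeps the default; an unknown name falls back with a message.
choose_algorithm() {
    requested="$1"; help="$2"; default="RSASHA256"
    if [ -z "$requested" ]; then
        echo "$default"; return 0
    fi
    # Whole-token match so e.g. "SHA256" does not match inside "RSASHA256".
    if printf '%s\n' "$help" | grep -Eq "(^|[^A-Za-z0-9])$requested([^A-Za-z0-9]|$)"; then
        echo "$requested"
    else
        echo "dnssec_keygen_algorithm=$requested not listed by dnssec-keygen -h, using $default" >&2
        echo "$default"
    fi
}

# choose_keysize ALGORITHM REQUESTED_BITS HELP_TEXT -> prints the -b value, or
# nothing when the algorithm ignores it (the EC curves).
choose_keysize() {
    alg="$1"; requested="$2"; help="$3"; default=2048
    if printf '%s\n' "$help" | grep -Eq "^[[:space:]]*$alg:[[:space:]]*ignored"; then
        echo ""; return 0
    fi
    bits="$default"
    # 0, empty or non-numeric means "do not pass the env var": keep the default.
    case "$requested" in
        ''|0|*[!0-9]*) ;;
        *) bits="$requested" ;;
    esac
    # Extract "[min..max]" for this algorithm and fall back if out of range.
    range=$(printf '%s\n' "$help" | sed -n "s/^[[:space:]]*$alg:[[:space:]]*\[\([0-9]*\)\.\.\([0-9]*\)\].*/\1 \2/p")
    if [ -n "$range" ]; then
        set -- $range
        if [ "$bits" -lt "$1" ] || [ "$bits" -gt "$2" ]; then
            echo "dnssec_keygen_keysize=$bits outside [$1..$2] for $alg, using $default" >&2
            bits="$default"
        fi
    fi
    echo "$bits"
}

# build_keygen_cmd ZONE REQUESTED_ALG REQUESTED_BITS -> prints the command line
# the script would run (not executed here).
build_keygen_cmd() {
    zone="$1"
    alg=$(choose_algorithm "$2" "$DNSSEC_KEYGEN_HELP")
    bits=$(choose_keysize "$alg" "$3" "$DNSSEC_KEYGEN_HELP")
    cmd="dnssec-keygen -a $alg"
    [ -n "$bits" ] && cmd="$cmd -b $bits"
    echo "$cmd -n ZONE $zone"
}

# Demo using the page's own settings, taken from the environment as dnssec.sh would.
build_keygen_cmd example.com "${dnssec_keygen_algorithm:-}" "${dnssec_keygen_keysize:-}"
```

Run it with `dnssec_keygen_algorithm=ECDSAP256SHA256 dnssec_keygen_keysize=4096 sh example.sh` and note that the 4096 is dropped for the curve, while an unlisted algorithm or an out-of-range RSA size is reported on stderr and the default is used, exactly the "no error is returned" behaviour described. That silence is worth remembering when checking a box: the only evidence that a configured algorithm was rejected is the message, so confirm the algorithm in the generated key file rather than assuming the setting took effect.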
