Generating DDNS TSIG Keys for BIND

Thu 15 December 2016 by feld

The tutorials on how to generate TSIG keys for BIND DDNS updates suck. It would also be tedious if tasked to generate several. I'm not sure why ISC has not produced a standalone script or utility to make this easier as nobody should have to piece it together by hand.

I was attempting to explain to a coworker how to generate his key and when I couldn't find an easier way I decided to just write something myself. So here you go, a terrible perl script to produce HMAC-SHA256 TSIG keys. Go hog wild.

#!/usr/local/bin/perl -w
# This script is overkill, but at least it's easier than
# explaining to people how to use ddns-keygen

use warnings;
use strict;
use Digest::SHA qw(hmac_sha256_base64);
use Bytes::Random::Secure qw(random_bytes);

# As these are one-offs and we don't need a reusable secret key, we make
# both the key and the data random. 512 bytes of entropy ought to be
# enough for everybody...
my $data = random_bytes(512);
my $key  = random_bytes(512);

my $digest = hmac_sha256_base64( $data, $key );

# Fix padding of Base64 digests
while ( length($digest) % 4 ) {
    $digest .= '=';

print qq[
key "changeme" {
        algorithm hmac-sha256;
        secret "$digest";

With slightly more effort you could make the TSIG key format configurable as well as allow you to provide a key name as flags.