public-dns/scripts/generate_host_keys.sh

#!/bin/sh

# According to https://en.wikipedia.org/wiki/TSIG HMAC-MD5 is not very secure.
dnssec-keygen -a HMAC-SHA512 -b 512 -K ./keys/ -n HOST $1.
KEY=$(awk '$1 == "Key:" {print $2}' K$1*.private)

cat > keys/keys.conf <<EOF
key $1. {
	algorithm HMAC-SHA512;
	secret "$KEY";
};
EOF