diff --git a/CHANGES b/CHANGES
index 09fce689e3..e1af721bd5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+3525.	[func]		Support for additional signing algorithms in rndc:
+			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
+			The -A option to rndc-confgen can be used to
+			select the algorithm for the generated key.
+			(The default is still hmac-md5; this may
+			change in a future release.) [RT #20363]
+
 3524.	[func]		Added an alternate statistics channel in JSON format,
 			when the server is built with the json-c library:
 			http://[address]:[port]/json.  [RT #32630]
diff --git a/FAQ b/FAQ
index 9e3469ce4a..ad31e544bd 100644
--- a/FAQ
+++ b/FAQ
@@ -869,7 +869,7 @@ A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
    Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
 
    key "rndc-key" {
-           algorithm hmac-md5;
+           algorithm hmac-sha256;
            secret "uvceheVuqf17ZwIcTydddw==";
    };
 
diff --git a/FAQ.xml b/FAQ.xml
index 7b21689ce9..e31fbaa1b1 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -30,6 +30,7 @@
       <year>2008</year>
       <year>2009</year>
       <year>2010</year>
+      <year>2013</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -1564,7 +1565,7 @@ rand_irqs="3 14 15"</programlisting>
 	<informalexample>
 	  <programlisting>
 key "rndc-key" {
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 	secret "uvceheVuqf17ZwIcTydddw==";
 };</programlisting>
 	</informalexample>
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
index e2ac07923a..3fd54fe2bb 100644
--- a/bin/confgen/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -57,7 +57,6 @@
 #include "util.h"
 #include "keygen.h"
 
-#define DEFAULT_KEYLENGTH	128		/*% Bits. */
 #define DEFAULT_KEYNAME		"rndc-key"
 #define DEFAULT_SERVER		"127.0.0.1"
 #define DEFAULT_PORT		953
@@ -80,7 +79,8 @@ Usage:\n\
  %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
 [-s addr] [-t chrootdir] [-u user]\n\
   -a:		 generate just the key clause and write it to keyfile (%s)\n\
-  -b bits:	 from 1 through 512, default %d; total length of the secret\n\
+  -A alg:	 algorithm (default hmac-md5)\n\
+  -b bits:	 from 1 through 512, default 256; total length of the secret\n\
   -c keyfile:	 specify an alternate key file (requires -a)\n\
   -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
   -p port:	 the port named will listen on and rndc will connect to\n\
@@ -88,7 +88,7 @@ Usage:\n\
   -s addr:	 the address to which rndc should connect\n\
   -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
   -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
-		 progname, keydef, DEFAULT_KEYLENGTH);
+		 progname, keydef);
 
 	exit (status);
 }
@@ -103,12 +103,12 @@ main(int argc, char **argv) {
 	const char *keyname = NULL;
 	const char *randomfile = NULL;
 	const char *serveraddr = NULL;
-	dns_secalg_t alg = DST_ALG_HMACMD5;
-	const char *algname = alg_totext(alg);
+	dns_secalg_t alg;
+	const char *algname;
 	char *p;
 	int ch;
 	int port;
-	int keysize;
+	int keysize = -1;
 	struct in_addr addr4_dummy;
 	struct in6_addr addr6_dummy;
 	char *chrootdir = NULL;
@@ -124,18 +124,25 @@ main(int argc, char **argv) {
 	progname = program;
 
 	keyname = DEFAULT_KEYNAME;
-	keysize = DEFAULT_KEYLENGTH;
+	alg = DST_ALG_HMACMD5;
 	serveraddr = DEFAULT_SERVER;
 	port = DEFAULT_PORT;
 
 	isc_commandline_errprint = ISC_FALSE;
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
+					   "aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
+	{
 		switch (ch) {
 		case 'a':
 			keyonly = ISC_TRUE;
 			break;
+		case 'A':
+			algname = isc_commandline_argument;
+			alg = alg_fromtext(algname);
+			if (alg == DST_ALG_UNKNOWN)
+				fatal("Unsupported algorithm '%s'", algname);
+			break;
 		case 'b':
 			keysize = strtol(isc_commandline_argument, &p, 10);
 			if (*p != '\0' || keysize < 0)
@@ -203,6 +210,10 @@ main(int argc, char **argv) {
 	if (argc > 0)
 		usage(1);
 
+	if (keysize < 0)
+		keysize = alg_bits(alg);
+	algname = alg_totext(alg);
+
 	DO("create memory context", isc_mem_create(0, 0, &mctx));
 	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
 
diff --git a/bin/confgen/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
index af2cc4321d..f367b94aae 100644
--- a/bin/confgen/rndc-confgen.docbook
+++ b/bin/confgen/rndc-confgen.docbook
@@ -1,6 +1,6 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+               [<!ENTITY mdash "&#8212;">]>
 <!--
  - Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001, 2003  Internet Software Consortium.
@@ -41,6 +41,7 @@
       <year>2005</year>
       <year>2007</year>
       <year>2009</year>
+      <year>2013</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -54,6 +55,7 @@
     <cmdsynopsis>
       <command>rndc-confgen</command>
       <arg><option>-a</option></arg>
+      <arg><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
       <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
       <arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
       <arg><option>-h</option></arg>
@@ -128,12 +130,24 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-A <replaceable class="parameter">algorithm</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-md5.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-b <replaceable class="parameter">keysize</replaceable></term>
         <listitem>
           <para>
             Specifies the size of the authentication key in bits.
-            Must be between 1 and 512 bits; the default is 128.
+            Must be between 1 and 512 bits; the default is the
+            hash size.
           </para>
         </listitem>
       </varlistentry>
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 7297321b51..45cbec1ef5 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -71,6 +71,7 @@ typedef ISC_LIST(controllistener_t) controllistenerlist_t;
 
 struct controlkey {
 	char *				keyname;
+	isc_uint32_t			algorithm;
 	isc_region_t			secret;
 	ISC_LINK(controlkey_t)		link;
 };
@@ -325,6 +326,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 	isccc_sexpr_t *request = NULL;
 	isccc_sexpr_t *response = NULL;
 	isccc_region_t ccregion;
+	isc_uint32_t algorithm;
 	isccc_region_t secret;
 	isc_stdtime_t now;
 	isc_buffer_t b;
@@ -343,6 +345,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 
 	conn = event->ev_arg;
 	listener = conn->listener;
+	algorithm = DST_ALG_UNKNOWN;
 	secret.rstart = NULL;
 
 	/* Is the server shutting down? */
@@ -369,7 +372,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 			goto cleanup;
 		memcpy(secret.rstart, key->secret.base, key->secret.length);
 		secret.rend = secret.rstart + key->secret.length;
-		result = isccc_cc_fromwire(&ccregion, &request, &secret);
+		algorithm = key->algorithm;
+		result = isccc_cc_fromwire(&ccregion, &request,
+					   algorithm, &secret);
 		if (result == ISC_R_SUCCESS)
 			break;
 		isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
@@ -483,7 +488,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 
 	ccregion.rstart = conn->buffer + 4;
 	ccregion.rend = conn->buffer + sizeof(conn->buffer);
-	result = isccc_cc_towire(response, &ccregion, &secret);
+	result = isccc_cc_towire(response, &ccregion, algorithm, &secret);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_response;
 	isc_buffer_init(&b, conn->buffer, 4);
@@ -696,6 +701,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 		if (key == NULL)
 			goto cleanup;
 		key->keyname = newstr;
+		key->algorithm = DST_ALG_UNKNOWN;
 		key->secret.base = NULL;
 		key->secret.length = 0;
 		ISC_LINK_INIT(key, link);
@@ -740,6 +746,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 			const cfg_obj_t *secretobj = NULL;
 			const char *algstr = NULL;
 			const char *secretstr = NULL;
+			unsigned int algtype;
 
 			(void)cfg_map_get(keydef, "algorithm", &algobj);
 			(void)cfg_map_get(keydef, "secret", &secretobj);
@@ -748,8 +755,8 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 			algstr = cfg_obj_asstring(algobj);
 			secretstr = cfg_obj_asstring(secretobj);
 
-			if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
-			    ISC_R_SUCCESS)
+			if (ns_config_getkeyalgorithm2(algstr, NULL,
+					&algtype, NULL) != ISC_R_SUCCESS)
 			{
 				cfg_obj_log(control, ns_g_lctx,
 					    ISC_LOG_WARNING,
@@ -762,6 +769,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 				continue;
 			}
 
+			keyid->algorithm = algtype;
 			isc_buffer_init(&b, secret, sizeof(secret));
 			result = isc_base64_decodestring(secretstr, &b);
 
@@ -812,6 +820,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	const char *secretstr = NULL;
 	controlkey_t *keyid = NULL;
 	char secret[1024];
+	unsigned int algtype;
 	isc_buffer_t b;
 
 	CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
@@ -825,6 +834,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 					cfg_obj_asstring(cfg_map_getname(key)));
 	keyid->secret.base = NULL;
 	keyid->secret.length = 0;
+	keyid->algorithm = DST_ALG_UNKNOWN;
 	ISC_LINK_INIT(keyid, link);
 	if (keyid->keyname == NULL)
 		CHECK(ISC_R_NOMEMORY);
@@ -838,7 +848,8 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	algstr = cfg_obj_asstring(algobj);
 	secretstr = cfg_obj_asstring(secretobj);
 
-	if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
+	if (ns_config_getkeyalgorithm2(algstr, NULL,
+				       &algtype, NULL) != ISC_R_SUCCESS) {
 		cfg_obj_log(key, ns_g_lctx,
 			    ISC_LOG_WARNING,
 			    "unsupported algorithm '%s' in "
@@ -848,6 +859,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 		goto cleanup;
 	}
 
+	keyid->algorithm = algtype;
 	isc_buffer_init(&b, secret, sizeof(secret));
 	result = isc_base64_decodestring(secretstr, &b);
 
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 1aaa26ae8d..7c41f49ad9 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -77,6 +77,7 @@ static unsigned int remoteport = 0;
 static isc_socketmgr_t *socketmgr = NULL;
 static unsigned char databuf[2048];
 static isccc_ccmsg_t ccmsg;
+static isc_uint32_t algorithm;
 static isccc_region_t secret;
 static isc_boolean_t failed = ISC_FALSE;
 static isc_boolean_t c_flag = ISC_FALSE;
@@ -251,7 +252,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
 	source.rstart = isc_buffer_base(&ccmsg.buffer);
 	source.rend = isc_buffer_used(&ccmsg.buffer);
 
-	DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
+	DO("parse message",
+	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
 
 	data = isccc_alist_lookup(response, "_data");
 	if (data == NULL)
@@ -305,7 +307,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
 		      "* the remote server is using an older version of"
 		      " the command protocol,\n"
 		      "* this host is not authorized to connect,\n"
-		      "* the clocks are not synchronized, or\n"
+		      "* the clocks are not synchronized,\n"
+		      "* the the key signing algorithm is incorrect, or\n"
 		      "* the key is invalid.");
 
 	if (ccmsg.result != ISC_R_SUCCESS)
@@ -314,7 +317,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
 	source.rstart = isc_buffer_base(&ccmsg.buffer);
 	source.rend = isc_buffer_used(&ccmsg.buffer);
 
-	DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
+	DO("parse message",
+	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
 
 	_ctrl = isccc_alist_lookup(response, "_ctrl");
 	if (_ctrl == NULL)
@@ -341,7 +345,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
 	}
 	message.rstart = databuf + 4;
 	message.rend = databuf + sizeof(databuf);
-	DO("render message", isccc_cc_towire(request, &message, &secret));
+	DO("render message",
+	   isccc_cc_towire(request, &message, algorithm, &secret));
 	len = sizeof(databuf) - REGION_SIZE(message);
 	isc_buffer_init(&b, databuf, 4);
 	isc_buffer_putuint32(&b, len - 4);
@@ -403,7 +408,8 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
 		fatal("out of memory");
 	message.rstart = databuf + 4;
 	message.rend = databuf + sizeof(databuf);
-	DO("render message", isccc_cc_towire(request, &message, &secret));
+	DO("render message",
+	   isccc_cc_towire(request, &message, algorithm, &secret));
 	len = sizeof(databuf) - REGION_SIZE(message);
 	isc_buffer_init(&b, databuf, 4);
 	isc_buffer_putuint32(&b, len - 4);
@@ -483,7 +489,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	const cfg_obj_t *address = NULL;
 	const cfg_listelt_t *elt;
 	const char *secretstr;
-	const char *algorithm;
+	const char *algorithmstr;
 	static char secretarray[1024];
 	const cfg_type_t *conftype = &cfg_type_rndcconf;
 	isc_boolean_t key_only = ISC_FALSE;
@@ -584,10 +590,22 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 		fatal("key must have algorithm and secret");
 
 	secretstr = cfg_obj_asstring(secretobj);
-	algorithm = cfg_obj_asstring(algorithmobj);
+	algorithmstr = cfg_obj_asstring(algorithmobj);
 
-	if (strcasecmp(algorithm, "hmac-md5") != 0)
-		fatal("unsupported algorithm: %s", algorithm);
+	if (strcasecmp(algorithmstr, "hmac-md5") == 0)
+		algorithm = ISCCC_ALG_HMACMD5;
+	else if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
+		algorithm = ISCCC_ALG_HMACSHA1;
+	else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
+		algorithm = ISCCC_ALG_HMACSHA224;
+	else if (strcasecmp(algorithmstr, "hmac-sha256") == 0)
+		algorithm = ISCCC_ALG_HMACSHA256;
+	else if (strcasecmp(algorithmstr, "hmac-sha384") == 0)
+		algorithm = ISCCC_ALG_HMACSHA384;
+	else if (strcasecmp(algorithmstr, "hmac-sha512") == 0)
+		algorithm = ISCCC_ALG_HMACSHA512;
+	else
+		fatal("unsupported algorithm: %s", algorithmstr);
 
 	secret.rstart = (unsigned char *)secretarray;
 	secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
index 67542b91c7..c463b9662b 100644
--- a/bin/rndc/rndc.conf
+++ b/bin/rndc/rndc.conf
@@ -31,7 +31,7 @@ server localhost {
 };
 
 key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 	secret "34f88008d07deabbe65bd01f1d233d47";
 };
 
@@ -42,6 +42,6 @@ server "test1" {
 };
 
 key "key" {
-        algorithm       hmac-md5;
+        algorithm       hmac-sha256;
         secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
 };
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
index 9de1995467..5753378d0c 100644
--- a/bin/rndc/rndc.conf.docbook
+++ b/bin/rndc/rndc.conf.docbook
@@ -40,6 +40,7 @@
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
+      <year>2013</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -119,11 +120,12 @@
     <para>
       The <option>key</option> statement begins with an identifying
       string, the name of the key.  The statement has two clauses.
-      <option>algorithm</option> identifies the encryption algorithm
+      <option>algorithm</option> identifies the authentication algorithm
       for <command>rndc</command> to use; currently only HMAC-MD5
-      is
+      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
+      (default), HMAC-SHA384 and HMAC-SHA512 are
       supported.  This is followed by a secret clause which contains
-      the base-64 encoding of the algorithm's encryption key.  The
+      the base-64 encoding of the algorithm's authentication key.  The
       base-64 string is enclosed in double quotes.
     </para>
     <para>
@@ -166,14 +168,14 @@
     </para>
     <para><programlisting>
       key samplekey {
-        algorithm       hmac-md5;
+        algorithm       hmac-sha256;
         secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
       };
 </programlisting>
     </para>
     <para><programlisting>
       key testkey {
-        algorithm	hmac-md5;
+        algorithm	hmac-sha256;
         secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
       };
     </programlisting>
@@ -186,8 +188,8 @@
       Commands to the localhost server will use the samplekey key, which
       must also be defined in the server's configuration file with the
       same name and secret.  The key statement indicates that samplekey
-      uses the HMAC-MD5 algorithm and its secret clause contains the
-      base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+      uses the HMAC-SHA256 algorithm and its secret clause contains the
+      base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
     </para>
     <para>
       If <command>rndc -s testserver</command> is used then <command>rndc</command> will
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index d407f2b515..e6a7e3a707 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -1,6 +1,6 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+               [<!ENTITY mdash "&#8212;">]>
 <!--
  - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
@@ -40,6 +40,7 @@
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
+      <year>2013</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -75,12 +76,14 @@
       arguments.
     </para>
     <para><command>rndc</command>
-      communicates with the name server
-      over a TCP connection, sending commands authenticated with
-      digital signatures.  In the current versions of
+      communicates with the name server over a TCP connection, sending
+      commands authenticated with digital signatures.  In the current
+      versions of
       <command>rndc</command> and <command>named</command>,
-      the only supported authentication algorithm is HMAC-MD5,
-      which uses a shared secret on each end of the connection.
+      the only supported authentication algorithms are HMAC-MD5
+      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
+      (default), HMAC-SHA384 and HMAC-SHA512.
+      They use a shared secret on each end of the connection.
       This provides TSIG-style authentication for the command
       request and the name server's response.  All commands sent
       over the channel must be signed by a key_id known to the
@@ -144,7 +147,7 @@
             <command>rndc</command>.  If no server is supplied on the
             command line, the host named by the default-server clause
             in the options statement of the <command>rndc</command>
-	    configuration file will be used.
+            configuration file will be used.
           </para>
         </listitem>
       </varlistentry>
diff --git a/bin/tests/system/autosign/ns1/named.conf b/bin/tests/system/autosign/ns1/named.conf
index 2fbe62f6fc..e67c4e4602 100644
--- a/bin/tests/system/autosign/ns1/named.conf
+++ b/bin/tests/system/autosign/ns1/named.conf
@@ -36,7 +36,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/autosign/ns2/named.conf b/bin/tests/system/autosign/ns2/named.conf
index 5e9ad8fb8f..826bb910f7 100644
--- a/bin/tests/system/autosign/ns2/named.conf
+++ b/bin/tests/system/autosign/ns2/named.conf
@@ -37,7 +37,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf
index 91c3138ce4..6927d84e11 100644
--- a/bin/tests/system/autosign/ns3/named.conf
+++ b/bin/tests/system/autosign/ns3/named.conf
@@ -39,7 +39,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/cacheclean/ns2/named.conf b/bin/tests/system/cacheclean/ns2/named.conf
index cb675d2a65..6f0fba0ab9 100644
--- a/bin/tests/system/cacheclean/ns2/named.conf
+++ b/bin/tests/system/cacheclean/ns2/named.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/common/controls.conf b/bin/tests/system/common/controls.conf
index b5d619e87b..b9b6311638 100644
--- a/bin/tests/system/common/controls.conf
+++ b/bin/tests/system/common/controls.conf
@@ -19,7 +19,7 @@
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf
index 3704ae7c02..5661b262ab 100644
--- a/bin/tests/system/common/rndc.conf
+++ b/bin/tests/system/common/rndc.conf
@@ -22,6 +22,6 @@ options {
 };
 
 key rndc_key {
-        algorithm       hmac-md5;
+        algorithm       hmac-sha256;
         secret          "1234abcd8765";
 };
diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/common/rndc.key
index 1239e93c36..d5a7a9f594 100644
--- a/bin/tests/system/common/rndc.key
+++ b/bin/tests/system/common/rndc.key
@@ -18,5 +18,5 @@
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 9d7ee44d5d..33daafb0f2 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -36,6 +36,7 @@ DIG=$TOP/bin/dig/dig
 RNDC=$TOP/bin/rndc/rndc
 NSUPDATE=$TOP/bin/nsupdate/nsupdate
 DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
+RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
 KEYGEN=$TOP/bin/dnssec/dnssec-keygen
 KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
 SIGNER=$TOP/bin/dnssec/dnssec-signzone
diff --git a/bin/tests/system/database/ns1/named.conf1 b/bin/tests/system/database/ns1/named.conf1
index 08dedc8cb7..9270d56f79 100644
--- a/bin/tests/system/database/ns1/named.conf1
+++ b/bin/tests/system/database/ns1/named.conf1
@@ -20,7 +20,7 @@
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/database/ns1/named.conf2 b/bin/tests/system/database/ns1/named.conf2
index c79bf9b742..ed1bdfb2a2 100644
--- a/bin/tests/system/database/ns1/named.conf2
+++ b/bin/tests/system/database/ns1/named.conf2
@@ -20,7 +20,7 @@
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
index d8863314cf..954fb37462 100644
--- a/bin/tests/system/dlv/ns5/named.conf
+++ b/bin/tests/system/dlv/ns5/named.conf
@@ -23,7 +23,7 @@
  *
  * e.g.
  *	key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
- *		algorithm hmac-md5;
+ *		algorithm hmac-sha256;
  *		secret "34f88008d07deabbe65bd01f1d233d47";
  *	}; 
  *
@@ -36,7 +36,7 @@
  */
 
 key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 	secret "34f88008d07deabbe65bd01f1d233d47";
 };
 
diff --git a/bin/tests/system/dlv/ns5/rndc.conf b/bin/tests/system/dlv/ns5/rndc.conf
index 958ee98ae3..ecc29b3a78 100644
--- a/bin/tests/system/dlv/ns5/rndc.conf
+++ b/bin/tests/system/dlv/ns5/rndc.conf
@@ -17,7 +17,7 @@
 /* $Id: rndc.conf,v 1.5 2007/06/19 23:47:02 tbox Exp $ */
 
 key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 	secret "34f88008d07deabbe65bd01f1d233d47";
 }; 
  
diff --git a/bin/tests/system/dlvauto/ns2/named.conf b/bin/tests/system/dlvauto/ns2/named.conf
index a7b86d0160..fce5d85570 100644
--- a/bin/tests/system/dlvauto/ns2/named.conf
+++ b/bin/tests/system/dlvauto/ns2/named.conf
@@ -37,7 +37,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/dlzexternal/ns1/named.conf.in b/bin/tests/system/dlzexternal/ns1/named.conf.in
index 4239658d6d..c5c6785826 100644
--- a/bin/tests/system/dlzexternal/ns1/named.conf.in
+++ b/bin/tests/system/dlzexternal/ns1/named.conf.in
@@ -33,7 +33,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 include "ddns.key";
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index a23c6f872b..4b84b79ca7 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -37,7 +37,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/dnssec/ns4/named1.conf b/bin/tests/system/dnssec/ns4/named1.conf
index c4a220903b..a129c5e51a 100644
--- a/bin/tests/system/dnssec/ns4/named1.conf
+++ b/bin/tests/system/dnssec/ns4/named1.conf
@@ -44,7 +44,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/dnssec/ns4/named2.conf b/bin/tests/system/dnssec/ns4/named2.conf
index cc395bed78..f7e812c281 100644
--- a/bin/tests/system/dnssec/ns4/named2.conf
+++ b/bin/tests/system/dnssec/ns4/named2.conf
@@ -37,7 +37,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/dnssec/ns4/named3.conf b/bin/tests/system/dnssec/ns4/named3.conf
index 2d407407dc..d391aacd21 100644
--- a/bin/tests/system/dnssec/ns4/named3.conf
+++ b/bin/tests/system/dnssec/ns4/named3.conf
@@ -38,7 +38,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/filter-aaaa/ns1/named1.conf b/bin/tests/system/filter-aaaa/ns1/named1.conf
index 9e4e9f1600..7c02e074f1 100644
--- a/bin/tests/system/filter-aaaa/ns1/named1.conf
+++ b/bin/tests/system/filter-aaaa/ns1/named1.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/filter-aaaa/ns1/named2.conf b/bin/tests/system/filter-aaaa/ns1/named2.conf
index f9743b5520..aaf26e35e3 100644
--- a/bin/tests/system/filter-aaaa/ns1/named2.conf
+++ b/bin/tests/system/filter-aaaa/ns1/named2.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/filter-aaaa/ns2/named1.conf b/bin/tests/system/filter-aaaa/ns2/named1.conf
index 226b469220..e61c2fba42 100644
--- a/bin/tests/system/filter-aaaa/ns2/named1.conf
+++ b/bin/tests/system/filter-aaaa/ns2/named1.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/filter-aaaa/ns2/named2.conf b/bin/tests/system/filter-aaaa/ns2/named2.conf
index 6cb096f6d5..a4ff53c06f 100644
--- a/bin/tests/system/filter-aaaa/ns2/named2.conf
+++ b/bin/tests/system/filter-aaaa/ns2/named2.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/filter-aaaa/ns3/named1.conf b/bin/tests/system/filter-aaaa/ns3/named1.conf
index 83547c10f7..0d40e0651c 100644
--- a/bin/tests/system/filter-aaaa/ns3/named1.conf
+++ b/bin/tests/system/filter-aaaa/ns3/named1.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/filter-aaaa/ns3/named2.conf b/bin/tests/system/filter-aaaa/ns3/named2.conf
index 4e027d6f30..1d26294c4c 100644
--- a/bin/tests/system/filter-aaaa/ns3/named2.conf
+++ b/bin/tests/system/filter-aaaa/ns3/named2.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/filter-aaaa/ns4/named1.conf b/bin/tests/system/filter-aaaa/ns4/named1.conf
index 81e3ed1d57..7415ac0dbd 100644
--- a/bin/tests/system/filter-aaaa/ns4/named1.conf
+++ b/bin/tests/system/filter-aaaa/ns4/named1.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/filter-aaaa/ns4/named2.conf b/bin/tests/system/filter-aaaa/ns4/named2.conf
index 5031c51a01..d096f0c8b3 100644
--- a/bin/tests/system/filter-aaaa/ns4/named2.conf
+++ b/bin/tests/system/filter-aaaa/ns4/named2.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named1.conf b/bin/tests/system/geoip/ns2/named1.conf
index 3263eb092f..fc0fb9384a 100644
--- a/bin/tests/system/geoip/ns2/named1.conf
+++ b/bin/tests/system/geoip/ns2/named1.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf
index 2deca77d23..e0dee5431c 100644
--- a/bin/tests/system/geoip/ns2/named10.conf
+++ b/bin/tests/system/geoip/ns2/named10.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf
index e5de5305ec..7933fd69b5 100644
--- a/bin/tests/system/geoip/ns2/named11.conf
+++ b/bin/tests/system/geoip/ns2/named11.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named2.conf b/bin/tests/system/geoip/ns2/named2.conf
index fe79635be7..29876b8101 100644
--- a/bin/tests/system/geoip/ns2/named2.conf
+++ b/bin/tests/system/geoip/ns2/named2.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named3.conf b/bin/tests/system/geoip/ns2/named3.conf
index 97010d04e1..525199e947 100644
--- a/bin/tests/system/geoip/ns2/named3.conf
+++ b/bin/tests/system/geoip/ns2/named3.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named4.conf b/bin/tests/system/geoip/ns2/named4.conf
index 275f8c4f0d..093811464a 100644
--- a/bin/tests/system/geoip/ns2/named4.conf
+++ b/bin/tests/system/geoip/ns2/named4.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named5.conf b/bin/tests/system/geoip/ns2/named5.conf
index d6f6f8600f..20cd56e9e0 100644
--- a/bin/tests/system/geoip/ns2/named5.conf
+++ b/bin/tests/system/geoip/ns2/named5.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named6.conf b/bin/tests/system/geoip/ns2/named6.conf
index 7add649152..340754967e 100644
--- a/bin/tests/system/geoip/ns2/named6.conf
+++ b/bin/tests/system/geoip/ns2/named6.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named7.conf b/bin/tests/system/geoip/ns2/named7.conf
index 41ea564f24..3ffafb7554 100644
--- a/bin/tests/system/geoip/ns2/named7.conf
+++ b/bin/tests/system/geoip/ns2/named7.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named8.conf b/bin/tests/system/geoip/ns2/named8.conf
index c83de1027e..3eee0cbe94 100644
--- a/bin/tests/system/geoip/ns2/named8.conf
+++ b/bin/tests/system/geoip/ns2/named8.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/geoip/ns2/named9.conf b/bin/tests/system/geoip/ns2/named9.conf
index c8e40f9e81..9d4ad4f9aa 100644
--- a/bin/tests/system/geoip/ns2/named9.conf
+++ b/bin/tests/system/geoip/ns2/named9.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/ixfr/ns3/named.conf b/bin/tests/system/ixfr/ns3/named.conf
index c01ce546de..b164968014 100644
--- a/bin/tests/system/ixfr/ns3/named.conf
+++ b/bin/tests/system/ixfr/ns3/named.conf
@@ -31,7 +31,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/ixfr/ns4/named.conf b/bin/tests/system/ixfr/ns4/named.conf
index b8c8e8cc1c..073d1a9861 100644
--- a/bin/tests/system/ixfr/ns4/named.conf
+++ b/bin/tests/system/ixfr/ns4/named.conf
@@ -30,7 +30,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh
index fbe0ff2a53..653fcf86c6 100644
--- a/bin/tests/system/ixfr/setup.sh
+++ b/bin/tests/system/ixfr/setup.sh
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/logfileconfig/ns1/named.dirconf b/bin/tests/system/logfileconfig/ns1/named.dirconf
index 9cbd03900c..3621c2f8e7 100644
--- a/bin/tests/system/logfileconfig/ns1/named.dirconf
+++ b/bin/tests/system/logfileconfig/ns1/named.dirconf
@@ -46,7 +46,7 @@ controls {
 };
 
 key "rndc-key" {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "Am9vCg==";
 };
 
diff --git a/bin/tests/system/logfileconfig/ns1/named.pipeconf b/bin/tests/system/logfileconfig/ns1/named.pipeconf
index bf5d02f2cc..94c10f4710 100644
--- a/bin/tests/system/logfileconfig/ns1/named.pipeconf
+++ b/bin/tests/system/logfileconfig/ns1/named.pipeconf
@@ -46,7 +46,7 @@ controls {
 };
 
 key "rndc-key" {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "Am9vCg==";
 };
 
diff --git a/bin/tests/system/logfileconfig/ns1/named.plain b/bin/tests/system/logfileconfig/ns1/named.plain
index 64cfbfad93..a404577a0c 100644
--- a/bin/tests/system/logfileconfig/ns1/named.plain
+++ b/bin/tests/system/logfileconfig/ns1/named.plain
@@ -46,7 +46,7 @@ controls {
 };
 
 key "rndc-key" {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "Am9vCg==";
 };
 
diff --git a/bin/tests/system/logfileconfig/ns1/named.symconf b/bin/tests/system/logfileconfig/ns1/named.symconf
index fc3f9bdbf5..7c42619edf 100644
--- a/bin/tests/system/logfileconfig/ns1/named.symconf
+++ b/bin/tests/system/logfileconfig/ns1/named.symconf
@@ -46,7 +46,7 @@ controls {
 };
 
 key "rndc-key" {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "Am9vCg==";
 };
 
diff --git a/bin/tests/system/logfileconfig/ns1/rndc.conf b/bin/tests/system/logfileconfig/ns1/rndc.conf
index f7fe7aae1a..2f3d0ab3a9 100644
--- a/bin/tests/system/logfileconfig/ns1/rndc.conf
+++ b/bin/tests/system/logfileconfig/ns1/rndc.conf
@@ -26,6 +26,6 @@ server localhost {
 };
 
 key "rndc-key" {
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
         secret "Am9vCg==";
 };
diff --git a/bin/tests/system/masterformat/ns3/named.conf b/bin/tests/system/masterformat/ns3/named.conf
index 5a3128336d..f3005ec576 100644
--- a/bin/tests/system/masterformat/ns3/named.conf
+++ b/bin/tests/system/masterformat/ns3/named.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf
index 3492b4cff4..86fe91d070 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf
+++ b/bin/tests/system/nsupdate/ns1/named.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf
index 09a850fc41..c4b3e73e4e 100644
--- a/bin/tests/system/pkcs11/ns1/named.conf
+++ b/bin/tests/system/pkcs11/ns1/named.conf
@@ -32,7 +32,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/resolver/ns4/named.conf b/bin/tests/system/resolver/ns4/named.conf
index e23b99f1d9..9e95e72c86 100644
--- a/bin/tests/system/resolver/ns4/named.conf
+++ b/bin/tests/system/resolver/ns4/named.conf
@@ -59,7 +59,7 @@ zone "broken" {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/rndc/clean.sh b/bin/tests/system/rndc/clean.sh
index 2fcfcfb04d..7e16cb4d66 100644
--- a/bin/tests/system/rndc/clean.sh
+++ b/bin/tests/system/rndc/clean.sh
@@ -22,3 +22,5 @@ rm -f ns2/named.stats
 rm -f ns3/named_dump.db
 rm -f ns*/named.memstats
 rm -f ns*/named.run
+rm -f random.data
+rm -f ns4/*.conf
diff --git a/bin/tests/system/rndc/ns2/named.conf b/bin/tests/system/rndc/ns2/named.conf
index 12d6f1475f..e94bfe98c1 100644
--- a/bin/tests/system/rndc/ns2/named.conf
+++ b/bin/tests/system/rndc/ns2/named.conf
@@ -29,12 +29,12 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 key secondkey {
 	secret "abcd1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/rndc/ns2/secondkey.conf b/bin/tests/system/rndc/ns2/secondkey.conf
index 99a876c0e9..044529906e 100644
--- a/bin/tests/system/rndc/ns2/secondkey.conf
+++ b/bin/tests/system/rndc/ns2/secondkey.conf
@@ -22,5 +22,5 @@ options {
 
 key secondkey {
         secret "abcd1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
diff --git a/bin/tests/system/rndc/ns3/named.conf b/bin/tests/system/rndc/ns3/named.conf
index 9feefac75e..b8e07805ef 100644
--- a/bin/tests/system/rndc/ns3/named.conf
+++ b/bin/tests/system/rndc/ns3/named.conf
@@ -28,12 +28,12 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 key secondkey {
 	secret "abcd1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/rndc/ns4/named.conf.in b/bin/tests/system/rndc/ns4/named.conf.in
new file mode 100644
index 0000000000..9f926f6b33
--- /dev/null
+++ b/bin/tests/system/rndc/ns4/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+controls { /* empty */ };
+
+options {
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+        recursion no;
+};
+
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index aed84af5b7..ce80005faf 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -10,14 +10,36 @@
 # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 # AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGEN
+# -r random.dataCE
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
 # $Id: setup.sh,v 1.2 2011/03/21 18:06:06 each Exp $
 
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
 sh clean.sh
 
+../../../tools/genrandom 400 random.data
+
 sh ../genzone.sh 2 >ns2/nil.db
 sh ../genzone.sh 2 >ns2/other.db
 sh ../genzone.sh 2 >ns2/static.db
+
+cat ns4/named.conf.in > ns4/named.conf
+
+make_key () {
+    $RNDCCONFGEN -r random.data -k key$1 -A $2 -s 10.53.0.4 -p 995${1} \
+            > ns4/key${1}.conf
+    egrep -v '(Start|End|Use|^[^#])' ns4/key$1.conf | cut -c3- | \
+            sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+}
+
+make_key 1 hmac-md5
+make_key 2 hmac-sha1
+make_key 3 hmac-sha224
+make_key 4 hmac-sha256
+make_key 5 hmac-sha384
+make_key 6 hmac-sha512
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 584dbb896e..426b6ec1cd 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -253,5 +253,65 @@ done
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:testing rndc with hmac-md5"
+ret=0
+$RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+for i in 2 3 4 5 6
+do
+        $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha1"
+ret=0
+$RNDC -s 10.53.0.4 -p 9952 -c ns4/key2.conf status > /dev/null 2>&1 || ret=1
+for i in 1 3 4 5 6
+do
+        $RNDC -s 10.53.0.4 -p 9952 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha224"
+ret=0
+$RNDC -s 10.53.0.4 -p 9953 -c ns4/key3.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 4 5 6
+do
+        $RNDC -s 10.53.0.4 -p 9953 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha256"
+ret=0
+$RNDC -s 10.53.0.4 -p 9954 -c ns4/key4.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 5 6
+do
+        $RNDC -s 10.53.0.4 -p 9954 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha384"
+ret=0
+$RNDC -s 10.53.0.4 -p 9955 -c ns4/key5.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 4 6
+do
+        $RNDC -s 10.53.0.4 -p 9955 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha512"
+ret=0
+$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 4 5
+do
+        $RNDC -s 10.53.0.4 -p 9956 -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
diff --git a/bin/tests/system/rpz/ns3/named.conf b/bin/tests/system/rpz/ns3/named.conf
index 2f5c3c0482..b491354566 100644
--- a/bin/tests/system/rpz/ns3/named.conf
+++ b/bin/tests/system/rpz/ns3/named.conf
@@ -53,7 +53,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 controls {
 	inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/rpz/ns5/named.conf b/bin/tests/system/rpz/ns5/named.conf
index 695270c551..448084d763 100644
--- a/bin/tests/system/rpz/ns5/named.conf
+++ b/bin/tests/system/rpz/ns5/named.conf
@@ -40,7 +40,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 controls {
 	inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/rrl/ns2/named.conf b/bin/tests/system/rrl/ns2/named.conf
index 6703a2bf5d..9f2bb865db 100644
--- a/bin/tests/system/rrl/ns2/named.conf
+++ b/bin/tests/system/rrl/ns2/named.conf
@@ -45,7 +45,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 controls {
 	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/staticstub/ns3/named.conf.in b/bin/tests/system/staticstub/ns3/named.conf.in
index 159a4beedb..dbf9b17f0a 100644
--- a/bin/tests/system/staticstub/ns3/named.conf.in
+++ b/bin/tests/system/staticstub/ns3/named.conf.in
@@ -32,7 +32,7 @@
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/statistics/ns3/named.conf b/bin/tests/system/statistics/ns3/named.conf
index 98f6cf5a07..82e1fbb0cb 100644
--- a/bin/tests/system/statistics/ns3/named.conf
+++ b/bin/tests/system/statistics/ns3/named.conf
@@ -35,7 +35,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/stress/ns3/named.conf b/bin/tests/system/stress/ns3/named.conf
index 9ff09d771d..f8695bc636 100644
--- a/bin/tests/system/stress/ns3/named.conf
+++ b/bin/tests/system/stress/ns3/named.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
index 50600b784c..819b72df91 100644
--- a/bin/tests/system/tkey/ns1/named.conf.in
+++ b/bin/tests/system/tkey/ns1/named.conf.in
@@ -36,7 +36,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/tsiggss/ns1/named.conf b/bin/tests/system/tsiggss/ns1/named.conf
index 645d578d9b..3084a1b721 100644
--- a/bin/tests/system/tsiggss/ns1/named.conf
+++ b/bin/tests/system/tsiggss/ns1/named.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/views/ns3/named1.conf b/bin/tests/system/views/ns3/named1.conf
index 9723e08d48..8071dbffed 100644
--- a/bin/tests/system/views/ns3/named1.conf
+++ b/bin/tests/system/views/ns3/named1.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/views/ns3/named2.conf b/bin/tests/system/views/ns3/named2.conf
index 27d4955f72..2804059a71 100644
--- a/bin/tests/system/views/ns3/named2.conf
+++ b/bin/tests/system/views/ns3/named2.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/xfer/ns3/named.conf b/bin/tests/system/xfer/ns3/named.conf
index 5f742d2875..0ea4663e4a 100644
--- a/bin/tests/system/xfer/ns3/named.conf
+++ b/bin/tests/system/xfer/ns3/named.conf
@@ -34,7 +34,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base
index 231fcfaef6..ecab46a171 100644
--- a/bin/tests/system/xfer/ns4/named.conf.base
+++ b/bin/tests/system/xfer/ns4/named.conf.base
@@ -30,7 +30,7 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 };
 
 key unused_key. {
diff --git a/bin/tests/system/zonechecks/ns1/named.conf b/bin/tests/system/zonechecks/ns1/named.conf
index 093b4326bb..ea03d39131 100644
--- a/bin/tests/system/zonechecks/ns1/named.conf
+++ b/bin/tests/system/zonechecks/ns1/named.conf
@@ -36,7 +36,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/bin/tests/system/zonechecks/ns2/named.conf b/bin/tests/system/zonechecks/ns2/named.conf
index 27911d229b..c138647fd4 100644
--- a/bin/tests/system/zonechecks/ns2/named.conf
+++ b/bin/tests/system/zonechecks/ns2/named.conf
@@ -36,7 +36,7 @@ options {
 
 key rndc_key {
         secret "1234abcd8765";
-        algorithm hmac-md5;
+        algorithm hmac-sha256;
 };
 
 controls {
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 4472e295a2..5eab36cfe5 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -1756,8 +1756,14 @@ zone "eng.example.com" {
                   <command>algorithm</command> and <command>secret</command>.
                   While the configuration parser will accept any string as the
                   argument
-                  to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
-                  has any meaning.  The secret is a base-64 encoded string
+                  to algorithm, currently only the strings
+                  "<userinput>hmac-md5</userinput>",
+                  "<userinput>hmac-sha1</userinput>",
+                  "<userinput>hmac-sha224</userinput>",
+                  "<userinput>hmac-sha256</userinput>",
+                  "<userinput>hmac-sha384</userinput>"
+                  and "<userinput>hmac-sha512</userinput>"
+                  have any meaning.  The secret is a base-64 encoded string
 		  as specified in RFC 3548.
                 </para>
 
@@ -1784,7 +1790,7 @@ zone "eng.example.com" {
 
 <programlisting>
 key rndc_key {
-     algorithm "hmac-md5";
+     algorithm "hmac-sha256";
      secret
        "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
 };
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index 07f8157b0a..e621cc87cd 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -41,6 +41,7 @@
 
 #include <isc/assertions.h>
 #include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
 #include <isc/print.h>
 #include <isc/stdlib.h>
 
@@ -77,6 +78,34 @@ static unsigned char auth_hmd5[] = {
 #define HMD5_OFFSET	21		/*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
 #define HMD5_LENGTH	22
 
+static unsigned char auth_hsha[] = {
+	0x05, 0x5f, 0x61, 0x75, 0x74, 0x68,		/*%< len + _auth */
+	ISCCC_CCMSGTYPE_TABLE,				/*%< message type */
+	0x00, 0x00, 0x00, 0x63,				/*%< length == 99 */
+	0x04, 0x68, 0x73, 0x68, 0x61,			/*%< len + hsha */
+	ISCCC_CCMSGTYPE_BINARYDATA,			/*%< message type */
+	0x00, 0x00, 0x00, 0x59,				/*%< length == 89 */
+	0x00,						/*%< algorithm */
+	/*
+	 * The base64 encoding of one of our HMAC-SHA* signatures is
+	 * 88 bytes.
+	 */
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+#define HSHA_OFFSET	22		/*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */
+#define HSHA_LENGTH	88
+
 static isc_result_t
 table_towire(isccc_sexpr_t *alist, isccc_region_t *target);
 
@@ -204,53 +233,133 @@ list_towire(isccc_sexpr_t *list, isccc_region_t *target)
 }
 
 static isc_result_t
-sign(unsigned char *data, unsigned int length, unsigned char *hmd5,
-     isccc_region_t *secret)
+sign(unsigned char *data, unsigned int length, unsigned char *hmac,
+     isc_uint32_t algorithm, isccc_region_t *secret)
 {
-	isc_hmacmd5_t ctx;
+	union {
+		isc_hmacmd5_t hmd5;
+		isc_hmacsha1_t hsha;
+		isc_hmacsha224_t h224;
+		isc_hmacsha256_t h256;
+		isc_hmacsha384_t h384;
+		isc_hmacsha512_t h512;
+	} ctx;
 	isc_result_t result;
 	isccc_region_t source, target;
-	unsigned char digest[ISC_MD5_DIGESTLENGTH];
-	unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
+	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+	unsigned char digestb64[HSHA_LENGTH + 4];
 
-	isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
-	isc_hmacmd5_update(&ctx, data, length);
-	isc_hmacmd5_sign(&ctx, digest);
 	source.rstart = digest;
-	source.rend = digest + ISC_MD5_DIGESTLENGTH;
+
+	switch (algorithm) {
+	case ISCCC_ALG_HMACMD5:
+		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
+				 REGION_SIZE(*secret));
+		isc_hmacmd5_update(&ctx.hmd5, data, length);
+		isc_hmacmd5_sign(&ctx.hmd5, digest);
+		source.rend = digest + ISC_MD5_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA1:
+		isc_hmacsha1_init(&ctx.hsha, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha1_update(&ctx.hsha, data, length);
+		isc_hmacsha1_sign(&ctx.hsha, digest,
+				    ISC_SHA1_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA1_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA224:
+		isc_hmacsha224_init(&ctx.h224, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha224_update(&ctx.h224, data, length);
+		isc_hmacsha224_sign(&ctx.h224, digest,
+				    ISC_SHA224_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA224_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA256:
+		isc_hmacsha256_init(&ctx.h256, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha256_update(&ctx.h256, data, length);
+		isc_hmacsha256_sign(&ctx.h256, digest,
+				    ISC_SHA256_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA256_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA384:
+		isc_hmacsha384_init(&ctx.h384, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha384_update(&ctx.h384, data, length);
+		isc_hmacsha384_sign(&ctx.h384, digest,
+				    ISC_SHA384_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA384_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA512:
+		isc_hmacsha512_init(&ctx.h512, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha512_update(&ctx.h512, data, length);
+		isc_hmacsha512_sign(&ctx.h512, digest,
+				    ISC_SHA512_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA512_DIGESTLENGTH;
+		break;
+
+	default:
+		return (ISC_R_FAILURE);
+	}
+
+	memset(digestb64, 0, sizeof(digestb64));
 	target.rstart = digestb64;
-	target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
+	target.rend = digestb64 + sizeof(digestb64);
 	result = isccc_base64_encode(&source, 64, "", &target);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	PUT_MEM(digestb64, HMD5_LENGTH, hmd5);
-
+	if (algorithm == ISCCC_ALG_HMACMD5)
+		PUT_MEM(digestb64, HMD5_LENGTH, hmac);
+	else
+		PUT_MEM(digestb64, HSHA_LENGTH, hmac);
 	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
 isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
-	      isccc_region_t *secret)
+		isc_uint32_t algorithm, isccc_region_t *secret)
 {
-	unsigned char *hmd5_rstart, *signed_rstart;
+	unsigned char *hmac_rstart, *signed_rstart;
 	isc_result_t result;
 
-	if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
-		return (ISC_R_NOSPACE);
+	if (algorithm == ISCCC_ALG_HMACMD5) {
+		if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
+			return (ISC_R_NOSPACE);
+	} else {
+		if (REGION_SIZE(*target) < 4 + sizeof(auth_hsha))
+			return (ISC_R_NOSPACE);
+	}
+
 	/*
 	 * Emit protocol version.
 	 */
 	PUT32(1, target->rstart);
 	if (secret != NULL) {
 		/*
-		 * Emit _auth section with zeroed HMAC-MD5 signature.
+		 * Emit _auth section with zeroed HMAC signature.
 		 * We'll replace the zeros with the real signature once
 		 * we know what it is.
 		 */
-		hmd5_rstart = target->rstart + HMD5_OFFSET;
-		PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
+		if (algorithm == ISCCC_ALG_HMACMD5) {
+			hmac_rstart = target->rstart + HMD5_OFFSET;
+			PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
+		} else {
+			unsigned char *hmac_alg;
+
+			hmac_rstart = target->rstart + HSHA_OFFSET;
+			hmac_alg = hmac_rstart - 1;
+			PUT_MEM(auth_hsha, sizeof(auth_hsha), target->rstart);
+			PUT8(algorithm, hmac_alg);
+		}
 	} else
-		hmd5_rstart = NULL;
+		hmac_rstart = NULL;
 	signed_rstart = target->rstart;
 	/*
 	 * Delete any existing _auth section so that we don't try
@@ -265,21 +374,28 @@ isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
 		return (result);
 	if (secret != NULL)
 		return (sign(signed_rstart, (target->rstart - signed_rstart),
-			     hmd5_rstart, secret));
+			     hmac_rstart, algorithm, secret));
 	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
 verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
-       isccc_region_t *secret)
+       isc_uint32_t algorithm, isccc_region_t *secret)
 {
-	isc_hmacmd5_t ctx;
+	union {
+		isc_hmacmd5_t hmd5;
+		isc_hmacsha1_t hsha;
+		isc_hmacsha224_t h224;
+		isc_hmacsha256_t h256;
+		isc_hmacsha384_t h384;
+		isc_hmacsha512_t h512;
+	} ctx;
 	isccc_region_t source;
 	isccc_region_t target;
 	isc_result_t result;
-	isccc_sexpr_t *_auth, *hmd5;
-	unsigned char digest[ISC_MD5_DIGESTLENGTH];
-	unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
+	isccc_sexpr_t *_auth, *hmac;
+	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+	unsigned char digestb64[HSHA_LENGTH * 4];
 
 	/*
 	 * Extract digest.
@@ -287,39 +403,107 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
 	_auth = isccc_alist_lookup(alist, "_auth");
 	if (_auth == NULL)
 		return (ISC_R_FAILURE);
-	hmd5 = isccc_alist_lookup(_auth, "hmd5");
-	if (hmd5 == NULL)
+	if (algorithm == ISCCC_ALG_HMACMD5)
+		hmac = isccc_alist_lookup(_auth, "hmd5");
+	else
+		hmac = isccc_alist_lookup(_auth, "hsha");
+	if (hmac == NULL)
 		return (ISC_R_FAILURE);
 	/*
 	 * Compute digest.
 	 */
-	isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
-	isc_hmacmd5_update(&ctx, data, length);
-	isc_hmacmd5_sign(&ctx, digest);
 	source.rstart = digest;
-	source.rend = digest + ISC_MD5_DIGESTLENGTH;
 	target.rstart = digestb64;
-	target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
+	switch (algorithm) {
+	case ISCCC_ALG_HMACMD5:
+		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
+				 REGION_SIZE(*secret));
+		isc_hmacmd5_update(&ctx.hmd5, data, length);
+		isc_hmacmd5_sign(&ctx.hmd5, digest);
+		source.rend = digest + ISC_MD5_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA1:
+		isc_hmacsha1_init(&ctx.hsha, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha1_update(&ctx.hsha, data, length);
+		isc_hmacsha1_sign(&ctx.hsha, digest,
+				    ISC_SHA1_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA1_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA224:
+		isc_hmacsha224_init(&ctx.h224, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha224_update(&ctx.h224, data, length);
+		isc_hmacsha224_sign(&ctx.h224, digest,
+				    ISC_SHA224_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA224_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA256:
+		isc_hmacsha256_init(&ctx.h256, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha256_update(&ctx.h256, data, length);
+		isc_hmacsha256_sign(&ctx.h256, digest,
+				    ISC_SHA256_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA256_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA384:
+		isc_hmacsha384_init(&ctx.h384, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha384_update(&ctx.h384, data, length);
+		isc_hmacsha384_sign(&ctx.h384, digest,
+				    ISC_SHA384_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA384_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA512:
+		isc_hmacsha512_init(&ctx.h512, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha512_update(&ctx.h512, data, length);
+		isc_hmacsha512_sign(&ctx.h512, digest,
+				    ISC_SHA512_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA512_DIGESTLENGTH;
+		break;
+
+	default:
+		return (ISC_R_FAILURE);
+	}
+ 	target.rstart = digestb64;
+	target.rend = digestb64 + sizeof(digestb64);
+	memset(digestb64, 0, sizeof(digestb64));
 	result = isccc_base64_encode(&source, 64, "", &target);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	/*
-	 * Strip trailing == and NUL terminate target.
-	 */
-	target.rstart -= 2;
-	*target.rstart++ = '\0';
+
 	/*
 	 * Verify.
 	 */
-	if (strcmp((char *)digestb64, isccc_sexpr_tostring(hmd5)) != 0)
-		return (ISCCC_R_BADAUTH);
+	if (algorithm == ISCCC_ALG_HMACMD5) {
+		unsigned char *value;
+
+		value = (unsigned char *) isccc_sexpr_tostring(hmac);
+		if (memcmp(value, digestb64, HMD5_LENGTH) != 0)
+			return (ISCCC_R_BADAUTH);
+	} else {
+		unsigned char *value;
+		isc_uint32_t valalg;
+
+		value = (unsigned char *) isccc_sexpr_tostring(hmac);
+		GET8(valalg, value);
+		if ((valalg != algorithm) ||
+		    (memcmp(value, digestb64, HSHA_LENGTH) != 0))
+			return (ISCCC_R_BADAUTH);
+	}
 
 	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
 table_fromwire(isccc_region_t *source, isccc_region_t *secret,
-	       isccc_sexpr_t **alistp);
+	       isc_uint32_t algorithm, isccc_sexpr_t **alistp);
 
 static isc_result_t
 list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
@@ -350,7 +534,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
 		} else
 			result = ISC_R_NOMEMORY;
 	} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
-		result = table_fromwire(&active, NULL, valuep);
+		result = table_fromwire(&active, NULL, 0, valuep);
 	else if (msgtype == ISCCC_CCMSGTYPE_LIST)
 		result = list_fromwire(&active, valuep);
 	else
@@ -361,7 +545,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
 
 static isc_result_t
 table_fromwire(isccc_region_t *source, isccc_region_t *secret,
-	       isccc_sexpr_t **alistp)
+	       isc_uint32_t algorithm, isccc_sexpr_t **alistp)
 {
 	char key[256];
 	isc_uint32_t len;
@@ -403,7 +587,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
 		if (checksum_rstart != NULL)
 			result = verify(alist, checksum_rstart,
 					(source->rend - checksum_rstart),
-					secret);
+					algorithm, secret);
 		else
 			result = ISCCC_R_BADAUTH;
 	} else
@@ -446,7 +630,7 @@ list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp)
 
 isc_result_t
 isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
-		isccc_region_t *secret)
+		  isc_uint32_t algorithm, isccc_region_t *secret)
 {
 	unsigned int size;
 	isc_uint32_t version;
@@ -458,7 +642,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
 	if (version != 1)
 		return (ISCCC_R_UNKNOWNVERSION);
 
-	return (table_fromwire(source, secret, alistp));
+	return (table_fromwire(source, secret, algorithm, alistp));
 }
 
 static isc_result_t
@@ -521,8 +705,8 @@ createmessage(isc_uint32_t version, const char *from, const char *to,
 
 isc_result_t
 isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
-		     isc_uint32_t serial, isccc_time_t now,
-		     isccc_time_t expires, isccc_sexpr_t **alistp)
+		       isc_uint32_t serial, isccc_time_t now,
+		       isccc_time_t expires, isccc_sexpr_t **alistp)
 {
 	return (createmessage(version, from, to, serial, now, expires,
 			      alistp, ISC_TRUE));
@@ -530,7 +714,7 @@ isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
 
 isc_result_t
 isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
-		 isccc_sexpr_t **ackp)
+		   isccc_sexpr_t **ackp)
 {
 	char *_frm, *_to;
 	isc_uint32_t serial;
@@ -608,7 +792,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
 
 isc_result_t
 isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
-		      isccc_time_t expires, isccc_sexpr_t **alistp)
+			isccc_time_t expires, isccc_sexpr_t **alistp)
 {
 	char *_frm, *_to, *type = NULL;
 	isc_uint32_t serial;
@@ -718,7 +902,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
 
 isc_result_t
 isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
-		       isc_uint32_t *uintp)
+		      isc_uint32_t *uintp)
 {
 	isccc_sexpr_t *kv, *v;
 
@@ -796,7 +980,7 @@ has_whitespace(const char *str)
 
 isc_result_t
 isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
-		isccc_time_t now)
+		  isccc_time_t now)
 {
 	const char *_frm;
 	const char *_to;
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
index 79393be7b1..777e675a3f 100644
--- a/lib/isccc/include/isccc/cc.h
+++ b/lib/isccc/include/isccc/cc.h
@@ -41,6 +41,16 @@
 
 ISC_LANG_BEGINDECLS
 
+/*% from lib/dns/include/dst/dst.h */
+
+#define ISCCC_ALG_UNKNOWN	0
+#define ISCCC_ALG_HMACMD5	157
+#define ISCCC_ALG_HMACSHA1	161
+#define ISCCC_ALG_HMACSHA224	162
+#define ISCCC_ALG_HMACSHA256	163
+#define ISCCC_ALG_HMACSHA384	164
+#define ISCCC_ALG_HMACSHA512	165
+
 /*% Maximum Datagram Package */
 #define ISCCC_CC_MAXDGRAMPACKET		4096
 
@@ -56,23 +66,23 @@ ISC_LANG_BEGINDECLS
 /*% Send to Wire */
 isc_result_t
 isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
-	      isccc_region_t *secret);
+		isc_uint32_t algorithm, isccc_region_t *secret);
 
 /*% Get From Wire */
 isc_result_t
 isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
-		isccc_region_t *secret);
+		  isc_uint32_t algorithm, isccc_region_t *secret);
 
 /*% Create Message */
 isc_result_t
 isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
-		     isc_uint32_t serial, isccc_time_t now,
-		     isccc_time_t expires, isccc_sexpr_t **alistp);
+		       isc_uint32_t serial, isccc_time_t now,
+		       isccc_time_t expires, isccc_sexpr_t **alistp);
 
 /*% Create Acknowledgment */
 isc_result_t
 isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
-		 isccc_sexpr_t **ackp);
+		   isccc_sexpr_t **ackp);
 
 /*% Is Ack? */
 isc_boolean_t
@@ -85,7 +95,7 @@ isccc_cc_isreply(isccc_sexpr_t *message);
 /*% Create Response */
 isc_result_t
 isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
-		      isccc_time_t expires, isccc_sexpr_t **alistp);
+			isccc_time_t expires, isccc_sexpr_t **alistp);
 
 /*% Define String */
 isccc_sexpr_t *
@@ -102,7 +112,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
 /*% Lookup uint 32 */
 isc_result_t
 isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
-		    isc_uint32_t *uintp);
+		      isc_uint32_t *uintp);
 
 /*% Create Symbol Table */
 isc_result_t
@@ -115,7 +125,7 @@ isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
 /*% Check for Duplicates */
 isc_result_t
 isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
-		   isccc_time_t now);
+		  isccc_time_t now);
 
 ISC_LANG_ENDDECLS
 
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
index aaed552212..8e3817bbf2 100644
--- a/win32utils/readme1st.txt
+++ b/win32utils/readme1st.txt
@@ -80,7 +80,7 @@ statement into named.conf.
 
 The additions look like the following:
 
-key "rndc-key" { algorithm hmac-md5; secret "xxxxxxxxx=="; };
+key "rndc-key" { algorithm hmac-sha256; secret "xxxxxxxxx=="; };
 
 controls {
 	inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };