diff --git a/example-dns-01-nsupdate-script.md b/example-dns-01-nsupdate-script.md
index 3bca000..97436f4 100644
--- a/example-dns-01-nsupdate-script.md
+++ b/example-dns-01-nsupdate-script.md
@@ -48,7 +48,7 @@ The file `/path/to/Kdnsupdatekey.private` looks like this:
 
 ```
 key "<keyname>" {
-  algorithm hmac-md5;
+  algorithm hmac-sha512;
   secret "<key>";
 };
 ```
@@ -57,14 +57,14 @@ To avoid making your entire production DNS subject to dynamic DNS updates, then
 
 1. In your main DNS infrastructure create a delegation: `_acme-challenge.<domain>. NS <your-nameserver>.`
 2. Create a new zone `_acme-challenge.<domain>` on `<your-nameserver>`, with an empty zonefile (just an SOA and NS record), writeable by the nameserver
-3. Create a new TSIG key: `dnssec-keygen -r /dev/urandom -a hmac-md5 -b 128 -n HOST <keyname>`
+3. Create a new TSIG key: `dnssec-keygen -r /dev/urandom -a hmac-sha512 -b 128 -n HOST <keyname>`
 4. Enable dynamic updates on the `_acme-challenge.<domain>` zone with this key
 
 e.g. for bind9:
 
 ~~~
 key "<keyname>" {
-  algorithm hmac-md5;
+  algorithm hmac-sha512;
   secret "<key>";
 };
 zone "_acme-challenge.<domain>" {