Replace dnssec-keygen by tsig-keygen because the former has been deprecated for creating TSIG keys.

JP Mens
2020-12-19 12:47:50 +01:00
parent bd741edf19
commit fb8ddb85c2

@@ -57,7 +57,7 @@ To avoid making your entire production DNS subject to dynamic DNS updates, then
1. In your main DNS infrastructure create a delegation: `_acme-challenge.<domain>. NS <your-nameserver>.`
2. Create a new zone `_acme-challenge.<domain>` on `<your-nameserver>`, with an empty zonefile (just an SOA and NS record), writeable by the nameserver
3. Create a new TSIG key: `dnssec-keygen -r /dev/urandom -a hmac-sha512 -b 128 -n HOST <keyname>`
3. Create a new TSIG key: `tsig-keygen -a sha512 <keyname>`
4. Enable dynamic updates on the `_acme-challenge.<domain>` zone with this key
e.g. for bind9:
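Review bot: the new step 3 drops `-r /dev/urandom` and `-b 128` without telling the reader what happened to them; since `tsig-keygen` accepts neither option (it chooses the key length from the algorithm and seeds itself), a short parenthetical on the `tsig-keygen -a sha512 <keyname>` line would stop people looking for equivalents. The short algorithm name is fine, `tsig-keygen` takes the name with or without the `hmac-` prefix, but the output shape also changes: `tsig-keygen` prints a ready-to-include `key "<keyname>" { algorithm hmac-sha512; secret "..."; };` stanza on stdout instead of writing key files, so step 4 and the bind9 snippet should say to paste that stanza into the configuration rather than copy a secret out of a generated file.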
@@ -75,7 +75,7 @@ zone "_acme-challenge.<domain>" {
};
~~~
This is a secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for. Use /dev/random as an argument for dnssec-keygen for key generation to increase security further.
This is a secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for.
An alternative approach is to use CNAMEs to put all your dynamic updates into a single zone. You will need to modify the script:
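Review bot: removing the `/dev/random` sentence is correct now that the command has no `-r` option, but the paragraph's claim that each host "can only obtain certificates for those domains you have explicitly authorized it for" depends on how step 4 binds the key to the zone: with `allow-update { key <keyname>; };` the key may rewrite every record in `_acme-challenge.<domain>`, including the SOA and NS. Suggest adding one sentence recommending `update-policy { grant <keyname> name _acme-challenge.<domain> TXT; };` in the zone stanza shown above, which restricts the key to the TXT record the ACME validator actually reads.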