DNS zonefile generation and NSD configuration for my servers.

zones

DNS zones for my domains and managed by my servers.

TSIG generation

The TSIG secret just has to be a random string. I use the following:

head -c $(expr 384 / 8) /dev/urandom | base64

That generates a 384-bit secret and base-64 encodes it. This ought to be long enough, as RFC2845 states that the key length should be at least as long as the message digest. For the algorithm, I currently use 'hmac-sha256'.

The choice of a 384-bit shared secret is mainly because it's a number that is divisible by both 8 and 6, meaning you don't get a bunch of padding at the end of the base-64 string.

For key ID generation, do:

echo $(uuidgen | tr A-Z a-z).talideon.com.

SOA serial number generation

This requires dnspython to be present, which will typically be installed as a dependency of Ansible anyway. No checks are currently performed to see if the zone has actually changed. Something like ldns-compare-zones could be used for this.
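One way to bump the serial only when the zone content has actually changed, as an added example that is not part of this repository: it hashes the zone with the serial masked (a simpler stand-in for ldns-compare-zones, needing no dnspython) and produces YYYYMMDDnn serials that stay strictly increasing under RFC 1982 serial arithmetic. The sample zone and the `next_serial`/`bump_zone` names are constructed for this illustration.

```python
import hashlib
import re
from datetime import date

# Constructed sample zone (not from this repository) with a YYYYMMDDnn serial.
ZONE_BEFORE = """\
$ORIGIN example.net.
@   IN SOA ns1 hostmaster 2024031702 3600 900 1209600 300
@   IN NS  ns1
ns1 IN A   192.0.2.1
"""

# Group 1: "SOA <mname> <rname> ", group 2: the serial itself.
SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s+)(\d+)")

def zone_fingerprint(text: str) -> str:
    """Hash the zone with the SOA serial masked, so that a previous serial
    bump does not itself count as a change; only record edits do."""
    masked = SERIAL_RE.sub(r"\g<1>SERIAL", text)
    return hashlib.sha256(masked.encode()).hexdigest()

def next_serial(current: int, today: date) -> int:
    """Return a serial strictly greater than `current` that still reads as
    YYYYMMDDnn whenever the date allows it."""
    base = int(today.strftime("%Y%m%d")) * 100
    if current < base:
        return base            # first bump today: YYYYMMDD00
    if current < base + 99:
        return current + 1     # later bump the same day: YYYYMMDDnn
    # Daily counter exhausted, or the serial is "ahead" of today (clock
    # skew, older scheme): just increment, wrapping at 2^32 per RFC 1982.
    return (current + 1) % 2**32

def bump_zone(current_text: str, candidate_text: str, today: date) -> str:
    """Return the zone to publish: the existing file when nothing but the
    serial differs (so secondaries are not forced into a transfer), else the
    candidate with a freshly bumped serial taken from the current one."""
    if zone_fingerprint(current_text) == zone_fingerprint(candidate_text):
        return current_text
    cur = SERIAL_RE.search(current_text)
    cand = SERIAL_RE.search(candidate_text)
    if not cur or not cand:
        raise ValueError("SOA serial not found")
    new = next_serial(int(cur.group(2)), today)
    return candidate_text[:cand.start(2)] + str(new) + candidate_text[cand.end(2):]
```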