dnssec-keygen man page contradictory on whether TSIG keys can be generated

Summary

At the top of the dnssec-keygen man page appears this text:

It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.

Under the section for the -a option:

In prior releases, HMAC algorithms could be generated for use as TSIG keys, but that feature was removed in BIND 9.13.0. Use tsig-keygen to generate TSIG keys.

It looks like the top matter probably wasn’t updated when TSIG was spun out into tsig-keygen.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information