We currently spec hmac-sha256 for rndc keys. We should consider alternate algorithms and also permitting it to be specified for bring your own bind scenarios.