Commit 5fbc5c92 authored by Tinderbox User

regen master

parent 791aa3e9
......@@ -177,13 +177,17 @@ indicating the progress of the key generation\&. A \*(Aq\&.\*(Aq indicates that
.PP
\-r \fIrandomdev\fR
.RS 4
Specifies the source of randomness\&. If the operating system does not provide a
/dev/random
or equivalent device, the default source of randomness is keyboard input\&.
Specifies a source of randomness\&. Normally, when generating DNSSEC keys, this option has no effect; the random number generation function provided by the cryptographic library will be used\&.
.sp
If that behavior is disabled at compile time, however, the specified file will be used as entropy source for key generation\&.
randomdev
specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
is the name of a character device or file containing random data to be used\&. The special value
keyboard
indicates that keyboard input should be used\&.
.sp
The default is
/dev/random
if the operating system provides it or an equivalent device; if not, the default source of randomness is keyboard input\&.
.RE
.PP
\-S \fIkey\fR
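Review bot: "If that behavior is disabled at compile time" in the second paragraph of the new -r text gives an operator no way to tell whether their build is affected; the ARM text in this same commit names the flag, so name it here too, e.g. "If BIND was built with configure --disable-crypto-rand, however, ...". Since the option is still accepted in the default build, it is also worth saying plainly that -r is accepted but ignored there, so that scripts passing a device to dnssec-keygen do not assume it changed the entropy source.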
......
......@@ -280,15 +280,23 @@
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd>
<p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
Specifies a source of randomness. Normally, when generating
DNSSEC keys, this option has no effect; the random number
generation function provided by the cryptographic library will
be used.
</p>
<p>
If that behavior is disabled at compile time, however,
the specified file will be used as entropy source
for key generation. <code class="filename">randomdev</code> is
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
data to be used. The special value <code class="filename">keyboard</code>
indicates that keyboard input should be used.
</p>
<p>
The default is <code class="filename">/dev/random</code> if the
operating system provides it or an equivalent device;
if not, the default source of randomness is keyboard input.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
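Review bot: "the specified file will be used as entropy source for key generation" in the second paragraph is narrower than the sentence that follows it and drops an article: randomdev may be a character device, a file, or the special value keyboard. Suggest "the specified device, file or keyboard input will be used as the entropy source for key generation".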
......
......@@ -3262,22 +3262,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<dt><span class="term"><span class="command"><strong>random-device</strong></span></span></dt>
<dd>
<p>
The source of entropy to be used by the server. Entropy is
primarily needed
for DNSSEC operations, such as TKEY transactions and dynamic
update of signed
zones. This options specifies the device (or file) from which
to read
entropy. If this is a file, operations requiring entropy will
fail when the
file has been exhausted. If not specified, the default value
is
<code class="filename">/dev/random</code>
(or equivalent) when present, and none otherwise. The
<span class="command"><strong>random-device</strong></span> option takes
effect during
the initial configuration load at server startup time and
is ignored on subsequent reloads.
Specifies a source of entropy to be used by the server.
This is a device or file from which to read entropy.
If it is a file, operations requiring entropy
will fail when the file has been exhausted.
</p>
<p>
Entropy is needed for cryptographic operations such as
TKEY transactions, dynamic update of signed zones, and
generation of TSIG session keys. It is also used for
seeding and stirring the pseudo-random number generator,
which is used for less critical functions requiring
randomness such as generation of DNS message transaction
ID's.
</p>
<p>
If <span class="command"><strong>random-device</strong></span> is not specified, or
if it is set to <code class="literal">none</code>, entropy will be
read from the random number generation function supplied
by the cryptographic library with which BIND was linked
(i.e. OpenSSL or a PKCS#11 provider).
</p>
<p>
The <span class="command"><strong>random-device</strong></span> option takes
effect during the initial configuration load at server
startup time and is ignored on subsequent reloads.
</p>
<p>
If BIND is built with
<span class="command"><strong>configure --disable-crypto-rand</strong></span>, then
entropy is <span class="emphasis"><em>not</em></span> sourced from the
cryptographic library. In this case, if
<span class="command"><strong>random-device</strong></span> is not specified, the
default value is the system random device,
<code class="filename">/dev/random</code> or the equivalent.
This default can be overridden with
<span class="command"><strong>configure --with-randomdev</strong></span>.
If no system random device exists, then no entropy source
will be configured, and <span class="command"><strong>named</strong></span> will only
be able to use pseudo-random numbers.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>preferred-glue</strong></span></span></dt>
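Review bot: the closing sentence of the new --disable-crypto-rand paragraph, "named will only be able to use pseudo-random numbers", leaves the failure mode that matters unstated: whether the TKEY, signed dynamic update and TSIG session-key operations listed in the second paragraph fail outright in that state (as the first paragraph says they do when a file is exhausted) or silently fall back to the PRNG that the second paragraph reserves for "less critical functions". Spell out which. The same paragraph also does not say what random-device none means in a --disable-crypto-rand build, where the cryptographic-library fallback described in the third paragraph does not exist; document that case as well.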
......@@ -4964,24 +4987,12 @@ options {
<p>
Note:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
DNSSEC validation must be enabled for this
option to be effective.
</p>
</li>
<li class="listitem">
<p>
This initial implementation only covers
NXDOMAIN synthesis from NSEC records.
Synthesis of NODATA and wildcard responses
is also planned, as is synthesis from NSEC3
records. All of these will be controlled
by <span class="command"><strong>synth-from-dnssec</strong></span>.
</p>
</li>
</ul></div>
</li></ul></div>
<p>
</p>
</dd>
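Review bot: dropping the "initial implementation only covers NXDOMAIN synthesis from NSEC records" bullet implies that NODATA, wildcard and NSEC3 synthesis now work, but nothing left in the synth-from-dnssec text says what the option synthesizes; if the scope has widened, state it in the option description, and if it has not, keep the caveat so operators know which negative answers the validator will still fetch.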
......
......@@ -229,9 +229,6 @@
default.
</p>
<p>
Note: This initial implementation can only synthesize NXDOMAIN
responses, from NSEC records. Support for NODATA responses,
wilcard responses, and NSEC3 records will be added soon.
Thanks to APNIC for sponsoring this work.
</p>
</li>
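Review bot: with the NXDOMAIN-only sentence removed, this release note no longer tells readers what synth-from-dnssec synthesizes, and the paragraph is reduced to the APNIC acknowledgement; either add the current scope (NSEC and/or NSEC3, NXDOMAIN/NODATA/wildcard) to the note or fold the acknowledgement into the preceding paragraph.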
......@@ -413,20 +410,28 @@
</li>
<li class="listitem">
<p>
When <span class="command"><strong>named</strong></span> is linked with OpenSSL, the
OpenSSL RAND routine can be used as the source of entropy/
randomness by specifying
<span class="command"><strong>random-device openssl;</strong></span> in
<code class="filename">named.conf</code>. It can also be used in tools
such as <span class="command"><strong>dnssec-keygen</strong></span>,
<span class="command"><strong>tsig-keygen</strong></span>,
and <span class="command"><strong>nsupdate</strong></span> by specifying
<span class="command"><strong>-r openssl</strong></span> on the command line.
This is suitable for a virtual machine environment without
a hardware random number generator.
This behavior can be overridden by using
<span class="command"><strong>configure --disable-crypto-rand</strong></span> or
building with native PKCS#11. [RT #31459]
By default, BIND now uses the random number generation functions
in the cryptographic library (i.e., OpenSSL or a PKCS#11
provider) as a source of high-quality randomness rather than
<code class="filename">/dev/random</code>. This is suitable for virtual
machine environments, which may have limited entropy pools and
lack hardware random number generators.
</p>
<p>
This can be overridden by specifying another entropy source via
the <span class="command"><strong>random-device</strong></span> option in
<code class="filename">named.conf</code>, or via the <span class="command"><strong>-r</strong></span>
command line option. However, for functions requiring full
cryptographic strength, such as DNSSEC key generation, this
<span class="emphasis"><em>cannot</em></span> be overridden. In particular, the
<span class="command"><strong>-r</strong></span> command line option no longer has any
effect on <span class="command"><strong>dnssec-keygen</strong></span>.
</p>
<p>
This can be disabled by building with
<span class="command"><strong>configure --disable-crypto-rand</strong></span>, in which
case <code class="filename">/dev/random</code> will be the default
entropy source. [RT #31459] [RT #46047]
</p>
</li>
</ul></div>
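Review bot: the rewritten release note drops the random-device openssl; and -r openssl spellings that the old text documented without saying what happens to configurations that still use them; since the random-device grammar in this commit now reads ( <quoted_string> | none ), openssl would presumably be taken as a file name, so the note should tell users to replace those settings with none (or remove them). Also, "this cannot be overridden" in the second paragraph is contradicted two sentences later by the --disable-crypto-rand paragraph; "cannot be overridden at run time" is the accurate statement.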
......
......@@ -298,15 +298,23 @@
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd>
<p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
Specifies a source of randomness. Normally, when generating
DNSSEC keys, this option has no effect; the random number
generation function provided by the cryptographic library will
be used.
</p>
<p>
If that behavior is disabled at compile time, however,
the specified file will be used as entropy source
for key generation. <code class="filename">randomdev</code> is
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
data to be used. The special value <code class="filename">keyboard</code>
indicates that keyboard input should be used.
</p>
<p>
The default is <code class="filename">/dev/random</code> if the
operating system provides it or an equivalent device;
if not, the default source of randomness is keyboard input.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
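Review bot: this hunk is the same regenerated text as the dnssec-keygen -r description earlier on this page (the man page and the first HTML rendering), so any wording fix has to go into the source they are generated from; editing one rendered copy will be undone by the next regen. The same applies to the second copies of the release-notes hunks that follow.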
......
......@@ -190,9 +190,6 @@
default.
</p>
<p>
Note: This initial implementation can only synthesize NXDOMAIN
responses, from NSEC records. Support for NODATA responses,
wilcard responses, and NSEC3 records will be added soon.
Thanks to APNIC for sponsoring this work.
</p>
</li>
......@@ -374,20 +371,28 @@
</li>
<li class="listitem">
<p>
When <span class="command"><strong>named</strong></span> is linked with OpenSSL, the
OpenSSL RAND routine can be used as the source of entropy/
randomness by specifying
<span class="command"><strong>random-device openssl;</strong></span> in
<code class="filename">named.conf</code>. It can also be used in tools
such as <span class="command"><strong>dnssec-keygen</strong></span>,
<span class="command"><strong>tsig-keygen</strong></span>,
and <span class="command"><strong>nsupdate</strong></span> by specifying
<span class="command"><strong>-r openssl</strong></span> on the command line.
This is suitable for a virtual machine environment without
a hardware random number generator.
This behavior can be overridden by using
<span class="command"><strong>configure --disable-crypto-rand</strong></span> or
building with native PKCS#11. [RT #31459]
By default, BIND now uses the random number generation functions
in the cryptographic library (i.e., OpenSSL or a PKCS#11
provider) as a source of high-quality randomness rather than
<code class="filename">/dev/random</code>. This is suitable for virtual
machine environments, which may have limited entropy pools and
lack hardware random number generators.
</p>
<p>
This can be overridden by specifying another entropy source via
the <span class="command"><strong>random-device</strong></span> option in
<code class="filename">named.conf</code>, or via the <span class="command"><strong>-r</strong></span>
command line option. However, for functions requiring full
cryptographic strength, such as DNSSEC key generation, this
<span class="emphasis"><em>cannot</em></span> be overridden. In particular, the
<span class="command"><strong>-r</strong></span> command line option no longer has any
effect on <span class="command"><strong>dnssec-keygen</strong></span>.
</p>
<p>
This can be disabled by building with
<span class="command"><strong>configure --disable-crypto-rand</strong></span>, in which
case <code class="filename">/dev/random</code> will be the default
entropy source. [RT #31459] [RT #46047]
</p>
</li>
</ul></div>
......
......@@ -168,9 +168,9 @@ options {
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
files ( default | unlimited | <sizeval> );
filter-aaaa { <address_match_element>; ... };
filter-aaaa-on-v4 ( break-dnssec | <boolean> );
filter-aaaa-on-v6 ( break-dnssec | <boolean> );
filter-aaaa { <address_match_element>; ... }; // not configured
filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
flush-zones-on-shutdown <boolean>;
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
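Review bot: the new // not configured markers on filter-aaaa, filter-aaaa-on-v4 and filter-aaaa-on-v6 (and, in the following hunks, on geoip-directory and geoip-use-ecs, plus // non-operational on lmdb-mapsize) reflect the configure options of the host that regenerated this grammar rather than a property of the options, yet a reader of the ARM will take them to mean the features are unavailable. Regenerate the listing from a build with these features enabled, or add a sentence above it explaining what "not configured" and "non-operational" mean.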
......@@ -182,8 +182,8 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <integer>; // not configured
geoip-directory ( <quoted_string> | none );
geoip-use-ecs <boolean>;
geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // not configured
glue-cache <boolean>;
has-old-clients <boolean>; // obsolete
heartbeat-interval <integer>;
......@@ -202,7 +202,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // obsolete
managed-keys-directory <quoted_string>;
......@@ -270,7 +270,7 @@ options {
querylog <boolean>;
queryport-pool-ports <integer>; // obsolete
queryport-pool-updateinterval <integer>; // obsolete
random-device <quoted_string>;
random-device ( <quoted_string> | none );
rate-limit {
all-per-second <integer>;
errors-per-second <integer>;
......@@ -521,9 +521,9 @@ view <string> [ <class> ] {
fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
filter-aaaa { <address_match_element>; ... };
filter-aaaa-on-v4 ( break-dnssec | <boolean> );
filter-aaaa-on-v6 ( break-dnssec | <boolean> );
filter-aaaa { <address_match_element>; ... }; // not configured
filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
......@@ -536,7 +536,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // obsolete
managed-keys { <string> <string>
<integer> <integer> <integer>
......