Commit 1d57d460 authored by Evan Hunt

[master] change rndc-confgen default algorithm

this completes change 4785. the CHANGES note has been revised:

4785.	[func]		The hmac-md5 algorithm is no longer recommended for
			use with RNDC keys.  The default in rndc-confgen
			is now hmac-sha256. [RT #42272]
parent 959d2940
......@@ -39,10 +39,8 @@
[RT #46340]
 
4785. [func] The hmac-md5 algorithm is no longer recommended for
use with RNDC keys. For compatibility reasons, it
it is still the default algorithm in rndc-confgen,
but this will be changed to hmac-sha256 in a future
release. [RT #42272]
use with RNDC keys. The default in rndc-confgen
is now hmac-sha256. [RT #42272]
 
4784. [func] The use of dnssec-keygen to generate HMAC keys is
deprecated in favor of tsig-keygen. dnssec-keygen
......
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: rndc-confgen.c,v 1.7 2011/03/12 04:59:46 tbox Exp $ */
/*! \file */
/**
......@@ -67,23 +65,6 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
-A alg: algorithm (default hmac-md5 (deprecated and will change))\n\
-b bits: from 1 through 512, default 256; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
#else
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
......@@ -99,7 +80,6 @@ Usage:\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
#endif
exit (status);
}
......@@ -115,7 +95,6 @@ main(int argc, char **argv) {
const char *randomfile = NULL;
const char *serveraddr = NULL;
dns_secalg_t alg;
isc_boolean_t algset = ISC_FALSE;
const char *algname;
char *p;
int ch;
......@@ -136,11 +115,7 @@ main(int argc, char **argv) {
progname = program;
keyname = DEFAULT_KEYNAME;
#ifndef PK11_MD5_DISABLE
alg = DST_ALG_HMACMD5;
#else
alg = DST_ALG_HMACSHA256;
#endif
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
......@@ -154,7 +129,6 @@ main(int argc, char **argv) {
keyonly = ISC_TRUE;
break;
case 'A':
algset = ISC_TRUE;
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN)
......@@ -228,17 +202,9 @@ main(int argc, char **argv) {
usage(1);
if (alg == DST_ALG_HMACMD5) {
if (algset) {
fprintf(stderr,
"warning: use of hmac-md5 for RNDC keys "
"is deprecated; hmac-sha256 is now "
"recommended.\n");
} else {
fprintf(stderr,
"warning: the default algorithm hmac-md5 "
"is deprecated and will be\n"
"changed to hmac-sha256 in a future release\n");
}
fprintf(stderr,
"warning: use of hmac-md5 for RNDC keys "
"is deprecated; hmac-sha256 is now recommended.\n");
}
if (keysize < 0)
......
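Review bot: With the `#ifndef PK11_MD5_DISABLE` branches removed, the surviving `if (alg == DST_ALG_HMACMD5)` check in main() only prints a deprecation warning, so in a build where MD5 was disabled at compile time `-A hmac-md5` now warns and continues; whether alg_fromtext() or the later key generation rejects it is not visible in this hunk. If MD5 is genuinely unavailable in that configuration, this should be a hard error rather than a warning, e.g. under `#ifdef PK11_MD5_DISABLE` treat it the same way the `alg == DST_ALG_UNKNOWN` case a few lines above is treated instead of falling through to the warning. The `-A alg:` line of the usage() text that remains is also outside the hunk; the deleted branch read `default hmac-md5 (deprecated and will change)`, and the kept text should now say `default hmac-sha256` so the help output matches the new `alg = DST_ALG_HMACSHA256;` default. main() begins in an earlier hunk and continues past the end of this one.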
......@@ -129,12 +129,7 @@
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-md5, or
if MD5 was disabled at compile time, hmac-sha256.
</para>
<para>
Note: Use of hmac-md5 is no longer recommended, and the default
value will be changed to hmac-sha256 in a future release.
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</para>
</listitem>
</varlistentry>
......
......@@ -500,11 +500,9 @@
<listitem>
<para>
The use of HMAC-MD5 for RNDC keys is no longer recommended.
For compatibility, this is still the default algorithm generated
by <command>rndc-confgen</command>, but it will print a
warning message. The default algorithm in
<command>rndc-confgen</command> will be changed to HMAC-SHA256
in a future release. [RT #42272]
The default algorithm generated by <command>rndc-confgen</command>,
is now HMAC-256, and a warning message will be printed if
HMAC-MD5 is used. [RT #42272]
</para>
</listitem>
<listitem>
......