2701. [doc] Correction to ARM: hmac-md5 is no longer the only

supported TSIG key algorithm. [RT #18046]

2701. [doc] Correction to ARM: hmac-md5 is no longer the only
supported TSIG key algorithm. [RT #18046]
48b6d2f5 · Evan Hunt · 58b81e71 · 48b6d2f5 · 48b6d2f5 · 48b6d2f5
Commit 48b6d2f5 authored Oct 05, 2009 by Evan Hunt
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 30 deletions

CHANGES CHANGES +3 -0

FAQ FAQ +8 -8

FAQ.xml FAQ.xml +9 -9

doc/arm/Bv9ARM-book.xml doc/arm/Bv9ARM-book.xml +10 -13

No files found.
--- a/CHANGES
+++ b/CHANGES
+2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
+			supported TSIG key algorithm. [RT #18046]
+
 2700.	[doc]		The match-mapped-addresses option is discouraged.
 			[RT #12252]


--- a/FAQ
+++ b/FAQ
@@ -153,8 +153,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.

   Master 10.0.1.1:
           key "external" {
-                   algorithm hmac-md5;
-                   secret "xxxxxxxx";
+                   algorithm hmac-sha256;
+                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; // reject message ment for the
@@ -174,8 +174,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.

   Slave 10.0.1.2:
           key "external" {
-                   algorithm hmac-md5;
-                   secret "xxxxxxxx";
+                   algorithm hmac-sha256;
+                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; 10.0.1/24; };
@@ -225,13 +225,13 @@ A: You choose one view to be master and the second a slave and transfer

   Master 10.0.1.1:
           key "external" {
-                   algorithm hmac-md5;
-                   secret "xxxxxxxx";
+                   algorithm hmac-sha256;
+                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
           };

           key "mykey" {
-                   algorithm hmac-md5;
-                   secret "yyyyyyyy";
+                   algorithm hmac-sha256;
+                   secret "yyyyyyyyyyyyyyyyyyyyyyyy";
           };

           view "internal" {

--- a/FAQ.xml
+++ b/FAQ.xml
@@ -17,7 +17,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: FAQ.xml,v 1.50 2009/08/19 23:38:11 marka Exp $ -->
+<!-- $Id: FAQ.xml,v 1.51 2009/10/05 01:49:59 each Exp $ -->

 <article class="faq">
  <title>Frequently Asked Questions about BIND 9</title>
@@ -319,8 +319,8 @@ Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
 	  <programlisting>
 Master 10.0.1.1:
 	key "external" {
-		algorithm hmac-md5;
-		secret "xxxxxxxx";
+		algorithm hmac-sha256;
+		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
 	};
 	view "internal" {
 		match-clients { !key external; // reject message ment for the
@@ -340,8 +340,8 @@ Master 10.0.1.1:

 Slave 10.0.1.2:
 	key "external" {
-		algorithm hmac-md5;
-		secret "xxxxxxxx";
+		algorithm hmac-sha256;
+		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
 	};
 	view "internal" {
 		match-clients { !key external; 10.0.1/24; };
@@ -429,13 +429,13 @@ named-checkzone example.com tmp</programlisting>
 	  <programlisting>
 Master 10.0.1.1:
 	key "external" {
-		algorithm hmac-md5;
-		secret "xxxxxxxx";
+		algorithm hmac-sha256;
+		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
 	};

 	key "mykey" {
-		algorithm hmac-md5;
-		secret "yyyyyyyy";
+		algorithm hmac-sha256;
+		secret "yyyyyyyyyyyyyyyyyyyyyyyy";
 	};

 	view "internal" {

--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- File: $Id: Bv9ARM-book.xml,v 1.429 2009/10/03 23:35:28 each Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.430 2009/10/05 01:49:59 each Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
  <title>BIND 9 Administrator Reference Manual</title>

@@ -2086,17 +2086,16 @@ nameserver 172.16.72.4
        <sect3>
          <title>Automatic Generation</title>
          <para>
-            The following command will generate a 128-bit (16 byte) HMAC-MD5
+            The following command will generate a 128-bit (16 byte) HMAC-SHA256
            key as described above. Longer keys are better, but shorter keys
-            are easier to read. Note that the maximum key length is 512 bits;
-            keys longer than that will be digested with MD5 to produce a
-            128-bit key.
+            are easier to read. Note that the maximum key length is the digest
+            length, here 256 bits.
          </para>
          <para>
-            <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
+            <userinput>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</userinput>
          </para>
          <para>
-            The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
+            The key is in the file <filename>Khost1-host2.+163+00000.private</filename>.
            Nothing directly uses this file, but the base-64 encoded string
            following "<literal>Key:</literal>"
            can be extracted from the file and used as a shared secret:
@@ -2138,18 +2137,16 @@ nameserver 172.16.72.4

 <programlisting>
 key host1-host2. {
-  algorithm hmac-md5;
+  algorithm hmac-sha256;
  secret "La/E5CjG9O+os1jq0a2jdA==";
 };
 </programlisting>

        <para>
-          The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.
          The secret is the one generated above. Since this is a secret, it
-          is recommended that either <filename>named.conf</filename> be non-world
-          readable, or the key directive be added to a non-world readable
-          file that is included by
-          <filename>named.conf</filename>.
+          is recommended that either <filename>named.conf</filename> be
+          non-world readable, or the key directive be added to a non-world
+          readable file that is included by <filename>named.conf</filename>.
        </para>
        <para>
          At this point, the key is recognized. This means that if the