Commit 48b6d2f5 authored by Evan Hunt

2701. [doc] Correction to ARM: hmac-md5 is no longer the only
supported TSIG key algorithm. [RT #18046]
parent 58b81e71
2701. [doc] Correction to ARM: hmac-md5 is no longer the only
supported TSIG key algorithm. [RT #18046]
2700. [doc] The match-mapped-addresses option is discouraged.
[RT #12252]
......
......@@ -153,8 +153,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
Master 10.0.1.1:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
view "internal" {
match-clients { !key external; // reject message ment for the
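Review bot: the answer this hunk sits under is framed as "BIND 9.3 and later", but the example now depends on `algorithm hmac-sha256;`; confirm that the stated minimum version still supports that algorithm, or raise the version in the answer heading so a reader on the older release is not handed a configuration named will reject. The trailing context line `match-clients { !key external; // reject message ment for the` also carries a typo ("meant") that is worth fixing while this block is being touched.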
......@@ -174,8 +174,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
Slave 10.0.1.2:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
......@@ -225,13 +225,13 @@ A: You choose one view to be master and the second a slave and transfer
Master 10.0.1.1:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
key "mykey" {
algorithm hmac-md5;
secret "yyyyyyyy";
algorithm hmac-sha256;
secret "yyyyyyyyyyyyyyyyyyyyyyyy";
};
view "internal" {
......
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: FAQ.xml,v 1.50 2009/08/19 23:38:11 marka Exp $ -->
<!-- $Id: FAQ.xml,v 1.51 2009/10/05 01:49:59 each Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
......@@ -319,8 +319,8 @@ Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
<programlisting>
Master 10.0.1.1:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
view "internal" {
match-clients { !key external; // reject message ment for the
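Review bot: same block as in the generated FAQ, but this is the `<programlisting>` source, so the typo in the context line `match-clients { !key external; // reject message ment for the` ("meant") should be corrected here and the FAQ regenerated rather than patched in the text output alone. The placeholder secret `"xxxxxxxxxxxxxxxxxxxxxxxx"` is 24 base64 characters (18 bytes); that is fine for an obvious placeholder, but it would be slightly clearer to use a length that matches the 128-bit example the ARM generates (22 characters plus `==` padding), so readers do not copy a mismatched length into a real key file.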
......@@ -340,8 +340,8 @@ Master 10.0.1.1:
Slave 10.0.1.2:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
......@@ -429,13 +429,13 @@ named-checkzone example.com tmp</programlisting>
<programlisting>
Master 10.0.1.1:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
key "mykey" {
algorithm hmac-md5;
secret "yyyyyyyy";
algorithm hmac-sha256;
secret "yyyyyyyyyyyyyyyyyyyyyyyy";
};
view "internal" {
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.429 2009/10/03 23:35:28 each Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.430 2009/10/05 01:49:59 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -2086,17 +2086,16 @@ nameserver 172.16.72.4
<sect3>
<title>Automatic Generation</title>
<para>
The following command will generate a 128-bit (16 byte) HMAC-MD5
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
are easier to read. Note that the maximum key length is 512 bits;
keys longer than that will be digested with MD5 to produce a
128-bit key.
are easier to read. Note that the maximum key length is the digest
length, here 256 bits.
</para>
<para>
<userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
<userinput>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</userinput>
</para>
<para>
The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
The key is in the file <filename>Khost1-host2.+163+00000.private</filename>.
Nothing directly uses this file, but the base-64 encoded string
following "<literal>Key:</literal>"
can be extracted from the file and used as a shared secret:
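Review bot: the prose now says "Longer keys are better" and that the maximum is the digest length of 256 bits, yet the example still runs `dnssec-keygen -a hmac-sha256 -b 128`, so the text recommends more than the example does; either use `-b 256` in the command (and update the resulting `Key:` string and the secret in the following `key host1-host2.` listing to a 32-byte value) or say explicitly that 128 bits is chosen for readability. The new sentence "the maximum key length is the digest length, here 256 bits" should also state that this is the `-b` limit enforced by `dnssec-keygen`, since the old text it replaces described what happens to over-long keys and the new wording could be read as a limit on the secret that `named` will accept. The algorithm number 163 in `Khost1-host2.+163+00000.private` correctly matches HMAC-SHA256.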
......@@ -2138,18 +2137,16 @@ nameserver 172.16.72.4
<programlisting>
key host1-host2. {
algorithm hmac-md5;
algorithm hmac-sha256;
secret "La/E5CjG9O+os1jq0a2jdA==";
};
</programlisting>
<para>
The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.
The secret is the one generated above. Since this is a secret, it
is recommended that either <filename>named.conf</filename> be non-world
readable, or the key directive be added to a non-world readable
file that is included by
<filename>named.conf</filename>.
is recommended that either <filename>named.conf</filename> be
non-world readable, or the key directive be added to a non-world
readable file that is included by <filename>named.conf</filename>.
</para>
<para>
At this point, the key is recognized. This means that if the
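Review bot: deleting `The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.` fixes the wrong claim, but leaves this paragraph with no statement at all of which TSIG algorithms are accepted; since this is the sentence the CHANGES entry (2701) refers to, replace it with one that names the supported algorithms (or points at the `key` statement reference where they are listed) rather than removing it outright. The unchanged secret `"La/E5CjG9O+os1jq0a2jdA=="` decodes to 16 bytes, which is consistent with the `-b 128` command above, so no change is needed there unless the example key size is raised.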