1. 07 Dec, 2017 1 commit
  2. 01 Nov, 2017 1 commit
  3. 31 Oct, 2017 2 commits
  4. 25 Oct, 2017 1 commit
  5. 24 Oct, 2017 1 commit
    • Evan Hunt's avatar
      [master] deprecate HMAC in dnssec-keygen, MD5 in rndc-confgen · 21761bfe
      Evan Hunt authored
      4785.	[func]		The hmac-md5 algorithm is no longer recommended for
      			use with RNDC keys. For compatibility reasons, it
      			it is still the default algorithm in rndc-confgen,
      			but this will be changed to hmac-sha256 in a future
      			release. [RT #42272]
      
      4784.	[func]		The use of dnssec-keygen to generate HMAC keys is
      			deprecated in favor of tsig-keygen.  dnssec-keygen
      			will print a warning when used for this purpose.
      			All HMAC algorithms will be removed from
      			dnssec-keygen in a future release. [RT #42272]
      21761bfe
  6. 18 Oct, 2017 1 commit
  7. 17 Oct, 2017 2 commits
  8. 10 Oct, 2017 1 commit
  9. 09 Oct, 2017 2 commits
  10. 06 Oct, 2017 1 commit
  11. 05 Oct, 2017 2 commits
  12. 03 Oct, 2017 4 commits
  13. 29 Sep, 2017 1 commit
  14. 28 Sep, 2017 1 commit
    • Evan Hunt's avatar
      [master] completed and corrected the crypto-random change · 24172bd2
      Evan Hunt authored
      4724.	[func]		By default, BIND now uses the random number
      			functions provided by the crypto library (i.e.,
      			OpenSSL or a PKCS#11 provider) as a source of
      			randomness rather than /dev/random.  This is
      			suitable for virtual machine environments
      			which have limited entropy pools and lack
      			hardware random number generators.
      
      			This can be overridden by specifying another
      			entropy source via the "random-device" option
      			in named.conf, or via the -r command line option;
      			however, for functions requiring full cryptographic
      			strength, such as DNSSEC key generation, this
      			cannot be overridden. In particular, the -r
      			command line option no longer has any effect on
      			dnssec-keygen.
      
      			This can be disabled by building with
      			"configure --disable-crypto-rand".
      			[RT #31459] [RT #46047]
      24172bd2
  15. 18 Sep, 2017 1 commit
  16. 14 Sep, 2017 1 commit
  17. 13 Sep, 2017 5 commits
  18. 12 Sep, 2017 1 commit
  19. 09 Sep, 2017 1 commit
  20. 08 Sep, 2017 3 commits
  21. 01 Sep, 2017 1 commit
  22. 31 Aug, 2017 1 commit
    • Evan Hunt's avatar
      [master] remove default algorithm in dnssec-keygen · 45afdb26
      Evan Hunt authored
      4594.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
      			the signing algorithm must be specified on
      			the command line with the "-a" option.  Signing
      			scripts that rely on the existing default behavior
      			will break; use "dnssec-keygen -a RSASHA1" to
      			repair them. (The goal of this change is to make
      			it easier to find scripts using RSASHA1 so they
      			can be changed in the event of that algorithm
      			being deprecated in the future.) [RT #44755]
      45afdb26
  23. 22 Aug, 2017 1 commit
  24. 21 Aug, 2017 3 commits
  25. 14 Aug, 2017 1 commit