From: Remi Gacogne Date: Tue, 14 Jun 2016 18:57:11 +0000 (+0200) Subject: As noted by @stirnim, OpenSSL does not respect rfc6979 X-Git-Tag: auth-4.0.0-rc1~42^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51faa9ffdac6c6cce6f460bc8ccc8339e5a4672c;p=thirdparty%2Fpdns.git As noted by @stirnim, OpenSSL does not respect rfc6979 --- diff --git a/docs/markdown/authoritative/dnssec.md b/docs/markdown/authoritative/dnssec.md index d8b74b9ccd..d6911aef83 100644 --- a/docs/markdown/authoritative/dnssec.md +++ b/docs/markdown/authoritative/dnssec.md @@ -111,8 +111,8 @@ In order to facilitate interoperability with existing technologies, PowerDNS key can be imported and exported in industry standard formats. When using OpenSSL for ECDSA signatures (this is default), starting from OpenSSL -1.1.0, [RFC 6979](http://tools.ietf.org/html/rfc6979) deterministic signatures are -used. +1.1.0, the algorithm used is resilient against PRNG failure, while not +strictly conforming to [RFC 6979](http://tools.ietf.org/html/rfc6979). **Note**: Actual supported algorithms depend on the crypto-libraries PowerDNS was compiled against. To check the supported DNSSEC algoritms in your build of PowerDNS,
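Review bot: In the docs/markdown/authoritative/dnssec.md hunk, the replacement sentence ("the algorithm used is resilient against PRNG failure, while not strictly conforming to RFC 6979") drops the word "deterministic" without saying whether signatures are still deterministic, and "resilient against PRNG failure" does not name the property that provides that resilience. Suggest stating explicitly whether signing the same data twice with the same key is expected to give identical signatures, and in what respect the behaviour departs from RFC 6979, so that operators do not assume reproducible signatures or compare output against RFC 6979 test vectors by mistake. Minor: the trailing context line spells "algoritms", which could be corrected in the same file.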