[RT #46340]
4785. [func] The hmac-md5 algorithm is no longer recommended for
- use with RNDC keys. For compatibility reasons, it
- it is still the default algorithm in rndc-confgen,
- but this will be changed to hmac-sha256 in a future
- release. [RT #42272]
+ use with RNDC keys. The default in rndc-confgen
+ is now hmac-sha256. [RT #42272]
4784. [func] The use of dnssec-keygen to generate HMAC keys is
deprecated in favor of tsig-keygen. dnssec-keygen
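Review bot: the new CHANGES wording in `+ use with RNDC keys. The default in rndc-confgen` / `+ is now hmac-sha256.` omits that rndc-confgen now prints a warning when hmac-md5 is selected explicitly with -A, which is the behaviour the release-notes hunk of this same patch describes; adding that half-sentence keeps the two entries consistent and tells operators why they may suddenly see a warning in scripts that pass -A hmac-md5.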
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
-/* $Id: rndc-confgen.c,v 1.7 2011/03/12 04:59:46 tbox Exp $ */
-
/*! \file */
/**
static void
usage(int status) {
-#ifndef PK11_MD5_DISABLE
- fprintf(stderr, "\
-Usage:\n\
- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
-[-s addr] [-t chrootdir] [-u user]\n\
- -a: generate just the key clause and write it to keyfile (%s)\n\
- -A alg: algorithm (default hmac-md5 (deprecated and will change))\n\
- -b bits: from 1 through 512, default 256; total length of the secret\n\
- -c keyfile: specify an alternate key file (requires -a)\n\
- -k keyname: the name as it will be used in named.conf and rndc.conf\n\
- -p port: the port named will listen on and rndc will connect to\n\
- -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
- -s addr: the address to which rndc should connect\n\
- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
- -u user: set the keyfile owner to \"user\" (requires -a)\n",
- progname, keydef);
-#else
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
-#endif
exit (status);
}
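Review bot: the only visible description of the -A option, `-A alg: algorithm (default hmac-md5 (deprecated and will change))`, is deleted together with the `#ifndef PK11_MD5_DISABLE` branch, while the surviving fprintf (the former #else branch) is only shown from its `-t chrootdir` and `-u user` lines onward; please check that the retained usage text still documents `-A alg` and names hmac-sha256 as the default without the "(deprecated and will change)" remark, since with the guard gone this is now the single help text every build prints.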
const char *randomfile = NULL;
const char *serveraddr = NULL;
dns_secalg_t alg;
- isc_boolean_t algset = ISC_FALSE;
const char *algname;
char *p;
int ch;
progname = program;
keyname = DEFAULT_KEYNAME;
-#ifndef PK11_MD5_DISABLE
- alg = DST_ALG_HMACMD5;
-#else
alg = DST_ALG_HMACSHA256;
-#endif
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
keyonly = ISC_TRUE;
break;
case 'A':
- algset = ISC_TRUE;
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN)
usage(1);
if (alg == DST_ALG_HMACMD5) {
- if (algset) {
- fprintf(stderr,
- "warning: use of hmac-md5 for RNDC keys "
- "is deprecated; hmac-sha256 is now "
- "recommended.\n");
- } else {
- fprintf(stderr,
- "warning: the default algorithm hmac-md5 "
- "is deprecated and will be\n"
- "changed to hmac-sha256 in a future release\n");
- }
+ fprintf(stderr,
+ "warning: use of hmac-md5 for RNDC keys "
+ "is deprecated; hmac-sha256 is now recommended.\n");
}
if (keysize < 0)
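Review bot: the check at `if (alg == DST_ALG_HMACMD5)` only warns on stderr and continues, but the `#ifndef PK11_MD5_DISABLE` guards removed elsewhere in this file show that MD5 can be compiled out; when PK11_MD5_DISABLE is defined, `-A hmac-md5` should presumably be rejected (for example with usage(1) or an explicit error) rather than merely warned about, otherwise the generated rndc configuration names an algorithm the build was configured without. Dropping `algset` is fine now that hmac-md5 can only be reached through -A, so the single remaining message is the right one.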
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-md5, or
- if MD5 was disabled at compile time, hmac-sha256.
- </para>
- <para>
- Note: Use of hmac-md5 is no longer recommended, and the default
- value will be changed to hmac-sha256 in a future release.
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</para>
</listitem>
</varlistentry>
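Review bot: the edited `<para>` still lists hmac-md5 among the available choices but no longer says it is deprecated, because the paragraph that carried `Note: Use of hmac-md5 is no longer recommended` is deleted along with the old default; keep one sentence such as "Use of hmac-md5 is deprecated and <command>rndc-confgen</command> prints a warning if it is selected." so the man page matches the stderr warning the code emits in this patch.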
<listitem>
<para>
The use of HMAC-MD5 for RNDC keys is no longer recommended.
- For compatibility, this is still the default algorithm generated
- by <command>rndc-confgen</command>, but it will print a
- warning message. The default algorithm in
- <command>rndc-confgen</command> will be changed to HMAC-SHA256
- in a future release. [RT #42272]
+ The default algorithm generated by <command>rndc-confgen</command>,
+ is now HMAC-256, and a warning message will be printed if
+ HMAC-MD5 is used. [RT #42272]
</para>
</listitem>
<listitem>
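Review bot: `is now HMAC-256` in the added release-note text should read HMAC-SHA256, the name used in every other hunk of this patch, and the comma after `<command>rndc-confgen</command>,` separates the subject from its verb; suggested wording: `The default algorithm generated by <command>rndc-confgen</command>` / `is now HMAC-SHA256, and a warning message is printed if` / `HMAC-MD5 is used. [RT #42272]`.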