+4785. [func] The hmac-md5 algorithm is no longer recommended for
+ use with RNDC keys. For compatibility reasons, it
+ it is still the default algorithm in rndc-confgen,
+ but this will be changed to hmac-sha256 in a future
+ release. [RT #42272]
+
+4784. [func] The use of dnssec-keygen to generate HMAC keys is
+ deprecated in favor of tsig-keygen. dnssec-keygen
+ will print a warning when used for this purpose.
+ All HMAC algorithms will be removed from
+ dnssec-keygen in a future release. [RT #42272]
+
4783. [test] dnssec: 'check that NOTIFY is sent at the end of
NSEC3 chain generation failed' required more time
on some machines for the IXFR to complete. [RT #46388]
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
- -A alg: algorithm (default hmac-md5)\n\
+ -A alg: algorithm (default hmac-md5 (deprecated and will change))\n\
-b bits: from 1 through 512, default 256; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
const char *randomfile = NULL;
const char *serveraddr = NULL;
dns_secalg_t alg;
+ isc_boolean_t algset = ISC_FALSE;
const char *algname;
char *p;
int ch;
keyonly = ISC_TRUE;
break;
case 'A':
+ algset = ISC_TRUE;
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN)
if (argc > 0)
usage(1);
+ if (alg == DST_ALG_HMACMD5) {
+ if (algset) {
+ fprintf(stderr,
+ "warning: use of hmac-md5 for RNDC keys "
+ "is deprecated; hmac-sha256 is now "
+ "recommended.\n");
+ } else {
+ fprintf(stderr,
+ "warning: the default algorithm hmac-md5 "
+ "is deprecated and will be\n"
+ "changed to hmac-sha256 in a future release\n")
+ }
+ }
+
if (keysize < 0)
keysize = alg_bits(alg);
algname = alg_totext(alg);
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-md5 or
- if MD5 was disabled hmac-sha256.
+ hmac-sha384 and hmac-sha512. The default is hmac-md5, or
+ if MD5 was disabled at compile time, hmac-sha256.
+ </para>
+ <para>
+ Note: Use of hmac-md5 is no longer recommended, and the default
+ value will be changed to hmac-sha256 in a future release.
</para>
</listitem>
</varlistentry>
INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5));
#endif
+
+ if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
+ {
+ fprintf(stderr,
+ "Use of dnssec-keygen for HMAC keys is "
+ "deprecated: use tsig-keygen\n");
+ }
+
if (!dst_algorithm_supported(alg))
fatal("unsupported algorithm: %d", alg);
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
- TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
- HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
- or HMAC-SHA512; specifying any of these algorithms will
- automatically set the <option>-T KEY</option> option as well.
- (Note: <command>tsig-keygen</command> produces TSIG keys in a
- more useful format than <command>dnssec-keygen</command>.)
+ TKEY and SIG(0) keys, the value must be DH (Diffie Hellman);
+ specifying this value will automatically set the
+ <option>-T KEY</option> option as well.
+ </para>
+ <para>
+ TSIG keys can also by generated by setting the value to
+ one of HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
+ HMAC-SHA384, or HMAC-SHA512. As with DH, specifying these
+ values will automatically set <option>-T KEY</option>. Note,
+ however, that <command>tsig-keygen</command> produces TSIG keys
+ in a more useful format. These algorithms have been deprecated
+ in <command>dnssec-keygen</command>, and will be removed in a
+ future release.
</para>
<para>
These values are case insensitive. In some cases, abbreviations
</para>
<para>
As of BIND 9.12.0, this option is mandatory except when using
- the <option>-S</option> option (which copies the algorithm from
- the predecessor key). Previously, the default for newly
+ the <option>-S</option> option, which copies the algorithm from
+ the predecessor key. Previously, the default for newly
generated keys was RSASHA1.
</para>
</listitem>
they are set.
</para>
</listitem>
+ <listitem>
+ <para>
+ The use of <command>dnssec-keygen</command> to generate
+ HMAC keys for TSIG authentication has been deprecated in favor
+ of <command>tsig-keygen</command>. If the algorithms HMAC-MD5,
+ HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or
+ HMAC-SHA512 are specified, <command>dnssec-keygen</command>
+ will print a warning message. These algorithms will be
+ removed from <command>dnssec-keygen</command> entirely in
+ a future release. [RT #42272]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The use of HMAC-MD5 for RNDC keys is no longer recommended.
+ For compatibility, this is still the default algorithm generated
+ by <command>rndc-confgen</command>, but it will print a
+ warning message. The default algorithm in
+ <command>rndc-confgen</command> will be changed to HMAC-SHA256
+ in a future release. [RT #42272]
+ </para>
+ </listitem>
</itemizedlist>
</section>
projects / thirdparty / bind9.git / commitdiff
