</para>
<para>
- A secure zone must contain one or more zone keys. The
- zone keys will sign all other records in the zone, as well as
- the zone keys of any secure delegated zones. Zone keys must
- have the same name as the zone, a name type of
- <command>ZONE</command>, and must be usable for
- authentication.
- It is recommended that zone keys use a cryptographic algorithm
- designated as "mandatory to implement" by the IETF; currently
- the only one is RSASHA1.
+ A secure zone must contain one or more zone keys. The zone keys will
+ sign all other records in the zone, as well as the zone keys of any
+ secure delegated zones. Zone keys must have the same name as the
+ zone, a name type of <command>ZONE</command>, and must be usable for
+ authentication. It is recommended that zone keys use a cryptographic
+ algorithm designated as "mandatory to implement" by the IETF;
+ currently the are two algorithms: RSASHA256 and ECDSAP256SHA256.
+ ECDSAP256SHA256 is recommended for current and future deployments.
</para>
<para>
- The following command will generate a 768-bit RSASHA1 key for
+ The following command will generate a ECDSAP256SHA256 key for
the <filename>child.example</filename> zone:
</para>
<para>
- <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
+ <userinput>dnssec-keygen -a ECDSAP256SHA256 -n ZONE child.example.</userinput>
</para>
<para>
Two output files will be produced:
- <filename>Kchild.example.+005+12345.key</filename> and
- <filename>Kchild.example.+005+12345.private</filename>
- (where
- 12345 is an example of a key tag). The key filenames contain
- the key name (<filename>child.example.</filename>),
- algorithm (3
- is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
- this case).
- The private key (in the <filename>.private</filename>
- file) is
- used to generate signatures, and the public key (in the
- <filename>.key</filename> file) is used for signature
- verification.
+ <filename>Kchild.example.+013+12345.key</filename> and
+ <filename>Kchild.example.+013+12345.private</filename> (where 12345 is
+ an example of a key tag). The key filenames contain the key name
+ (<filename>child.example.</filename>), algorithm (5 is RSASHA1, 8 is
+ RSASHA256, 13 is ECDSAP256SHA256, 15 is ED25519 etc.), and the key tag
+ (12345 in this case). The private key (in the
+ <filename>.private</filename> file) is used to generate signatures,
+ and the public key (in the <filename>.key</filename> file) is used for
+ signature verification.
</para>
<para>
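Review bot: the added text on the first paragraph has a typo, "currently the are two algorithms" should read "currently there are two algorithms", and the rewritten sentence in the second paragraph needs the article fixed, "a ECDSAP256SHA256 key" should be "an ECDSAP256SHA256 key". Beyond those, the change is consistent: dropping `-b 768` from the `dnssec-keygen` invocation is correct because ECDSAP256SHA256 has a fixed key size, the example filenames were updated to `+013+` to match that algorithm's number, and the algorithm list (5, 8, 13, 15) agrees with the IANA DNSSEC algorithm registry. Two small suggestions on the algorithm list: add a comma before "etc." ("15 is ED25519, etc."), and note in the text that the three-digit field in the filename is the algorithm number zero-padded, which is why the reader sees `013` rather than `13`.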