.PP
\-r \fIrandomdev\fR
.RS 4
-Specifies the source of randomness\&. If the operating system does not provide a
-/dev/random
-or equivalent device, the default source of randomness is keyboard input\&.
+Specifies a source of randomness\&. Normally, when generating DNSSEC keys, this option has no effect; the random number generation function provided by the cryptographic library will be used\&.
+.sp
+If that behavior is disabled at compile time, however, the specified file will be used as entropy source for key generation\&.
randomdev
-specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
+is the name of a character device or file containing random data to be used\&. The special value
keyboard
indicates that keyboard input should be used\&.
+.sp
+The default is
+/dev/random
+if the operating system provides it or an equivalent device; if not, the default source of randomness is keyboard input\&.
.RE
.PP
\-S \fIkey\fR
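Review bot: the new "The default is /dev/random ..." paragraph is not scoped to the compile-time case it belongs to. As written it contradicts the first paragraph, which says the cryptographic library's RNG is used and the option has no effect; a reader skimming to the default will conclude that /dev/random is consulted in the normal build. Suggest opening that paragraph with "When that behavior is disabled at compile time, the default is /dev/random ..." so the three paragraphs read as one rule. Also "used as entropy source" wants an article: "used as an entropy source".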
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd>
<p>
- Specifies the source of randomness. If the operating
- system does not provide a <code class="filename">/dev/random</code>
- or equivalent device, the default source of randomness
- is keyboard input. <code class="filename">randomdev</code>
- specifies
+ Specifies a source of randomness. Normally, when generating
+ DNSSEC keys, this option has no effect; the random number
+ generation function provided by the cryptographic library will
+ be used.
+ </p>
+ <p>
+ If that behavior is disabled at compile time, however,
+ the specified file will be used as entropy source
+ for key generation. <code class="filename">randomdev</code> is
the name of a character device or file containing random
- data to be used instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard
- input should be used.
+ data to be used. The special value <code class="filename">keyboard</code>
+ indicates that keyboard input should be used.
+ </p>
+ <p>
+ The default is <code class="filename">/dev/random</code> if the
+ operating system provides it or an equivalent device;
+ if not, the default source of randomness is keyboard input.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dt><span class="term"><span class="command"><strong>random-device</strong></span></span></dt>
<dd>
<p>
- The source of entropy to be used by the server. Entropy is
- primarily needed
- for DNSSEC operations, such as TKEY transactions and dynamic
- update of signed
- zones. This options specifies the device (or file) from which
- to read
- entropy. If this is a file, operations requiring entropy will
- fail when the
- file has been exhausted. If not specified, the default value
- is
- <code class="filename">/dev/random</code>
- (or equivalent) when present, and none otherwise. The
- <span class="command"><strong>random-device</strong></span> option takes
- effect during
- the initial configuration load at server startup time and
- is ignored on subsequent reloads.
+ Specifies a source of entropy to be used by the server.
+ This is a device or file from which to read entropy.
+ If it is a file, operations requiring entropy
+ will fail when the file has been exhausted.
+ </p>
+ <p>
+ Entropy is needed for cryptographic operations such as
+ TKEY transactions, dynamic update of signed zones, and
+ generation of TSIG session keys. It is also used for
+ seeding and stirring the pseudo-random number generator,
+ which is used for less critical functions requiring
+ randomness such as generation of DNS message transaction
+ ID's.
+ </p>
+ <p>
+ If <span class="command"><strong>random-device</strong></span> is not specified, or
+ if it is set to <code class="literal">none</code>, entropy will be
+ read from the random number generation function supplied
+ by the cryptographic library with which BIND was linked
+ (i.e. OpenSSL or a PKCS#11 provider).
+ </p>
+ <p>
+ The <span class="command"><strong>random-device</strong></span> option takes
+ effect during the initial configuration load at server
+ startup time and is ignored on subsequent reloads.
+ </p>
+ <p>
+ If BIND is built with
+ <span class="command"><strong>configure --disable-crypto-rand</strong></span>, then
+ entropy is <span class="emphasis"><em>not</em></span> sourced from the
+ cryptographic library. In this case, if
+ <span class="command"><strong>random-device</strong></span> is not specified, the
+ default value is the system random device,
+ <code class="filename">/dev/random</code> or the equivalent.
+ This default can be overridden with
+ <span class="command"><strong>configure --with-randomdev</strong></span>.
+ If no system random device exists, then no entropy source
+ will be configured, and <span class="command"><strong>named</strong></span> will only
+ be able to use pseudo-random numbers.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>preferred-glue</strong></span></span></dt>
<p>
Note:
</p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
DNSSEC validation must be enabled for this
option to be effective.
</p>
- </li>
-<li class="listitem">
- <p>
- This initial implementation only covers
- NXDOMAIN synthesis from NSEC records.
- Synthesis of NODATA and wildcard responses
- is also planned, as is synthesis from NSEC3
- records. All of these will be controlled
- by <span class="command"><strong>synth-from-dnssec</strong></span>.
- </p>
- </li>
-</ul></div>
+ </li></ul></div>
<p>
</p>
</dd>
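Review bot: deleting the "initial implementation only covers NXDOMAIN synthesis from NSEC records" item leaves synth-from-dnssec with no statement of what it does synthesize. If NODATA, wildcard and NSEC3 synthesis are now implemented, replace the removed item with a positive description of the supported cases; if the limitation still holds and the text is only being moved, keep a pointer here. A "Note:" introducing a single-item bullet list also reads oddly in the rendered output, though that is a consequence of the generated markup rather than this edit.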
default.
</p>
<p>
- Note: This initial implementation can only synthesize NXDOMAIN
- responses, from NSEC records. Support for NODATA responses,
- wilcard responses, and NSEC3 records will be added soon.
Thanks to APNIC for sponsoring this work.
</p>
</li>
</li>
<li class="listitem">
<p>
- When <span class="command"><strong>named</strong></span> is linked with OpenSSL, the
- OpenSSL RAND routine can be used as the source of entropy/
- randomness by specifying
- <span class="command"><strong>random-device openssl;</strong></span> in
- <code class="filename">named.conf</code>. It can also be used in tools
- such as <span class="command"><strong>dnssec-keygen</strong></span>,
- <span class="command"><strong>tsig-keygen</strong></span>,
- and <span class="command"><strong>nsupdate</strong></span> by specifying
- <span class="command"><strong>-r openssl</strong></span> on the command line.
- This is suitable for a virtual machine environment without
- a hardware random number generator.
- This behavior can be overridden by using
- <span class="command"><strong>configure --disable-crypto-rand</strong></span> or
- building with native PKCS#11. [RT #31459]
+ By default, BIND now uses the random number generation functions
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11
+ provider) as a source of high-quality randomness rather than
+ <code class="filename">/dev/random</code>. This is suitable for virtual
+ machine environments, which may have limited entropy pools and
+ lack hardware random number generators.
+ </p>
+ <p>
+ This can be overridden by specifying another entropy source via
+ the <span class="command"><strong>random-device</strong></span> option in
+ <code class="filename">named.conf</code>, or via the <span class="command"><strong>-r</strong></span>
+ command line option. However, for functions requiring full
+ cryptographic strength, such as DNSSEC key generation, this
+ <span class="emphasis"><em>cannot</em></span> be overridden. In particular, the
+ <span class="command"><strong>-r</strong></span> command line option no longer has any
+ effect on <span class="command"><strong>dnssec-keygen</strong></span>.
+ </p>
+ <p>
+ This can be disabled by building with
+ <span class="command"><strong>configure --disable-crypto-rand</strong></span>, in which
+ case <code class="filename">/dev/random</code> will be the default
+ entropy source. [RT #31459] [RT #46047]
</p>
</li>
</ul></div>
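Review bot: the removed note listed "building with native PKCS#11" alongside --disable-crypto-rand as a way to override use of the OpenSSL RAND routine, while the replacement presents "a PKCS#11 provider" as one of the RNG sources. If native PKCS#11 builds now really draw randomness from the provider, the wording is right; if they still fall back to the old behavior, the exception needs to survive in the new text. Separately, "the -r command line option no longer has any effect on dnssec-keygen" should be qualified with "in the default build" (or "unless built with --disable-crypto-rand"), since the dnssec-keygen hunks above keep -r documented for exactly that build, and the third paragraph here says the library RNG can be disabled.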
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd>
<p>
- Specifies the source of randomness. If the operating
- system does not provide a <code class="filename">/dev/random</code>
- or equivalent device, the default source of randomness
- is keyboard input. <code class="filename">randomdev</code>
- specifies
+ Specifies a source of randomness. Normally, when generating
+ DNSSEC keys, this option has no effect; the random number
+ generation function provided by the cryptographic library will
+ be used.
+ </p>
+ <p>
+ If that behavior is disabled at compile time, however,
+ the specified file will be used as entropy source
+ for key generation. <code class="filename">randomdev</code> is
the name of a character device or file containing random
- data to be used instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard
- input should be used.
+ data to be used. The special value <code class="filename">keyboard</code>
+ indicates that keyboard input should be used.
+ </p>
+ <p>
+ The default is <code class="filename">/dev/random</code> if the
+ operating system provides it or an equivalent device;
+ if not, the default source of randomness is keyboard input.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
default.
</p>
<p>
- Note: This initial implementation can only synthesize NXDOMAIN
- responses, from NSEC records. Support for NODATA responses,
- wilcard responses, and NSEC3 records will be added soon.
Thanks to APNIC for sponsoring this work.
</p>
</li>
</li>
<li class="listitem">
<p>
- When <span class="command"><strong>named</strong></span> is linked with OpenSSL, the
- OpenSSL RAND routine can be used as the source of entropy/
- randomness by specifying
- <span class="command"><strong>random-device openssl;</strong></span> in
- <code class="filename">named.conf</code>. It can also be used in tools
- such as <span class="command"><strong>dnssec-keygen</strong></span>,
- <span class="command"><strong>tsig-keygen</strong></span>,
- and <span class="command"><strong>nsupdate</strong></span> by specifying
- <span class="command"><strong>-r openssl</strong></span> on the command line.
- This is suitable for a virtual machine environment without
- a hardware random number generator.
- This behavior can be overridden by using
- <span class="command"><strong>configure --disable-crypto-rand</strong></span> or
- building with native PKCS#11. [RT #31459]
+ By default, BIND now uses the random number generation functions
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11
+ provider) as a source of high-quality randomness rather than
+ <code class="filename">/dev/random</code>. This is suitable for virtual
+ machine environments, which may have limited entropy pools and
+ lack hardware random number generators.
+ </p>
+ <p>
+ This can be overridden by specifying another entropy source via
+ the <span class="command"><strong>random-device</strong></span> option in
+ <code class="filename">named.conf</code>, or via the <span class="command"><strong>-r</strong></span>
+ command line option. However, for functions requiring full
+ cryptographic strength, such as DNSSEC key generation, this
+ <span class="emphasis"><em>cannot</em></span> be overridden. In particular, the
+ <span class="command"><strong>-r</strong></span> command line option no longer has any
+ effect on <span class="command"><strong>dnssec-keygen</strong></span>.
+ </p>
+ <p>
+ This can be disabled by building with
+ <span class="command"><strong>configure --disable-crypto-rand</strong></span>, in which
+ case <code class="filename">/dev/random</code> will be the default
+ entropy source. [RT #31459] [RT #46047]
</p>
</li>
</ul></div>
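Review bot: duplicate copy of the release-note hunk above; the same two points apply here (whether native PKCS#11 builds still need the listed exception, and qualifying "no longer has any effect on dnssec-keygen" with the default-build condition). Keep the two copies word-for-word identical.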
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
files ( default | unlimited | <sizeval> );
- filter-aaaa { <address_match_element>; ... };
- filter-aaaa-on-v4 ( break-dnssec | <boolean> );
- filter-aaaa-on-v6 ( break-dnssec | <boolean> );
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+ filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
flush-zones-on-shutdown <boolean>;
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
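Review bot: the "// not configured" annotations on filter-aaaa, filter-aaaa-on-v4 and filter-aaaa-on-v6 (and, in the hunks below, on the geoip options and "// non-operational" on lmdb-mapsize) record the build configuration of the host that regenerated this grammar, not a property of the options. A grammar listing that says filter-aaaa is "not configured" will mislead users whose build has it enabled. Regenerate the grammar from a full-featured build (all compile-time options on) before committing, so that only genuinely obsolete options carry an annotation; the existing "// not configured" on the fstrm lines suggests the generating build was already missing features.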
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <integer>; // not configured
- geoip-directory ( <quoted_string> | none );
- geoip-use-ecs <boolean>;
+ geoip-directory ( <quoted_string> | none ); // not configured
+ geoip-use-ecs <boolean>; // not configured
glue-cache <boolean>;
has-old-clients <boolean>; // obsolete
heartbeat-interval <integer>;
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // obsolete
managed-keys-directory <quoted_string>;
querylog <boolean>;
queryport-pool-ports <integer>; // obsolete
queryport-pool-updateinterval <integer>; // obsolete
- random-device <quoted_string>;
+ random-device ( <quoted_string> | none );
rate-limit {
all-per-second <integer>;
errors-per-second <integer>;
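Review bot: the grammar now accepts "random-device ( <quoted_string> | none )" unconditionally, but the documentation in this patch only defines "none" for builds that use the cryptographic library's RNG. Check that the parser (or the option's consumer) handles "none" sensibly in a --disable-crypto-rand build as well, and that whatever it does there matches what the random-device description ends up saying.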
fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
- filter-aaaa { <address_match_element>; ... };
- filter-aaaa-on-v4 ( break-dnssec | <boolean> );
- filter-aaaa-on-v6 ( break-dnssec | <boolean> );
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+ filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // obsolete
managed-keys { <string> <string>
<integer> <integer> <integer>