-4724. [func] Added the --enable-crypto-rand configure flag
- (yes by default): when the random file (-r command
- line argument) is set to "openssl" the entropy/random
- source is the OpenSSL RAND routine. This is suitable
- for virtual machine environment without a hardware
- random generator but makes random generation not
- reproducible. Note with native PKCS#11 the
- entropy/random source will unconditionally be
- C_GenerateRandom() i.e. the PKCS#11 random API.
- [RT #31459]
+4724. [func] When the random device (i.e. the "random-device"
+ option in named.conf, or the -r command line option
+ in various tools) is set to "openssl", the OpenSSL
+ RAND routine is used as the source of entropy/
+ randomness. This is suitable for a virtual
+ machine environment without a hardware random
+ number generator. This behavior can be overridden
+ by using "configure --disable-crypto-rand" or
+ native PKCS#11. [RT #31459]
4723. [bug] Statistics counter DNSTAPdropped was misidentified
as DNSSECdropped. [RT #46002]
"[ECS <replaceable>address/source/scope</replaceable>]".
</para>
</listitem>
+ <listitem>
+ <para>
+ When <command>named</command> is linked with OpenSSL, the
+ OpenSSL RAND routine can be used as the source of entropy/
+ randomness by specifying
+ <command>random-device openssl;</command> in
+ <filename>named.conf</filename>. It can also be used in tools
+ such as <command>dnssec-keygen</command>,
+ <command>tsig-keygen</command>,
+ and <command>nsupdate</command> by specifying
+ <command>-r openssl</command> on the command line.
+ This is suitable for a virtual machine environment without
+ a hardware random number generator.
+ This behavior can be overridden by using
+ <command>configure --disable-crypto-rand</command> or
+ building with native PKCS#11. [RT #31459]
+ </para>
+ </listitem>
</itemizedlist>
</section>