]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
[master] clarify CHANGES, add relnote
authorEvan Hunt <each@isc.org>
Sat, 16 Sep 2017 19:06:54 +0000 (12:06 -0700)
committerEvan Hunt <each@isc.org>
Sat, 16 Sep 2017 19:06:54 +0000 (12:06 -0700)
CHANGES
doc/arm/notes.xml

diff --git a/CHANGES b/CHANGES
index b42cedc4416c8f006e4b502830fac28ae033862f..09b2629ec7c59ba714f4011992753f48323017ad 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,13 +1,12 @@
-4724.  [func]          Added the --enable-crypto-rand configure flag
-                       (yes by default): when the random file (-r command
-                       line argument) is set to "openssl" the entropy/random
-                       source is the OpenSSL RAND routine. This is suitable
-                       for virtual machine environment without a hardware
-                       random generator but makes random generation not
-                       reproducible. Note with native PKCS#11 the
-                       entropy/random source will unconditionally be
-                       C_GenerateRandom() i.e. the PKCS#11 random API.
-                       [RT #31459]
+4724.  [func]          When the random device (i.e. the "random-device"
+                       option in named.conf, or the -r command line option
+                       in various tools) is set to "openssl", the OpenSSL
+                       RAND routine is used as the source of entropy/
+                       randomness. This is suitable for a virtual
+                       machine environment without a hardware random
+                       number generator. This behavior can be overridden
+                       by using "configure --disable-crypto-rand" or
+                       native PKCS#11. [RT #31459]
 
 4723.  [bug]           Statistics counter DNSTAPdropped was misidentified
                        as DNSSECdropped. [RT #46002]
index c21ea3f13ac63115a82a811df1018635273d7bb8..ea7049204f37437e5151a452cfc2188f7f98c4e8 100644 (file)
          "[ECS <replaceable>address/source/scope</replaceable>]".
        </para>
       </listitem>
+      <listitem>
+       <para>
+         When <command>named</command> is linked with OpenSSL, the
+         OpenSSL RAND routine can be used as the source of entropy/
+         randomness by specifying
+         <command>random-device openssl;</command> in
+         <filename>named.conf</filename>. It can also be used in tools
+         such as <command>dnssec-keygen</command>,
+         <command>tsig-keygen</command>,
+         and <command>nsupdate</command> by specifying
+         <command>-r openssl</command> on the command line.
+         This is suitable for a virtual machine environment without
+         a hardware random number generator.
+         This behavior can be overridden by using
+         <command>configure --disable-crypto-rand</command> or
+         building with native PKCS#11. [RT #31459]
+       </para>
+      </listitem>
     </itemizedlist>
   </section>