2701. [doc] Correction to ARM: hmac-md5 is no longer the only

                        supported TSIG key algorithm. [RT #18046]

diff --git a/CHANGES b/CHANGES
index 029580f70061dab32fd798a5ef22573ffd998b49..a2f38069aaf2e5d3194acd85e20c9353156830c0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -78,6 +78,9 @@
 2704.  [bug]           Serial of dynamic and stub zones could be inconsistent
                        with their SOA serial.  [RT #19387]
 
+2701.  [doc]           Correction to ARM: hmac-md5 is no longer the only
+                       supported TSIG key algorithm. [RT #18046]
+
 2700.  [doc]           The match-mapped-addresses option is discouraged.
                        [RT #12252]
 

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 156ea83840450a5d6badd84fbbab8c82c89012fc..a2d3bb957c1e7ac899333f4e3063a306a31ad637 100644 (file)
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -35,7 +35,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.340.24.47 2009/12/03 03:39:45 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.340.24.48 2009/12/03 04:21:42 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -2056,17 +2056,16 @@ nameserver 172.16.72.4
         <sect3>
           <title>Automatic Generation</title>
           <para>
-            The following command will generate a 128-bit (16 byte) HMAC-MD5
+            The following command will generate a 128-bit (16 byte) HMAC-SHA256
             key as described above. Longer keys are better, but shorter keys
-            are easier to read. Note that the maximum key length is 512 bits;
-            keys longer than that will be digested with MD5 to produce a
-            128-bit key.
+            are easier to read. Note that the maximum key length is the digest
+            length, here 256 bits.
           </para>
           <para>
-            <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
+            <userinput>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</userinput>
           </para>
           <para>
-            The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
+            The key is in the file <filename>Khost1-host2.+163+00000.private</filename>.
             Nothing directly uses this file, but the base-64 encoded string
             following "<literal>Key:</literal>"
             can be extracted from the file and used as a shared secret:
@@ -2108,18 +2107,16 @@ nameserver 172.16.72.4
 
 <programlisting>
 key host1-host2. {
-  algorithm hmac-md5;
+  algorithm hmac-sha256;
   secret "La/E5CjG9O+os1jq0a2jdA==";
 };
 </programlisting>
 
         <para>
-          The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.
           The secret is the one generated above. Since this is a secret, it
-          is recommended that either <filename>named.conf</filename> be non-world
-          readable, or the key directive be added to a non-world readable
-          file that is included by
-          <filename>named.conf</filename>.
+          is recommended that either <filename>named.conf</filename> be
+          non-world readable, or the key directive be added to a non-world
+          readable file that is included by <filename>named.conf</filename>.
         </para>
         <para>
           At this point, the key is recognized. This means that if the