-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.PP
\-A \fIalgorithm\fR
.RS 4
-Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5 or if MD5 was disabled hmac\-sha256\&.
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5, or if MD5 was disabled at compile time, hmac\-sha256\&.
+.sp
+Note: Use of hmac\-md5 is no longer recommended, and the default value will be changed to hmac\-sha256 in a future release\&.
.RE
.PP
\-b \fIkeysize\fR
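Review bot: The added note in the -A description says hmac-md5 is no longer recommended but names no replacement to use today, while the sentence above it still gives hmac-md5 as the default. Suggest stating the recommended choice outright, for example "specify hmac-sha256 explicitly until the default changes", so that a reader who omits -A does not end up with the discouraged algorithm unknowingly.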
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-md5 or
- if MD5 was disabled hmac-sha256.
+ hmac-sha384 and hmac-sha512. The default is hmac-md5, or
+ if MD5 was disabled at compile time, hmac-sha256.
+ </p>
+ <p>
+ Note: Use of hmac-md5 is no longer recommended, and the default
+ value will be changed to hmac-sha256 in a future release.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY keys, the value must be one of DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512; specifying any of these algorithms will automatically set the
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY and SIG(0) keys, the value must be DH (Diffie Hellman); specifying this value will automatically set the
\fB\-T KEY\fR
-option as well\&. (Note:
+option as well\&.
+.sp
+TSIG keys can also by generated by setting the value to one of HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. As with DH, specifying these values will automatically set
+\fB\-T KEY\fR\&. Note, however, that
\fBtsig\-keygen\fR
-produces TSIG keys in a more useful format than
-\fBdnssec\-keygen\fR\&.)
+produces TSIG keys in a more useful format\&. These algorithms have been deprecated in
+\fBdnssec\-keygen\fR, and will be removed in a future release\&.
.sp
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
\fB\-3\fR
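Review bot: Typo in the added line beginning "TSIG keys can also by generated": "by" should be "be". The HTML hunks in this patch carry the same sentence with the same typo, so it needs fixing in each copy.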
.sp
As of BIND 9\&.12\&.0, this option is mandatory except when using the
\fB\-S\fR
-option (which copies the algorithm from the predecessor key)\&. Previously, the default for newly generated keys was RSASHA1\&.
+option, which copies the algorithm from the predecessor key\&. Previously, the default for newly generated keys was RSASHA1\&.
.RE
.PP
\-b \fIkeysize\fR
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
- TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
- HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
- or HMAC-SHA512; specifying any of these algorithms will
- automatically set the <code class="option">-T KEY</code> option as well.
- (Note: <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys in a
- more useful format than <span class="command"><strong>dnssec-keygen</strong></span>.)
+ TKEY and SIG(0) keys, the value must be DH (Diffie Hellman);
+ specifying this value will automatically set the
+ <code class="option">-T KEY</code> option as well.
+ </p>
+ <p>
+ TSIG keys can also by generated by setting the value to
+ one of HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
+ HMAC-SHA384, or HMAC-SHA512. As with DH, specifying these
+ values will automatically set <code class="option">-T KEY</code>. Note,
+ however, that <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys
+ in a more useful format. These algorithms have been deprecated
+ in <span class="command"><strong>dnssec-keygen</strong></span>, and will be removed in a
+ future release.
</p>
<p>
These values are case insensitive. In some cases, abbreviations
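Review bot: "These algorithms have been deprecated in dnssec-keygen" in the added paragraph can be read as deprecating HMAC-SHA256 and the other HMAC algorithms themselves, when the preceding sentence is only steering TSIG key generation to tsig-keygen. Suggest wording along the lines of "Generating HMAC keys with dnssec-keygen is deprecated, and support will be removed in a future release".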
</p>
<p>
As of BIND 9.12.0, this option is mandatory except when using
- the <code class="option">-S</code> option (which copies the algorithm from
- the predecessor key). Previously, the default for newly
+ the <code class="option">-S</code> option, which copies the algorithm from
+ the predecessor key. Previously, the default for newly
generated keys was RSASHA1.
</p>
</dd>
See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>file</strong></span></span></dt>
+<dd>
+ <p>
+ Set the zone's filename. In <span class="command"><strong>master</strong></span>,
+ <span class="command"><strong>hint</strong></span>, and <span class="command"><strong>redirect</strong></span>
+ zones which do not have <span class="command"><strong>masters</strong></span>
+ defined, zone data is loaded from this file. In
+ <span class="command"><strong>slave</strong></span>, <span class="command"><strong>stub</strong></span>, and
+ <span class="command"><strong>redirect</strong></span> zones which do have
+ <span class="command"><strong>masters</strong></span> defined, zone data is
+ retrieved from another server and saved in this file.
+ This option is not applicable to other zone types.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
<dd>
<p>
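Review bot: In the added file description, the clause "which do not have masters defined" reads as applying to master, hint and redirect zones alike, and "which do have masters defined" likewise to slave, stub and redirect. If the condition is meant only for redirect zones, reorder so that it attaches to redirect alone, e.g. "In master and hint zones, and in redirect zones with no masters defined, ...". The closing sentence could also say what happens when file is set on a zone type where it is not applicable.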
they are set.
</p>
</li>
+<li class="listitem">
+ <p>
+ The use of <span class="command"><strong>dnssec-keygen</strong></span> to generate
+ HMAC keys for TSIG authentication has been deprecated in favor
+ of <span class="command"><strong>tsig-keygen</strong></span>. If the algorithms HMAC-MD5,
+ HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or
+ HMAC-SHA512 are specified, <span class="command"><strong>dnssec-keygen</strong></span>
+ will print a warning message. These algorithms will be
+ removed from <span class="command"><strong>dnssec-keygen</strong></span> entirely in
+ a future release. [RT #42272]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The use of HMAC-MD5 for RNDC keys is no longer recommended.
+ For compatibility, this is still the default algorithm generated
+ by <span class="command"><strong>rndc-confgen</strong></span>, but it will print a
+ warning message. The default algorithm in
+ <span class="command"><strong>rndc-confgen</strong></span> will be changed to HMAC-SHA256
+ in a future release. [RT #42272]
+ </p>
+ </li>
</ul></div>
</div>
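Review bot: The rndc-confgen entry describes only what newly generated keys will default to; it does not say whether existing HMAC-MD5 RNDC keys keep working once the default changes. Suggest adding a sentence on that, and on choosing HMAC-SHA256 explicitly in the meantime, since this entry is where operators will look to decide whether they need to regenerate keys.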
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
- TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
- HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
- or HMAC-SHA512; specifying any of these algorithms will
- automatically set the <code class="option">-T KEY</code> option as well.
- (Note: <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys in a
- more useful format than <span class="command"><strong>dnssec-keygen</strong></span>.)
+ TKEY and SIG(0) keys, the value must be DH (Diffie Hellman);
+ specifying this value will automatically set the
+ <code class="option">-T KEY</code> option as well.
+ </p>
+ <p>
+ TSIG keys can also by generated by setting the value to
+ one of HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
+ HMAC-SHA384, or HMAC-SHA512. As with DH, specifying these
+ values will automatically set <code class="option">-T KEY</code>. Note,
+ however, that <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys
+ in a more useful format. These algorithms have been deprecated
+ in <span class="command"><strong>dnssec-keygen</strong></span>, and will be removed in a
+ future release.
</p>
<p>
These values are case insensitive. In some cases, abbreviations
</p>
<p>
As of BIND 9.12.0, this option is mandatory except when using
- the <code class="option">-S</code> option (which copies the algorithm from
- the predecessor key). Previously, the default for newly
+ the <code class="option">-S</code> option, which copies the algorithm from
+ the predecessor key. Previously, the default for newly
generated keys was RSASHA1.
</p>
</dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-md5 or
- if MD5 was disabled hmac-sha256.
+ hmac-sha384 and hmac-sha512. The default is hmac-md5, or
+ if MD5 was disabled at compile time, hmac-sha256.
+ </p>
+ <p>
+ Note: Use of hmac-md5 is no longer recommended, and the default
+ value will be changed to hmac-sha256 in a future release.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
they are set.
</p>
</li>
+<li class="listitem">
+ <p>
+ The use of <span class="command"><strong>dnssec-keygen</strong></span> to generate
+ HMAC keys for TSIG authentication has been deprecated in favor
+ of <span class="command"><strong>tsig-keygen</strong></span>. If the algorithms HMAC-MD5,
+ HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or
+ HMAC-SHA512 are specified, <span class="command"><strong>dnssec-keygen</strong></span>
+ will print a warning message. These algorithms will be
+ removed from <span class="command"><strong>dnssec-keygen</strong></span> entirely in
+ a future release. [RT #42272]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The use of HMAC-MD5 for RNDC keys is no longer recommended.
+ For compatibility, this is still the default algorithm generated
+ by <span class="command"><strong>rndc-confgen</strong></span>, but it will print a
+ warning message. The default algorithm in
+ <span class="command"><strong>rndc-confgen</strong></span> will be changed to HMAC-SHA256
+ in a future release. [RT #42272]
+ </p>
+ </li>
</ul></div>
</div>