From: Evan Hunt Date: Mon, 5 Oct 2009 01:49:59 +0000 (+0000) Subject: 2701. [doc] Correction to ARM: hmac-md5 is no longer the only X-Git-Tag: v9.7.0b1~69 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=48b6d2f585d753ac89a11cb5bafb14f239e08430;p=thirdparty%2Fbind9.git 2701. [doc] Correction to ARM: hmac-md5 is no longer the only supported TSIG key algorithm. [RT #18046] --- diff --git a/CHANGES b/CHANGES index 958313aa2ae..5e2513734dc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2701. [doc] Correction to ARM: hmac-md5 is no longer the only + supported TSIG key algorithm. [RT #18046] + 2700. [doc] The match-mapped-addresses option is discouraged. [RT #12252] diff --git a/FAQ b/FAQ index 4df1d764ce8..a2d1686c4eb 100644 --- a/FAQ +++ b/FAQ @@ -153,8 +153,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view. Master 10.0.1.1: key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; + algorithm hmac-sha256; + secret "xxxxxxxxxxxxxxxxxxxxxxxx"; }; view "internal" { match-clients { !key external; // reject message ment for the @@ -174,8 +174,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view. Slave 10.0.1.2: key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; + algorithm hmac-sha256; + secret "xxxxxxxxxxxxxxxxxxxxxxxx"; }; view "internal" { match-clients { !key external; 10.0.1/24; }; @@ -225,13 +225,13 @@ A: You choose one view to be master and the second a slave and transfer Master 10.0.1.1: key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; + algorithm hmac-sha256; + secret "xxxxxxxxxxxxxxxxxxxxxxxx"; }; key "mykey" { - algorithm hmac-md5; - secret "yyyyyyyy"; + algorithm hmac-sha256; + secret "yyyyyyyyyyyyyyyyyyyyyyyy"; }; view "internal" { diff --git a/FAQ.xml b/FAQ.xml index 7e7a4bab070..ea51916599a 100644 --- a/FAQ.xml +++ b/FAQ.xml @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - +
Frequently Asked Questions about BIND 9 @@ -319,8 +319,8 @@ Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) Master 10.0.1.1: key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; + algorithm hmac-sha256; + secret "xxxxxxxxxxxxxxxxxxxxxxxx"; }; view "internal" { match-clients { !key external; // reject message ment for the @@ -340,8 +340,8 @@ Master 10.0.1.1: Slave 10.0.1.2: key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; + algorithm hmac-sha256; + secret "xxxxxxxxxxxxxxxxxxxxxxxx"; }; view "internal" { match-clients { !key external; 10.0.1/24; }; @@ -429,13 +429,13 @@ named-checkzone example.com tmp Master 10.0.1.1: key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; + algorithm hmac-sha256; + secret "xxxxxxxxxxxxxxxxxxxxxxxx"; }; key "mykey" { - algorithm hmac-md5; - secret "yyyyyyyy"; + algorithm hmac-sha256; + secret "yyyyyyyyyyyyyyyyyyyyyyyy"; }; view "internal" { diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 7cc9de752ef..ee4af5b9d30 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual 
@@ -2086,17 +2086,16 @@ nameserver 172.16.72.4 Automatic Generation - The following command will generate a 128-bit (16 byte) HMAC-MD5 + The following command will generate a 128-bit (16 byte) HMAC-SHA256 key as described above. Longer keys are better, but shorter keys - are easier to read. Note that the maximum key length is 512 bits; - keys longer than that will be digested with MD5 to produce a - 128-bit key. + are easier to read. Note that the maximum key length is the digest + length, here 256 bits. - dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2. + dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2. - The key is in the file Khost1-host2.+157+00000.private. + The key is in the file Khost1-host2.+163+00000.private. Nothing directly uses this file, but the base-64 encoded string following "Key:" can be extracted from the file and used as a shared secret: @@ -2138,18 +2137,16 @@ nameserver 172.16.72.4 key host1-host2. { - algorithm hmac-md5; + algorithm hmac-sha256; secret "La/E5CjG9O+os1jq0a2jdA=="; }; - The algorithm, hmac-md5, is the only one supported by BIND. The secret is the one generated above. Since this is a secret, it - is recommended that either named.conf be non-world - readable, or the key directive be added to a non-world readable - file that is included by - named.conf. + is recommended that either named.conf be + non-world readable, or the key directive be added to a non-world + readable file that is included by named.conf. At this point, the key is recognized. This means that if the
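Review bot: on the three FAQ hunks (Master 10.0.1.1, Slave 10.0.1.2, and the master/slave two-view answer) the answer they sit in is headed "BIND 9.3 and later: Use TSIG to select the appropriate view", yet every `key` block now reads `algorithm hmac-sha256;`. Please confirm that the 9.3 branch the answer targets accepts hmac-sha256 as a TSIG algorithm; if it does not, either raise the version named in the answer or leave hmac-md5 in that answer and point readers at the newer algorithms elsewhere. While these blocks are being touched, the unchanged comment `// reject message ment for the` in the master view should read "meant"; it appears in both FAQ and FAQ.xml and is cheap to fix in the same commit.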
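Review bot: in the Bv9ARM-book.xml hunk at 2086 the new sentence "the maximum key length is the digest length, here 256 bits" presents a dnssec-keygen limit as if it were a property of HMAC; HMAC itself accepts keys longer than the block size by hashing them first, which is exactly what the deleted sentence about digesting long keys with MD5 was describing. Suggest wording it as a tool limit, e.g. "dnssec-keygen accepts key sizes up to the digest length of the chosen algorithm (256 bits for hmac-sha256)". Separately, the paragraph still says "Longer keys are better" and then generates a 128-bit key with `-b 128`; the secret shown later (`La/E5CjG9O+os1jq0a2jdA==`) decodes to 16 bytes, so the example is self-consistent, but now that the algorithm allows it consider `-b 256` with a matching secret. The algorithm number in `Khost1-host2.+163+00000.private` is the right one for hmac-sha256.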
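Review bot: in the Bv9ARM-book.xml hunk at 2138, deleting `The algorithm, hmac-md5, is the only one supported by BIND.` without a replacement leaves the reader with no statement at all of which values the `algorithm` clause accepts. Since the point of this change ([RT #18046]) is that more than hmac-md5 is supported, replace the sentence with one that lists the supported TSIG algorithms, or that refers to the part of the ARM that does, rather than dropping it. The re-wrapping of the named.conf permissions sentence in the same hunk is fine as is.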