From: Evan Hunt Date: Sat, 16 Sep 2017 19:06:54 +0000 (-0700) Subject: [master] clarify CHANGES, add relnote X-Git-Tag: v9.12.0b1~186 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=61996344fed3fa5a2a095653c38aeb735c79ff53;p=thirdparty%2Fbind9.git [master] clarify CHANGES, add relnote --- diff --git a/CHANGES b/CHANGES index b42cedc4416..09b2629ec7c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,13 +1,12 @@ -4724. [func] Added the --enable-crypto-rand configure flag - (yes by default): when the random file (-r command - line argument) is set to "openssl" the entropy/random - source is the OpenSSL RAND routine. This is suitable - for virtual machine environment without a hardware - random generator but makes random generation not - reproducible. Note with native PKCS#11 the - entropy/random source will unconditionally be - C_GenerateRandom() i.e. the PKCS#11 random API. - [RT #31459] +4724. [func] When the random device (i.e. the "random-device" + option in named.conf, or the -r command line option + in various tools) is set to "openssl", the OpenSSL + RAND routine is used as the source of entropy/ + randomness. This is suitable for a virtual + machine environment without a hardware random + number generator. This behavior can be overridden + by using "configure --disable-crypto-rand" or + native PKCS#11. [RT #31459] 4723. [bug] Statistics counter DNSTAPdropped was misidentified as DNSSECdropped. [RT #46002] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index c21ea3f13ac..ea7049204f3 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -363,6 +363,24 @@ "[ECS address/source/scope]". + + + When named is linked with OpenSSL, the + OpenSSL RAND routine can be used as the source of entropy/ + randomness by specifying + random-device openssl; in + named.conf. It can also be used in tools + such as dnssec-keygen, + tsig-keygen, + and nsupdate by specifying + -r openssl on the command line. + This is suitable for a virtual machine environment without + a hardware random number generator. + This behavior can be overridden by using + configure --disable-crypto-rand or + building with native PKCS#11. [RT #31459] + +