Remove outdated software requirements from DNSSEC Guide

Guide in this repo is tied to latest version anyway, so let's not even mention ancient versions of BIND. This also solves the OpenSSL question because it is now mandatory for build, which subsequently removes the entropy problem - so let's not mention it either.
2025-08-31 06:25:31 +00:00 · 2022-06-10 13:43:14 +02:00
parent 6923f7973b
commit 6e79877759
3 changed files with 7 additions and 92 deletions
--- a/doc/dnssec-guide/getting-started.rst
+++ b/doc/dnssec-guide/getting-started.rst
@@ -19,90 +19,11 @@ Getting Started
 Software Requirements
 ~~~~~~~~~~~~~~~~~~~~~

-.. _bind_version:
+This guide assumes BIND 9.18.0 or newer, although the more elaborate manual
+procedures do work with all versions of BIND later than 9.9.

-BIND Version
-^^^^^^^^^^^^
-
-Most configuration examples given in this document require BIND version
-9.16.0 or newer (although many do work with all versions of BIND
-later than 9.9). To check the version of :iscman:`named` you have installed,
-use the :option:`-v <named -v>` switch as shown below:
-
-::
-
-   # named -v
-   BIND 9.16.0 (Stable Release) <id:6270e602ea>
-
-Some configuration examples are added in BIND version 9.17 and backported
-to 9.16. For example, NSEC3 configuration requires BIND version 9.16.9.
-
-We recommend you run the latest stable version to get the most complete
-DNSSEC configuration, as well as the latest security fixes.
-
-.. _dnssec_support_in_bind:
-
-DNSSEC Support in BIND
-^^^^^^^^^^^^^^^^^^^^^^
-
-All versions of BIND 9 since BIND 9.7 can support DNSSEC, as currently
-deployed in the global DNS, so the BIND software you are running most
-likely already supports DNSSEC. Run the command :option:`named -V`
-to see what flags it was built with. If it was built with OpenSSL
-(``--with-openssl``), then it supports DNSSEC. Below is an example
-of the output from running :option:`named -V`:
-
-::
-
-   $ named -V
-   BIND 9.16.0 (Stable Release) <id:6270e602ea>
-   running on Linux x86_64 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u4 (2019-07-19)
-   built by make with defaults
-   compiled by GCC 6.3.0 20170516
-   compiled with OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019
-   linked to OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019
-   compiled with libxml2 version: 2.9.4
-   linked to libxml2 version: 20904
-   compiled with json-c version: 0.12.1
-   linked to json-c version: 0.12.1
-   compiled with zlib version: 1.2.8
-   linked to zlib version: 1.2.8
-   threads support is enabled
-
-   default paths:
-     named configuration:  /usr/local/etc/named.conf
-     rndc configuration:   /usr/local/etc/rndc.conf
-     DNSSEC root key:      /usr/local/etc/bind.keys
-     nsupdate session key: /usr/local/var/run/named/session.key
-     named PID file:       /usr/local/var/run/named/named.pid
-     named lock file:      /usr/local/var/run/named/named.lock
-
-If the BIND 9 software you have does not support DNSSEC, you should
-upgrade it. (It has not been possible to build BIND without DNSSEC
-support since BIND 9.13, released in 2018.) As well as missing out on
-DNSSEC support, you are also missing a number of security fixes
-made to the software in recent years.
-
-.. _system_entropy:
-
-System Entropy
-^^^^^^^^^^^^^^
-
-To deploy DNSSEC to your authoritative server, you
-need to generate cryptographic keys. The amount of time it takes to
-generate the keys depends on the source of randomness, or entropy, on
-your systems. On some systems (especially virtual machines) with
-insufficient entropy, it may take much longer than one cares to wait to
-generate keys.
-
-There are software packages, such as ``haveged`` for Linux, that
-provide additional entropy for a system. Once installed, they
-significantly reduce the time needed to generate keys.
-
-The more entropy there is, the better pseudo-random numbers you get, and
-the stronger the keys that are generated. If you want or need high-quality random
-numbers, take a look at :ref:`hardware_security_modules` for some of
-the hardware-based solutions.
+We recommend running the latest stable version to get the most
+complete DNSSEC configuration, as well as the latest security fixes.

 .. _hardware_requirements:

--- a/doc/dnssec-guide/signing.rst
+++ b/doc/dnssec-guide/signing.rst
@@ -1162,10 +1162,6 @@ essentially a hash of the key itself.
 Make sure these files are readable by :iscman:`named` and make sure that the
 ``.private`` files are not readable by anyone else.

-Refer to :ref:`system_entropy` for information on how to
-speed up the key generation process if your random number generator has
-insufficient entropy.
-
 Setting Key Timing Information
 ++++++++++++++++++++++++++++++

--- a/doc/dnssec-guide/validation.rst
+++ b/doc/dnssec-guide/validation.rst
@@ -52,11 +52,9 @@ add one line to the ``options`` section of your configuration file:

 Restart :iscman:`named` or run :option:`rndc reconfig`, and your recursive server is
 now happily validating each DNS response. If this does not work for you,
-and you have already verified DNSSEC support as described in
-:ref:`dnssec_support_in_bind`, you may have some other
-network-related configurations that need to be adjusted. Take a look at
-:ref:`network_requirements` to make sure your network is ready for
-DNSSEC.
+you may have some other network-related configurations that need to be
+adjusted. Take a look at :ref:`network_requirements` to make sure your network
+is ready for DNSSEC.

 .. _effect_of_enabling_validation: