regen master

bin/confgen/rndc-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -111,7 +111,9 @@ as directed\&.
 .PP
 \-A \fIalgorithm\fR
 .RS 4
-Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5 or if MD5 was disabled hmac\-sha256\&.
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5, or if MD5 was disabled at compile time, hmac\-sha256\&.
+.sp
+Note: Use of hmac\-md5 is no longer recommended, and the default value will be changed to hmac\-sha256 in a future release\&.
 .RE
 .PP
 \-b \fIkeysize\fR
@@ -217,5 +219,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/rndc-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -113,8 +113,12 @@
           <p>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-md5 or
+            hmac-sha384 and hmac-sha512.  The default is hmac-md5, or
-            if MD5 was disabled hmac-sha256.
+            if MD5 was disabled at compile time, hmac-sha256.
+          </p>
+          <p>
+            Note: Use of hmac-md5 is no longer recommended, and the default
+            value will be changed to hmac-sha256 in a future release.
           </p>
         </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>

bin/dnssec/dnssec-keygen.8

@@ -62,12 +62,15 @@ may be preferable to direct use of
 .RS 4
 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
 \fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY keys, the value must be one of DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512; specifying any of these algorithms will automatically set the
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY and SIG(0) keys, the value must be DH (Diffie Hellman); specifying this value will automatically set the
 \fB\-T KEY\fR
-option as well\&. (Note:
+option as well\&.
+.sp
+TSIG keys can also by generated by setting the value to one of HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. As with DH, specifying these values will automatically set
+\fB\-T KEY\fR\&. Note, however, that
 \fBtsig\-keygen\fR
-produces TSIG keys in a more useful format than
+produces TSIG keys in a more useful format\&. These algorithms have been deprecated in
-\fBdnssec\-keygen\fR\&.)
+\fBdnssec\-keygen\fR, and will be removed in a future release\&.
 .sp
 These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
 \fB\-3\fR
@@ -75,7 +78,7 @@ option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
 .sp
 As of BIND 9\&.12\&.0, this option is mandatory except when using the
 \fB\-S\fR
-option (which copies the algorithm from the predecessor key)\&. Previously, the default for newly generated keys was RSASHA1\&.
+option, which copies the algorithm from the predecessor key\&. Previously, the default for newly generated keys was RSASHA1\&.
 .RE
 .PP
 \-b \fIkeysize\fR

bin/dnssec/dnssec-keygen.html

@@ -103,12 +103,19 @@
 	    of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
-            TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
+	    TKEY and SIG(0) keys, the value must be DH (Diffie Hellman);
-            HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
+	    specifying this value will automatically set the
-            or HMAC-SHA512; specifying any of these algorithms will
+	    <code class="option">-T KEY</code> option as well.
-            automatically set the <code class="option">-T KEY</code> option as well.
+	  </p>
-            (Note: <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys in a
+	  <p>
-            more useful format than <span class="command"><strong>dnssec-keygen</strong></span>.)
+	    TSIG keys can also by generated by setting the value to
+	    one of HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
+	    HMAC-SHA384, or HMAC-SHA512.  As with DH, specifying these
+	    values will automatically set <code class="option">-T KEY</code>. Note,
+	    however, that <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys
+	    in a more useful format. These algorithms have been deprecated
+	    in <span class="command"><strong>dnssec-keygen</strong></span>, and will be removed in a
+	    future release.
 	  </p>
 	  <p>
 	    These values are case insensitive. In some cases, abbreviations
@@ -119,8 +126,8 @@
 	  </p>
 	  <p>
 	    As of BIND 9.12.0, this option is mandatory except when using
-	    the <code class="option">-S</code> option (which copies the algorithm from
+	    the <code class="option">-S</code> option, which copies the algorithm from
-	    the predecessor key).  Previously, the default for newly
+	    the predecessor key.  Previously, the default for newly
 	    generated keys was RSASHA1.
 	  </p>
 	</dd>

doc/arm/Bv9ARM.ch06.html

@@ -9988,6 +9988,20 @@ view "external" {
                     See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
                   </p>
                 </dd>
+<dt><span class="term"><span class="command"><strong>file</strong></span></span></dt>
+<dd>
+                  <p>
+                    Set the zone's filename. In <span class="command"><strong>master</strong></span>,
+                    <span class="command"><strong>hint</strong></span>, and <span class="command"><strong>redirect</strong></span>
+                    zones which do not have <span class="command"><strong>masters</strong></span>
+                    defined, zone data is loaded from this file. In
+                    <span class="command"><strong>slave</strong></span>, <span class="command"><strong>stub</strong></span>, and
+                    <span class="command"><strong>redirect</strong></span> zones which do have
+                    <span class="command"><strong>masters</strong></span> defined, zone data is
+                    retrieved from another server and saved in this file.
+                    This option is not applicable to other zone types.
+                  </p>
+                </dd>
 <dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
 <dd>
                   <p>

doc/arm/Bv9ARM.ch09.html

@@ -528,6 +528,28 @@
 	  they are set.
 	</p>
       </li>
+<li class="listitem">
+	<p>
+	  The use of <span class="command"><strong>dnssec-keygen</strong></span> to generate
+	  HMAC keys for TSIG authentication has been deprecated in favor
+	  of <span class="command"><strong>tsig-keygen</strong></span>. If the algorithms HMAC-MD5,
+	  HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or
+	  HMAC-SHA512 are specified, <span class="command"><strong>dnssec-keygen</strong></span>
+	  will print a warning message. These algorithms will be
+	  removed from <span class="command"><strong>dnssec-keygen</strong></span> entirely in
+	  a future release. [RT #42272]
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  The use of HMAC-MD5 for RNDC keys is no longer recommended.
+	  For compatibility, this is still the default algorithm generated
+	  by <span class="command"><strong>rndc-confgen</strong></span>, but it will print a
+	  warning message. The default algorithm in
+	  <span class="command"><strong>rndc-confgen</strong></span> will be changed to HMAC-SHA256
+	  in a future release. [RT #42272]
+	</p>
+      </li>
 </ul></div>
   </div>
 

doc/arm/man.dnssec-keygen.html

@@ -121,12 +121,19 @@
 	    of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
-            TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
+	    TKEY and SIG(0) keys, the value must be DH (Diffie Hellman);
-            HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
+	    specifying this value will automatically set the
-            or HMAC-SHA512; specifying any of these algorithms will
+	    <code class="option">-T KEY</code> option as well.
-            automatically set the <code class="option">-T KEY</code> option as well.
+	  </p>
-            (Note: <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys in a
+	  <p>
-            more useful format than <span class="command"><strong>dnssec-keygen</strong></span>.)
+	    TSIG keys can also by generated by setting the value to
+	    one of HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
+	    HMAC-SHA384, or HMAC-SHA512.  As with DH, specifying these
+	    values will automatically set <code class="option">-T KEY</code>. Note,
+	    however, that <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys
+	    in a more useful format. These algorithms have been deprecated
+	    in <span class="command"><strong>dnssec-keygen</strong></span>, and will be removed in a
+	    future release.
 	  </p>
 	  <p>
 	    These values are case insensitive. In some cases, abbreviations
@@ -137,8 +144,8 @@
 	  </p>
 	  <p>
 	    As of BIND 9.12.0, this option is mandatory except when using
-	    the <code class="option">-S</code> option (which copies the algorithm from
+	    the <code class="option">-S</code> option, which copies the algorithm from
-	    the predecessor key).  Previously, the default for newly
+	    the predecessor key.  Previously, the default for newly
 	    generated keys was RSASHA1.
 	  </p>
 	</dd>

doc/arm/man.rndc-confgen.html

@@ -131,8 +131,12 @@
           <p>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-md5 or
+            hmac-sha384 and hmac-sha512.  The default is hmac-md5, or
-            if MD5 was disabled hmac-sha256.
+            if MD5 was disabled at compile time, hmac-sha256.
+          </p>
+          <p>
+            Note: Use of hmac-md5 is no longer recommended, and the default
+            value will be changed to hmac-sha256 in a future release.
           </p>
         </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>

doc/arm/notes.html

@@ -488,6 +488,28 @@
 	  they are set.
 	</p>
       </li>
+<li class="listitem">
+	<p>
+	  The use of <span class="command"><strong>dnssec-keygen</strong></span> to generate
+	  HMAC keys for TSIG authentication has been deprecated in favor
+	  of <span class="command"><strong>tsig-keygen</strong></span>. If the algorithms HMAC-MD5,
+	  HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or
+	  HMAC-SHA512 are specified, <span class="command"><strong>dnssec-keygen</strong></span>
+	  will print a warning message. These algorithms will be
+	  removed from <span class="command"><strong>dnssec-keygen</strong></span> entirely in
+	  a future release. [RT #42272]
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  The use of HMAC-MD5 for RNDC keys is no longer recommended.
+	  For compatibility, this is still the default algorithm generated
+	  by <span class="command"><strong>rndc-confgen</strong></span>, but it will print a
+	  warning message. The default algorithm in
+	  <span class="command"><strong>rndc-confgen</strong></span> will be changed to HMAC-SHA256
+	  in a future release. [RT #42272]
+	</p>
+      </li>
 </ul></div>
   </div>