From d69530cae80c43348e8bf614f0a2688cc7e4a288 Mon Sep 17 00:00:00 2001 From: Tony Finch Date: Wed, 13 Mar 2019 15:47:31 +0000 Subject: [PATCH] A bit more cleanup in the dnssec-keygen manual Remove another remnant of shared secret HMAC-MD5 support. Explain that with currently recommended setups DNSKEY records are inserted automatically, but you can still use $INCLUDE in other cases. (cherry picked from commit acc3fa04b7ea29d72637f5166469a88d7f4208b8) --- CHANGES | 2 ++ bin/dnssec/dnssec-keygen.docbook | 15 ++++++--------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index 9ce4d661f4..c230e593d0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +5186. [cleanup] More dnssec-keygen manual tidying. [GL !1678] + 5184. [bug] Missing unlocks in sdlz.c. [GL #936] 5183. [bug] Reinitialize ECS data before reusing client diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index a56ded92b9..8d157adb54 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -571,10 +571,12 @@ key. - The .key file contains a DNS KEY record - that - can be inserted into a zone file (directly or with a $INCLUDE - statement). + The .key file contains a DNSKEY or KEY record. + When a zone is being signed by named + or dnssec-signzone , DNSKEY + records are included automatically. In other cases, + the .key file can be inserted into a zone file + manually or with a $INCLUDE statement. The .private file contains @@ -582,11 +584,6 @@ fields. For obvious security reasons, this file does not have general read permission. - - Both .key and .private - files are generated for symmetric cryptography algorithms such as - HMAC-MD5, even though the public and private key are equivalent. - EXAMPLE
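Review bot: In the CHANGES hunk, entry 5186 is added directly above 5184, so this branch has no 5185. If 5185 simply was not backported here, that is fine, but it is worth confirming the entry was not lost during the cherry-pick. The summary "More dnssec-keygen manual tidying" could also name what changed (the HMAC-MD5 remnant removed, automatic DNSKEY inclusion explained) so the entry is searchable later.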
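Review bot: In the bin/dnssec/dnssec-keygen.docbook hunk at line 571, the added sentence "When a zone is being signed by named or dnssec-signzone, DNSKEY records are included automatically" overstates the dnssec-signzone case. dnssec-signzone only pulls keys in from the key repository when run with -S (smart signing); without -S it expects the DNSKEY records to be in the zone file already. Suggest qualifying it, for example "by named or by dnssec-signzone -S", so that a reader signing without -S understands that the $INCLUDE route in the following sentence still applies to them. The new opening "a DNSKEY or KEY record" would also benefit from a word on when a KEY record is produced, since the rest of the paragraph only talks about DNSKEY.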