upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 02:39:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

[master] clarify CHANGES, add relnote

Browse source
This commit is contained in:
Evan Hunt 2017-09-16 12:06:54 -07:00
parent ad67f0bb42
commit 61996344fe
2 changed files with 27 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
CHANGES
View file

@ -1,13 +1,12 @@
4724. [func] Added the --enable-crypto-rand configure flag
(yes by default): when the random file (-r command
line argument) is set to "openssl" the entropy/random
source is the OpenSSL RAND routine. This is suitable
for virtual machine environment without a hardware
random generator but makes random generation not
reproducible. Note with native PKCS#11 the
entropy/random source will unconditionally be
C_GenerateRandom() i.e. the PKCS#11 random API.
[RT #31459]
4724. [func] When the random device (i.e. the "random-device"
option in named.conf, or the -r command line option
in various tools) is set to "openssl", the OpenSSL
RAND routine is used as the source of entropy/
randomness. This is suitable for a virtual
machine environment without a hardware random
number generator. This behavior can be overridden
by using "configure --disable-crypto-rand" or
native PKCS#11. [RT #31459]
4723. [bug] Statistics counter DNSTAPdropped was misidentified
as DNSSECdropped. [RT #46002]

18
doc/arm/notes.xml
View file

@ -363,6 +363,24 @@
"[ECS <replaceable>address/source/scope</replaceable>]".
</para>
</listitem>
<listitem>
<para>
When <command>named</command> is linked with OpenSSL, the
OpenSSL RAND routine can be used as the source of entropy/
randomness by specifying
<command>random-device openssl;</command> in
<filename>named.conf</filename>. It can also be used in tools
such as <command>dnssec-keygen</command>,
<command>tsig-keygen</command>,
and <command>nsupdate</command> by specifying
<command>-r openssl</command> on the command line.
This is suitable for a virtual machine environment without
a hardware random number generator.
This behavior can be overridden by using
<command>configure --disable-crypto-rand</command> or
building with native PKCS#11. [RT #31459]
</para>
</listitem>
</itemizedlist>
</section>