diff --git a/doc/dnssec-guide/getting-started.rst b/doc/dnssec-guide/getting-started.rst index bab31d288f..cfaac3b0b2 100644 --- a/doc/dnssec-guide/getting-started.rst +++ b/doc/dnssec-guide/getting-started.rst 
@@ -19,90 +19,11 @@ Getting Started Software Requirements ~~~~~~~~~~~~~~~~~~~~~ -.. _bind_version: +This guide assumes BIND 9.18.0 or newer, although the more elaborate manual +procedures do work with all versions of BIND later than 9.9. -BIND Version -^^^^^^^^^^^^ - -Most configuration examples given in this document require BIND version -9.16.0 or newer (although many do work with all versions of BIND -later than 9.9). To check the version of :iscman:`named` you have installed, -use the :option:`-v ` switch as shown below: - -:: - - # named -v - BIND 9.16.0 (Stable Release) - -Some configuration examples are added in BIND version 9.17 and backported -to 9.16. For example, NSEC3 configuration requires BIND version 9.16.9. - -We recommend you run the latest stable version to get the most complete -DNSSEC configuration, as well as the latest security fixes. - -.. _dnssec_support_in_bind: - -DNSSEC Support in BIND -^^^^^^^^^^^^^^^^^^^^^^ - -All versions of BIND 9 since BIND 9.7 can support DNSSEC, as currently -deployed in the global DNS, so the BIND software you are running most -likely already supports DNSSEC. Run the command :option:`named -V` -to see what flags it was built with. If it was built with OpenSSL -(``--with-openssl``), then it supports DNSSEC. 
Below is an example -of the output from running :option:`named -V`: - -:: - - $ named -V - BIND 9.16.0 (Stable Release) - running on Linux x86_64 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u4 (2019-07-19) - built by make with defaults - compiled by GCC 6.3.0 20170516 - compiled with OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019 - linked to OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019 - compiled with libxml2 version: 2.9.4 - linked to libxml2 version: 20904 - compiled with json-c version: 0.12.1 - linked to json-c version: 0.12.1 - compiled with zlib version: 1.2.8 - linked to zlib version: 1.2.8 - threads support is enabled - - default paths: - named configuration: /usr/local/etc/named.conf - rndc configuration: /usr/local/etc/rndc.conf - DNSSEC root key: /usr/local/etc/bind.keys - nsupdate session key: /usr/local/var/run/named/session.key - named PID file: /usr/local/var/run/named/named.pid - named lock file: /usr/local/var/run/named/named.lock - -If the BIND 9 software you have does not support DNSSEC, you should -upgrade it. (It has not been possible to build BIND without DNSSEC -support since BIND 9.13, released in 2018.) As well as missing out on -DNSSEC support, you are also missing a number of security fixes -made to the software in recent years. - -.. _system_entropy: - -System Entropy -^^^^^^^^^^^^^^ - -To deploy DNSSEC to your authoritative server, you -need to generate cryptographic keys. The amount of time it takes to -generate the keys depends on the source of randomness, or entropy, on -your systems. On some systems (especially virtual machines) with -insufficient entropy, it may take much longer than one cares to wait to -generate keys. - -There are software packages, such as ``haveged`` for Linux, that -provide additional entropy for a system. Once installed, they -significantly reduce the time needed to generate keys. - -The more entropy there is, the better pseudo-random numbers you get, and -the stronger the keys that are generated. 
If you want or need high-quality random -numbers, take a look at :ref:`hardware_security_modules` for some of -the hardware-based solutions. +We recommend running the latest stable version to get the most +complete DNSSEC configuration, as well as the latest security fixes. .. _hardware_requirements: diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst index 818c7e2681..ad0a04f8aa 100644 --- a/doc/dnssec-guide/introduction.rst +++ b/doc/dnssec-guide/introduction.rst @@ -27,9 +27,9 @@ be a part of his or her environment, and understand what it means to deploy it i field. This guide provides basic information on how to configure DNSSEC using -BIND 9.16.0 or later. Most of the information and examples in this guide also +BIND 9.16.9 or later. Most of the information and examples in this guide also apply to versions of BIND later than 9.9.0, but some of the key features described here -were only introduced in version 9.16.0. Readers are assumed to have basic +were only introduced in version 9.16.9. Readers are assumed to have basic working knowledge of the Domain Name System (DNS) and related network infrastructure, such as concepts of TCP/IP. In-depth knowledge of DNS and TCP/IP is not required. The guide assumes no prior knowledge of DNSSEC or diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index ad36fa0a94..d95a267a1d 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -1162,10 +1162,6 @@ essentially a hash of the key itself. Make sure these files are readable by :iscman:`named` and make sure that the ``.private`` files are not readable by anyone else. -Refer to :ref:`system_entropy` for information on how to -speed up the key generation process if your random number generator has -insufficient entropy. - Setting Key Timing Information ++++++++++++++++++++++++++++++ diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst index d4a0dfcead..e2ed95cc23 100644 
--- a/doc/dnssec-guide/validation.rst +++ b/doc/dnssec-guide/validation.rst @@ -52,11 +52,9 @@ add one line to the ``options`` section of your configuration file: Restart :iscman:`named` or run :option:`rndc reconfig`, and your recursive server is now happily validating each DNS response. If this does not work for you, -and you have already verified DNSSEC support as described in -:ref:`dnssec_support_in_bind`, you may have some other -network-related configurations that need to be adjusted. Take a look at -:ref:`network_requirements` to make sure your network is ready for -DNSSEC. +you may have some other network-related configurations that need to be +adjusted. Take a look at :ref:`network_requirements` to make sure your network +is ready for DNSSEC. .. _effect_of_enabling_validation:
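Review bot: the getting-started.rst hunk deletes three Sphinx labels (`.. _bind_version:`, `.. _dnssec_support_in_bind:`, `.. _system_entropy:`), and this patch only cleans up the `system_entropy` reference in signing.rst and the `dnssec_support_in_bind` reference in validation.rst; nothing touches `bind_version`, so grep the rest of doc/ for `:ref:\`bind_version\`` before merging, because an unresolved `:ref:` will break a warnings-as-errors Sphinx build. The same hunk also drops the `:ref:\`hardware_security_modules\`` pointer together with the entropy section; if that section is still meant to be reachable from the guide, link it from wherever key generation is now described.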
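Review bot: the version floor in the introduction.rst hunk (`BIND 9.16.9 or later`, and again in `were only introduced in version 9.16.9`) disagrees with the new getting-started.rst paragraph in the same patch, which says `This guide assumes BIND 9.18.0 or newer`; pick one number and use it in both files, and decide whether the "later than 9.9.0" / "later than 9.9" fallback wording should match as well.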
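Review bot: with the `dnssec_support_in_bind` pointer removed, the validation.rst hunk's troubleshooting sentence goes straight from "If this does not work for you" to network configuration, so a reader on an older build no longer has a step for ruling out their own `named`; since the justification for dropping the section is that every supported BIND build includes DNSSEC, consider keeping a single clause that points at the version floor stated in getting-started.rst (or at `named -V`, which the removed text used) before sending them to `:ref:\`network_requirements\``.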