upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-05-28 04:34:11 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

docs: use modern tsig-keygen util in certbot-dns-rfc2136 (#9424)

Browse source 
Fixes #7206.

I think it's about time we did this:

- `dnssec-keygen` on new distros doesn't support the HMAC algorithms anymore, so our instructions don't work.
- The oldest distros we support are Debian Buster (`9.11.5.P4+dfsg-5.1+deb10u7`) and CentOS 7 (`9.11.4-26.P2.el7_9.9`), which ship `tsig-keygen` and support `HMAC-SHA512`.
This commit is contained in:
alexzorin 2022-10-18 10:55:00 +11:00 committed by GitHub
parent 314ded348e
commit 5270c34dd7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py
View file

@ -107,12 +107,11 @@ permission to issue updates on the target DNS zone.
.. code-block:: bash
:caption: Generate a new SHA512 TSIG key
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST keyname.
tsig-keygen -a HMAC-SHA512 keyname.
.. note::
There are a few tools shipped with BIND that can all generate TSIG keys;
``dnssec-keygen``, ``rndc-confgen``, and ``ddns-confgen``. Try and use the
most secure algorithm supported by your DNS server.
Prior to BIND version 9.10.0, you will need to use ``dnssec-keygen`` to generate
TSIG keys. Try and use the most secure algorithm supported by your DNS server.
.. code-block:: none
:caption: Sample BIND configuration