diff options
author | alexzorin <alex@zorin.id.au> | 2022-10-18 02:55:00 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-18 02:55:00 +0300 |
commit | 5270c34dd79e2dfc28017afc152d0ec68763fbcf (patch) | |
tree | 6ce441b1f16a621a664db1508536c27aa085b49d | |
parent | 314ded348e31279cb9357bedab63d1bd9c668969 (diff) |
docs: use modern tsig-keygen util in certbot-dns-rfc2136 (#9424)
Fixes #7206.
I think it's about time we did this:
- `dnssec-keygen` on new distros doesn't support the HMAC algorithms anymore, so our instructions don't work.
- The oldest distros we support are Debian Buster (`9.11.5.P4+dfsg-5.1+deb10u7`) and CentOS 7 (`9.11.4-26.P2.el7_9.9`), which ship `tsig-keygen` and support `HMAC-SHA512`.
-rw-r--r-- | certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py b/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py index e06cef5a7..19734d29b 100644 --- a/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py +++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py @@ -107,12 +107,11 @@ permission to issue updates on the target DNS zone. .. code-block:: bash :caption: Generate a new SHA512 TSIG key - dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST keyname. + tsig-keygen -a HMAC-SHA512 keyname. .. note:: - There are a few tools shipped with BIND that can all generate TSIG keys; - ``dnssec-keygen``, ``rndc-confgen``, and ``ddns-confgen``. Try and use the - most secure algorithm supported by your DNS server. + Prior to BIND version 9.10.0, you will need to use ``dnssec-keygen`` to generate + TSIG keys. Try and use the most secure algorithm supported by your DNS server. .. code-block:: none :caption: Sample BIND configuration |